Date: Tue, 15 Mar 2005 12:39:26 -0500 From: Mike Tancsa <mike@sentex.net> To: freebsd-stable@freebsd.org Subject: RELENG_5 and FAST_IPSEC limits Message-ID: <6.2.1.2.0.20050315112131.054b56f8@64.7.153.2>
next in thread | raw e-mail | index | archive | help
Hi, We are running into a case where there are too many SAs, and doing a setkey -D would fail with a "recv: Resource temporarily unavailable" after displaying most of the associations. Is there a way to get around this, or is there a hard limit ? # setkey -D | grep ^172 | wc 186 372 5096 When the remotes are renegotiating, and there are a lot of tunnels in the state of mature and dying, this number can go up to 341, but not higher. This also seems to send racoon into a hung state that we then need to kill off and restart. It was suggested in a post that /usr/src/sys/net/raw_cb.h get changed from #define RAWSNDQ 8192 #define RAWRCVQ 8192 to something larger like #define RAWSNDQ 24576 #define RAWRCVQ 24576 If this is the underlying issue, will it work on its own, or are there other values that need to be tuned ? Will I need to recompile any userland apps (e.g. racoon, setkey) and are there any other values I would need to adjust ---Mike -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.2.1.2.0.20050315112131.054b56f8>