From: "Scott Ullrich"
To: "VANHULLEBUS Yvan"
Cc: freebsd-net@freebsd.org
Date: Sat, 18 Aug 2007 15:58:16 -0400
Subject: Re: Racoon(ipsec-tools) enters sbwait state or 100% CPU utilization quite often on RELENG_1_2
In-Reply-To: <20070818102803.GA1319@jayce.zen.inc>
References: <20070818102803.GA1319@jayce.zen.inc>
List-Id: Networking and TCP/IP with FreeBSD

On 8/18/07, VANHULLEBUS Yvan wrote:
[snip]
> It really looks like an old "known" (well, at least known by me...)
> problem with the PFKey interface: it is quite impossible to set up more
> than 50-100 tunnels on a standard FreeBSD (and probably any other KAME
> based stack), because some kind of socket related problems will happen
> when racoon tries to get the SPD or the SADB entries.
>
> When the problem occurs with the SPD, racoon won't be able to
> negotiate some tunnels (because it doesn't have the SPD entries in
> its own table); when the problem occurs with the SADB, it can lead
> to the 100% CPU usage you have...
>
> Some workarounds are possible depending on your configuration: you may
> be able to reduce the number of used SAs (merge some phase2s with
> contiguous subnets, use REQUIRE instead of UNIQUE for some tunnels,
> etc...), but if you have 80 peers with each one only ONE phase2,
> that's another problem...
>
> To solve that problem, the only solution we found is to do a big PFKey
> hack, to have only one request/response, and all the SPD/SAD entries
> exchanged via a single buffer shared by kernel and racoon.
>
> I also know an old bug in the sbspace macro (found in FreeBSD 4.x), but it
> seems it has been fixed at least in FreeBSD 6.

Thanks for the very detailed response.

We have worked around the problem for now with a simple shell script that looks for racoon falling over and simply restarts it.

Does anyone know if this is fixed in 7-CURRENT? If so we can easily wait until 7 arrives, as we plan on releasing pfSense on the 7 platform as soon as it is released.

George, would you like me to file a PR for this against 7-CURRENT?

Thanks again for all the responses.

Scott
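The restart-on-failure workaround Scott mentions, written out as an added watchdog example (this is not the pfSense script from the post). It samples racoon's wait channel and CPU with FreeBSD ps(1) and only restarts after a run of consecutive bad samples, since a single sbwait sample just means racoon is waiting on its sockets; the pidfile path, the rc script path and the thresholds are assumptions.

```shell
#!/bin/sh
# Added watchdog example, not the script from the mailing-list post. Assumes
# FreeBSD ps(1) keywords wchan/%cpu, the pidfile /var/run/racoon.pid and the
# ports rc script /usr/local/etc/rc.d/racoon (all assumptions, override via env).
PIDFILE=${PIDFILE:-/var/run/racoon.pid}
RC=${RC:-/usr/local/etc/rc.d/racoon}
INTERVAL=${INTERVAL:-10}        # seconds between samples
MAX_STRIKES=${MAX_STRIKES:-6}   # consecutive bad samples before a restart
CPU_THRESHOLD=${CPU_THRESHOLD:-90}

# racoon_unhealthy WCHAN CPU: true (0) when the sample matches the failure
# mode in the thread: blocked in the sbwait wait channel, or spinning on CPU.
racoon_unhealthy() {
    [ "$1" = sbwait ] && return 0
    awk -v c="$2" -v t="$CPU_THRESHOLD" 'BEGIN { exit !(c + 0 >= t + 0) }'
}

# update_strikes STRIKES WCHAN CPU: prints STRIKES+1 for a bad sample, 0 for a
# good one. One sbwait sample is normal (racoon waiting on its sockets), so
# only an unbroken run of bad samples counts.
update_strikes() {
    if racoon_unhealthy "$2" "$3"; then echo $(( $1 + 1 )); else echo 0; fi
}

# sample_racoon: prints "WCHAN CPU" for the running racoon, or "dead -".
sample_racoon() {
    pid=$(cat "$PIDFILE" 2>/dev/null) || { echo "dead -"; return 0; }
    ps -o wchan=,%cpu= -p "$pid" 2>/dev/null |
        awk 'NF { print $1, $2; f = 1 } END { if (!f) print "dead -" }'
}

watch_loop() {
    strikes=0
    while :; do
        set -- $(sample_racoon)
        if [ "$1" = dead ]; then strikes=$MAX_STRIKES
        else strikes=$(update_strikes "$strikes" "$1" "$2"); fi
        if [ "$strikes" -ge "$MAX_STRIKES" ]; then
            logger -t racoon-watch "racoon unhealthy (wchan=$1 cpu=$2), restarting"
            "$RC" restart
            strikes=0
        fi
        sleep "$INTERVAL"
    done
}

# Only loop when invoked as 'racoon-watch.sh --watch'; sourcing just defines the functions.
case "${1:-}" in --watch) watch_loop ;; esac
```

Run it from cron or as a daemon with `--watch`; a restart is also logged via syslog so the frequency of failures stays visible.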