From owner-freebsd-stable@FreeBSD.ORG Tue Mar 15 17:40:37 2005
Message-Id: <6.2.1.2.0.20050315112131.054b56f8@64.7.153.2>
Date: Tue, 15 Mar 2005 12:39:26 -0500
To: freebsd-stable@freebsd.org
From: Mike Tancsa
Subject: RELENG_5 and FAST_IPSEC limits
List-Id: Production branch of FreeBSD source code

Hi,

We are running into a case where there are too many SAs, and doing a setkey -D would fail with a "recv: Resource temporarily unavailable" after displaying most of the associations. Is there a way to get around this, or is there a hard limit?

    # setkey -D | grep ^172 | wc
         186     372    5096

When the remotes are renegotiating, and there are a lot of tunnels in the state of mature and dying, this number can go up to 341, but not higher. This also seems to send racoon into a hung state that we then need to kill off and restart.

It was suggested in a post that /usr/src/sys/net/raw_cb.h get changed from

    #define RAWSNDQ 8192
    #define RAWRCVQ 8192

to something larger like

    #define RAWSNDQ 24576
    #define RAWRCVQ 24576

If this is the underlying issue, will it work on its own, or are there other values that need to be tuned? Will I need to recompile any userland apps (e.g. racoon, setkey) and are there any other values I would need to adjust?

        ---Mike

--------------------------------------------------------------------
Mike Tancsa,                          tel +1 519 651 3400
Sentex Communications,                mike@sentex.net
Providing Internet since 1994         www.sentex.net
Cambridge, Ontario Canada             www.sentex.net/mike
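
An added example, not part of the original message: a small sh/awk filter that summarises `setkey -D` output by SA state and reports whether the dump was cut short by the "recv: Resource temporarily unavailable" error described above, so the SA count can be tracked as it nears the ceiling. The function names and the sample dump are constructed for illustration, and the parser assumes the usual `setkey -D` layout (an unindented "src dst" line per SA, with a `state=` field on an indented line).

```sh
#!/bin/sh
# Added example: count SAs by state and detect a truncated dump.

# sa_summary reads `setkey -D` text on stdin (stderr merged in by the caller)
# and prints: total=N mature=N dying=N other=N truncated=yes|no
sa_summary() {
    awk '
        # Each SA entry starts with an unindented "src dst" address pair.
        /^[^ \t]/ && NF == 2 { total++; next }
        # Assumed layout: the state appears as state=<name> on an indented line.
        match($0, /state=[a-z]+/) {
            s = substr($0, RSTART + 6, RLENGTH - 6)
            if (s == "mature") mature++
            else if (s == "dying") dying++
            else other++
        }
        # The error quoted in the message: the dump stopped before the end.
        /recv: Resource temporarily unavailable/ { truncated = 1 }
        END {
            printf "total=%d mature=%d dying=%d other=%d truncated=%s\n",
                total, mature, dying, other, (truncated ? "yes" : "no")
        }'
}

# Constructed sample input (not captured from a real gateway).
sample_dump() {
    cat <<'EOF'
172.16.1.1 172.16.2.1
    esp mode=tunnel spi=1(0x00000001) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
172.16.2.1 172.16.1.1
    esp mode=tunnel spi=2(0x00000002) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=dying
172.16.1.1 172.16.3.1
    esp mode=tunnel spi=3(0x00000003) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
recv: Resource temporarily unavailable
EOF
}

# On a gateway: setkey -D 2>&1 | sa_summary
```

A `truncated=yes` result means the total is a lower bound, since entries after the failed read were never printed.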