From: Sam Leffler <sam@errno.com>
To: Mike Tancsa
Cc: freebsd-stable@freebsd.org
Date: Tue, 15 Mar 2005 13:23:07 -0800
Subject: Re: RELENG_5 and FAST_IPSEC limits
Message-ID: <4237523B.7090005@errno.com>
In-Reply-To: <6.2.1.2.0.20050315112131.054b56f8@64.7.153.2>

Mike Tancsa wrote:
> Hi,
>
> We are running into a case where there are too many SAs, and doing a
> setkey -D would fail with a
>
> "recv: Resource temporarily unavailable"
>
> after displaying most of the associations.
>
> Is there a way to get around this, or is there a hard limit?
>
> # setkey -D | grep ^172 | wc
> 186 372 5096
>
> When the remotes are renegotiating, and there are a lot of tunnels in
> the state of mature and dying, this number can go up to 341, but not
> higher. This also seems to send racoon into a hung state that we then
> need to kill off and restart.
>
> It was suggested in a post that /usr/src/sys/net/raw_cb.h get changed from
>
> #define RAWSNDQ 8192
> #define RAWRCVQ 8192
>
> to something larger like
>
> #define RAWSNDQ 24576
> #define RAWRCVQ 24576
>
> If this is the underlying issue, will it work on its own, or are there
> other values that need to be tuned? Will I need to recompile any
> userland apps (e.g. racoon, setkey), and are there any other values I
> would need to adjust?

Looks like you're hitting the limit on returning status information through a PF_KEY socket. FWIW this is not related to FAST_IPSEC; it's an issue with PF_KEY and is common to both IPsec implementations.

Upping the raw socket buffer sizes should permit more information to be returned, but you may always exceed this limit, as you can create more SAs than can be reported in a single msg. Some groups have dealt with this by changing the PF_KEY API, e.g. to report an incomplete msg so the user-mode app can retrieve more data with additional reads. If upping the socket buffer limits doesn't help then you might search for patches.

Sam
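An added check, not from this thread or from the FreeBSD tools, that parses a saved `setkey -D` dump (a constructed sample here), counts SAs per state and flags the truncated-read error discussed above, so that an SA count taken from a truncated dump is reported as a lower bound rather than trusted as complete:

```shell
#!/bin/sh
# Added example, not from the thread: parse a saved `setkey -D` dump,
# count SAs per state and flag the truncated-read error, so an SA count
# taken from a truncated dump is reported as a lower bound.

# Constructed sample in the shape setkey -D prints (fields abbreviated),
# ending with the error the thread describes.
SAMPLE_DUMP='172.16.1.1 172.16.2.1
        esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
        state=mature seq=0 pid=0
172.16.1.1 172.16.3.1
        esp mode=tunnel spi=305419897(0x12345679) reqid=0(0x00000000)
        state=dying seq=0 pid=0
172.16.2.1 172.16.1.1
        esp mode=tunnel spi=305419898(0x1234567a) reqid=0(0x00000000)
        state=mature seq=0 pid=0
recv: Resource temporarily unavailable'

# Read a dump on stdin; print one line with per-state and total counts.
sa_state_counts() {
    awk '$1 ~ /^state=/ {
             split($1, kv, "="); n[kv[2]]++; total++
         }
         END {
             printf "mature=%d dying=%d other=%d total=%d\n",
                    n["mature"], n["dying"],
                    total - n["mature"] - n["dying"], total
         }'
}

# Return 0 if the dump ended in the EAGAIN error from the PF_KEY socket,
# i.e. the kernel could not return the whole SADB in one message.
dump_truncated() {
    grep -q 'recv: Resource temporarily unavailable'
}

# Print the counts, marking them as a lower bound when the dump was cut off.
sad_summary() {
    dump=$(cat)
    counts=$(printf '%s\n' "$dump" | sa_state_counts)
    if printf '%s\n' "$dump" | dump_truncated; then
        printf '%s (dump truncated: counts are a lower bound)\n' "$counts"
    else
        printf '%s\n' "$counts"
    fi
}

# Against a live system: setkey -D 2>&1 | sad_summary
printf '%s\n' "$SAMPLE_DUMP" | sad_summary
```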