Date:      Tue, 15 Mar 2005 12:39:26 -0500
From:      Mike Tancsa <mike@sentex.net>
To:        freebsd-stable@freebsd.org
Subject:   RELENG_5 and FAST_IPSEC limits
Message-ID:  <6.2.1.2.0.20050315112131.054b56f8@64.7.153.2>

Hi,

We are running into a case where there are too many SAs, and doing a setkey 
-D would fail with a

"recv: Resource temporarily unavailable"

after displaying most of the associations.

Is there a way to get around this, or is there a hard limit?

# setkey -D | grep ^172 | wc
      186     372    5096

When the remotes are renegotiating, and there are a lot of tunnels in the 
state of mature and dying, this number can go up to 341, but not 
higher.  This also seems to send racoon into a hung state that we then need 
to kill off and restart.

It was suggested in a post that /usr/src/sys/net/raw_cb.h get changed from


#define RAWSNDQ 8192
#define RAWRCVQ 8192

to something larger like

#define RAWSNDQ 24576
#define RAWRCVQ 24576

If this is the underlying issue, will it work on its own, or are there 
other values that need to be tuned?  Will I need to recompile any userland 
apps (e.g. racoon, setkey) and are there any other values I would need to 
adjust?

         ---Mike



--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike


