Racoon(ipsec-tools) enters sbwait state or 100% CPU utilization quite often on RELENG_1_2

Scott Ullrich sullrich at gmail.com
Sat Aug 18 12:58:17 PDT 2007


On 8/18/07, VANHULLEBUS Yvan <vanhu_bsd at zeninc.net> wrote:
[snip]
> It really looks like an old "known" (well, at least known by me...)
> problem with PFKey interface: it is quite impossible to set up more
> than 50-100 tunnels on a standard FreeBSD (and probably any other KAME
> based stack), because some kind of socket related problems will happen
> when racoon will try to get the SPD or the SADB entries.
>
> When the problem occurs withe the SPD, racoon won't be able to
> negociate some tunnels (because it doesn't have the SPD entries in
> it's own table), when the problems occurs with the SADB, it can lead
> to the 100% CPU usage you have....
>
> Some workarounds are possible depending on your configuration, you may
> be able to reduce the number of used SAs (merge some phases2 with
> contiguous subnets, use REQUIRE instead of UNIQUE for some tunnels,
> etc...), but if you have 80 peers with each one only ONE phase2,
> that's another problem....
>
> To solve that problem, the only solution we found is to do a big PFKey
> hack, to have only one request/response, and all the SPD/SAD entries
> exchanged via a single buffer shared by kernel and racoon.
>
> I also know an old bug in sbspace macro (found in FreeBSD 4.x), but it
> seems it has been fixed at least in FreeBSD 6.

Thanks for the very detailed response.   We have worked around the
problem for now with a simple shell script that looks for racoon
falling over and simply restarting it.

Does anyone know if this is fixed in 7-CURRENT?  If so we can easily
wait until 7 arrives as we plan on releasing pfSense on the 7 platform
as soon as it is released.

George, would you like me to file a PR for this against 7-CURRENT?

Thanks again for all the responses.

Scott


More information about the freebsd-net mailing list