From: Larry B. <la...@gt...> - 2012-09-14 15:37:43
Tobias,
> we have a strange problem since we have been using Racoon for our VPN
> connections. After a while (maybe 2-3 weeks), we get a lot of lags and
> sporadic high pings on your Debian servers.
>
> After restarting Racoon, all works fine for about 1-2 days. Then it's
> back again. If we reboot the server, the problem is gone for 2-3 weeks. This
> problem is on 3 completely different networks of 3 customers. I can post the
> configuration, but first I want to ask if someone has an idea if it could
> be a general issue.
How many SAs do you have? We have a customer with a large number of SAs
reporting a similar problem. In the file src/libipsec/pfkey.c in the
function pfkey_open() there is logic to try to set SO_RCVBUF to at
least 2MB. This is not enough for a very large number of SAs. The logic
here used to be based upon maxsockbuf size. We added this logic back to
the end of the function. See below for patch. For this patch to
be effective, you may need to increase maxsockbuf. Still waiting for
feedback from customer to see if this completely fixed their issue.

    u_long bufsiz;
    size_t len = sizeof(bufsiz);
    if ( 0 == sysctlbyname( "kern.ipc.maxsockbuf", &bufsiz, &len, NULL, 0 ) ) {
        /* Round down to amount that can actually contain data.
           As calculated by sysctl_handle_sb_max() in kern/uipc_sockbuf.c */
        bufsiz_wanted = (int)((u_quad_t)bufsiz * MCLBYTES / (MSIZE + MCLBYTES));
        if ( setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz_wanted, sizeof(bufsiz_wanted)) )
            syslog( LOG_WARNING,
                    "Unable to set pfkey receive buffer to %d; %s",
                    bufsiz_wanted,
                    strerror(errno) );
    }

--
------------------------------------------------------------------------
Larry Baird
Global Technology Associates, Inc. 1992-2012 | http://www.gta.com
Celebrating Twenty Years of Software Innovation | Orlando, FL
Email: la...@gt... | TEL 407-380-0220
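
Added example, not part of the message above and not ipsec-tools code: one way to check whether a receive-buffer request like the one in the patch actually took effect, by reading SO_RCVBUF back after setting it. The helper name grow_rcvbuf() and the sizes are assumptions, and an AF_UNIX datagram socket stands in for the PF_KEY socket, which needs root to open.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>

/* Hypothetical helper (added example). Ask for `wanted` bytes of receive
 * buffer; if the kernel refuses the request (BSD kernels fail it when it
 * exceeds their socket buffer limit), halve it until it is accepted or
 * drops below `floor`. Returns the size the kernel reports afterwards,
 * or -1 if the socket cannot be queried. */
int grow_rcvbuf(int so, int wanted, int floor)
{
    int req, got = 0;
    socklen_t len = sizeof(got);

    for (req = wanted; req >= floor && req > 0; req /= 2)
        if (setsockopt(so, SOL_SOCKET, SO_RCVBUF, &req, sizeof(req)) == 0)
            break;

    /* Linux does not fail an oversized request: it clamps it silently to
     * net.core.rmem_max and reports double the stored value. A successful
     * setsockopt() therefore proves nothing; read the result back. */
    if (getsockopt(so, SOL_SOCKET, SO_RCVBUF, &got, &len) != 0)
        return -1;
    return got;
}

int main(void)
{
    /* Constructed demo values: 8MB wanted, 128KB as the lowest retry. */
    int wanted = 8 * 1024 * 1024;
    int so = socket(AF_UNIX, SOCK_DGRAM, 0);
    int got;

    if (so < 0) { perror("socket"); return 1; }
    got = grow_rcvbuf(so, wanted, 128 * 1024);
    if (got < 0)
        perror("getsockopt");
    else if (got < wanted)
        fprintf(stderr, "wanted %d, kernel granted %d: raise the limit\n",
                wanted, got);
    else
        printf("receive buffer is %d bytes\n", got);
    close(so);
    return got < 0;
}
```

If the granted size comes back smaller than the request, the system-wide limit (kern.ipc.maxsockbuf on FreeBSD, net.core.rmem_max on Linux) has to be raised before the larger buffer can be used.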