From: Rainer W. <rwe...@mo...> - 2012-09-14 15:55:44
Larry Baird <la...@gt...> writes:

>> we have a strange Problem since we are using Racoon for our VPN
>> Connections. After a while (maybe 2-3 Weeks), we gain a lot of lags and
>> sporadic high pings on your Debian Servers.
>>
>> After Restarting Racoon all works fine for about 1-2 days. Then it's
>> again. If we reboot the Server the Problem is gone for 2-3 weeks. This
>> Problem is 3 completely different Networks of 3 Customers. I can post the
>> Configuration but first I want to ask if someone has an Idea if it could
>> be a general issue.

> How many SAs do you have? We have a customer with large number of SAs
> reporting a similar problem. In the file src/libipsec/pfkey.c in the
> function pfkey_open() there is logic to try to set SO_RCVBUF to at
> least 2MB. This is not enough for a very large number of SAs.

Sorry to be so blunt but this is a totally weird idea. The various
SADB_DUMP based loops in racoon (used for SA deletion) may cause
performance issues because of the insane amount of needless copying of
data which needs to be done in order to delete a single SA, but this will
certainly not get better when increasing the number of messages received
in reply to a SADB_DUMP request.