From: Rainer W. <rwe...@mo...> - 2012-09-18 12:42:10
Tobias Dinse <tob...@st...> writes:

> We have only 4 SAs. I attached the Configuration file. It only lags
> on Connection over the Internet Gateway (where racoon is running
> there). Pings between the other Servers in the internal Networks are
> fine. We already tried to switch the Cable / NIC and to our Backup
> Gateway Server. CPU / Mem isn't high and Racoon not going crazy.
>
> After restarting Racoon / rebooting the Server all works fine. I'm
> happy about any hint.

As I already wrote: racoon does not handle any actual data traffic, it
just configures the kernel to handle that in a particular way. If you
stop it, it will send a SADB_FLUSH message to the kernel, causing all
kernel SAs to be deleted, and then send isakmp delete payloads for all
ph2 SAs known to it to the respective peers.

This could theoretically help with an in-kernel performance issue if
there are (for some reason) lots and lots of kernel SAs (xfrm states,
actually) and because of this, searching for a matching xfrm state for
a datagram supposed to be processed takes a long time. A similar
problem could exist for xfrm policies.

Both of these possibilities are IMO rather far-fetched but checking
them (hopefully :-) can't hurt. You can display all kernel SAs (on
Linux) independently of racoon with ip xfrm state and all policies
with ip xfrm pol. Equivalent setkey commands would be setkey -D and
setkey -D -P. Lastly, racoonctl ss ipsec can be used to display all
kernel SAs / xfrm states with the help of the daemon itself.
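The check suggested in the reply above, as an added example that is not part of the original thread: a small POSIX shell script that tallies kernel SAs per peer pair from "ip xfrm state" output (the same parsing works on "ip xfrm policy" output) and flags pairs that have accumulated more SAs than expected. The sample dump, the addresses and the threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ipsec-tools thread): spot SA build-up in the
# kernel xfrm state table. The dump is read from stdin so the functions can
# be run offline; live use is  ip xfrm state | flag_sa_buildup 4

# Count "src A dst B" headers per (src,dst) pair from an `ip xfrm state` or
# `ip xfrm policy` dump on stdin. Prints "<src> <dst> <count>", sorted.
count_xfrm_states() {
    awk '/^src [^ ]+ dst [^ ]+/ { pairs[$2 " " $4]++ }
         END { for (p in pairs) print p, pairs[p] }' | sort
}

# Print every pair holding more than $1 SAs (default 4). Returns 1 when such
# a pair exists (possible stale-SA accumulation), 0 otherwise.
flag_sa_buildup() {
    limit="${1:-4}"
    count_xfrm_states | awk -v lim="$limit" \
        '$3 > lim { print; found = 1 } END { exit found ? 1 : 0 }'
}

# Constructed `ip xfrm state` dump: three SAs 192.0.2.1 -> 198.51.100.7
# (as if old ones were never deleted) and one in the reverse direction.
SAMPLE_STATES='src 192.0.2.1 dst 198.51.100.7
	proto esp spi 0x0a1b2c3d reqid 1 mode tunnel
	replay-window 32 flag af-unspec
src 198.51.100.7 dst 192.0.2.1
	proto esp spi 0x11223344 reqid 1 mode tunnel
	replay-window 32 flag af-unspec
src 192.0.2.1 dst 198.51.100.7
	proto esp spi 0x55667788 reqid 1 mode tunnel
	replay-window 32 flag af-unspec
src 192.0.2.1 dst 198.51.100.7
	proto esp spi 0x99aabbcc reqid 1 mode tunnel
	replay-window 32 flag af-unspec'

# Demo on the constructed dump with a threshold of 2 SAs per pair.
printf '%s\n' "$SAMPLE_STATES" | flag_sa_buildup 2 \
    || echo "SA build-up detected: compare against racoonctl ss ipsec"
```

Run the same pipeline against "ip xfrm policy" to check the policy table the reply also mentions.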