From: Stephen C. <scl...@ea...> - 2012-09-18 13:26:59
On 09/18/2012 08:41 AM, Rainer Weikusat wrote:
> Tobias Dinse <tob...@st...> writes:
>
>> We have only 4 SAs. I attached the Configuration file. It only lags
>> on Connection over the Internet Gateway (where racoon is running
>> there). Pings between the other Servers in the internal Networks are
>> fine. We already tried to switch the Cable / NIC and to our Backup
>> Gateways Server. CPU / Mem isn't high and Racoon not going crazy.
>>
>> After restarting Racoon / rebooting the Server all works fine. I'm
>> happy about any hint.
>>
> As I already wrote: racoon does not handle any actual data traffic, it
> just configures the kernel to handle that in a particular way. If you
> stop it, it will send a SADB_FLUSH message to the kernel, causing all
> kernel SAs to be deleted, and then send isakmp delete payloads for all
> ph2 SAs known to it to the respective peers. This could theoretically
> help with an in-kernel performance issue if there are (for some
> reason) lots and lots of kernel SAs (xfrm states, actually) and
> because of this, searching for a matching xfrm state for a datagram
> supposed to be processed takes a long time. A similar problem could
> exist for xfrm policies. Both of these possibilities are IMO rather
> far fetched but checking them (hopefully :-) can't hurt. You can
> display all kernel SAs (on Linux) independently of racoon with ip
> xfrm state and all policies with ip xfrm pol. Equivalent setkey
> commands would be setkey -D and setkey -D -P. Lastly, racoonctl ss
> ipsec can be used to display all kernel SAs/ xfrm states with the help
> of the daemon itself.
>

Hi,

Are there ip xfrm commands that show all the info that you get with
setkey -D, like current bytes, state, date created, etc.? Because I
didn't see any when I did ip xfrm state and nothing in the man page on
ip, but there have been undocumented features of the ip command.
--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)

"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
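The check suggested in the quoted reply (whether the kernel holds far more xfrm states than the four SAs expected), as an added example that is not part of the original thread: it counts SAs per src/dst pair from `ip xfrm state` text. The function names `sa_pairs` and `sa_pairs_over`, the threshold argument and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise kernel SAs per src/dst pair from `ip xfrm state` text.

# Constructed, abbreviated sample in the layout `ip xfrm state` prints
# (documentation addresses, dummy key material). Three SAs have piled up
# in one direction, one exists in the other.
sample_xfrm_state() {
cat <<'EOF'
src 192.0.2.1 dst 198.51.100.7
    proto esp spi 0x0a1b2c01 reqid 0 mode tunnel
    replay-window 4
    auth hmac(sha1) 0x00
    enc cbc(aes) 0x00
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 192.0.2.1 dst 198.51.100.7
    proto esp spi 0x0a1b2c02 reqid 0 mode tunnel
    replay-window 4
src 192.0.2.1 dst 198.51.100.7
    proto esp spi 0x0a1b2c03 reqid 0 mode tunnel
    replay-window 4
src 198.51.100.7 dst 192.0.2.1
    proto esp spi 0x0d3c2b01 reqid 0 mode tunnel
    replay-window 4
EOF
}

# Reads `ip xfrm state` output on stdin and prints "count src dst",
# highest count first. Only unindented "src A dst B" lines start an SA;
# the indented "sel src ... dst ..." selector lines are skipped.
sa_pairs() {
    awk '/^src / && $3 == "dst" { n[$2 " " $4]++ }
         END { for (p in n) print n[p], p }' | sort -k1,1nr -k2
}

# Prints the pairs holding more than $1 SAs and returns 1 if there are any,
# 0 otherwise. The limit is a site-specific assumption, not a kernel value.
sa_pairs_over() {
    limit=$1
    out=$(sa_pairs | awk -v l="$limit" '$1 > l')
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# On the gateway itself (as root):  ip xfrm state | sa_pairs
```

Running the same count before and after a racoon restart shows whether the restart actually reduced the number of kernel SAs.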