Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Lots of SPIs for one tunnel - High RAM ?

    Scheduled Pinned Locked Moved IPsec
    2 Posts 2 Posters 264 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      dr0ne
      last edited by

      Hi,

      I'm experiencing a lot of SPIs created (267) for a tunnel running from A to C, while running a tunnel from B to C with exactly the same configuration just results in 4 SPIs created.

      Site A
      ipsec status con3 | grep INSTALLED | wc -l
      267

      Site B
      ipsec status con2 | grep INSTALLED | wc -l
      4

      Any idea what might cause this behaviour ? I think this is what slowly fills up my RAM on Site A untill the box doesn't respond anymore...

      ThanK you in advance.

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        Highly doubtful those are filling your RAM but it could be causing issues.

        When a tunnel is rekeyed the old one is kept around until its lifetime expires.

        I would look at the IPsec logs and see who is initiating the tunnels when one already exists. When that is determined, attempt to figure out why they are doing that.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.