IPsec (VTI) memory leak.



  • Hi. I had a pfSense box at a remote site crash on me today. I suspect there is a memory leak relating to the implementation of IPsec on pfSense.

    I run a VTI tunnel back to my core router. I enabled a giant new recurring backup job yesterday. The backup job began at 11:30 PM.

    Core router: [image]

    Branch router: [image]

    My core router was able to handle the additional load; as you can see the branch router did not. How can I confirm that this is indeed related to a memory leak? Thanks.


  • Rebel Alliance Developer Netgate

    To get a better idea, you will need to check and track the usage of individual processes over time.

    Just because the data is flowing over IPsec doesn't necessarily mean it's directly related to IPsec.

    Also, FreeBSD will attempt to use as much RAM as possible for things like caching, because free RAM is wasted RAM. It's normal for RAM usage to be high. You need only worry when processes start crashing/dying.
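    One way to do the per-process tracking suggested above, as an added example that is not from this thread or from pfSense itself: take periodic `ps` snapshots of resident set size and diff two of them to see which process actually grew. The `snapshot`, `growth` and `top_grower` helpers and the sample data are constructed for this example; it assumes only the standard ps(1), awk and sort available on pfSense/FreeBSD.

    ```shell
    #!/bin/sh
    # Added example (not from the thread): sample per-process RSS on pfSense/FreeBSD
    # at intervals and report which processes grew the most between two samples.
    # Snapshot format is "pid rss_kb command", one process per line.

    # Take one snapshot; empty keyword names (pid=) suppress the header line.
    snapshot() {
        ps -axo pid=,rss=,comm=
    }

    # growth OLDER NEWER: join the two snapshot files on pid and print
    # "pid command rss_kb_before rss_kb_after delta_kb" for every pid present
    # in both, largest delta first. A process that keeps climbing between
    # samples while total swap use rises is the one to look at.
    growth() {
        awk '
            NR == FNR { before[$1] = $2; next }
            ($1 in before) { printf "%s %s %d %d %d\n", $1, $3, before[$1], $2, $2 - before[$1] }
        ' "$1" "$2" | sort -k5,5nr
    }

    # top_grower OLDER NEWER: command name with the largest RSS increase.
    top_grower() {
        growth "$1" "$2" | awk 'NR == 1 { print $2 }'
    }

    # Constructed sample snapshots standing in for two samples taken hours
    # apart, so the report logic can be exercised without a running box.
    write_samples() {
        cat > "$1" <<'EOF'
    101 20480 charon
    202 15360 php-fpm
    303 8192 syslogd
    404 4096 unbound
    EOF
        cat > "$2" <<'EOF'
    101 204800 charon
    202 16384 php-fpm
    303 8192 syslogd
    505 3072 dhcpd
    EOF
    }

    # On a live system: run `snapshot > /var/tmp/mem.$(date +%s)` from cron
    # every few minutes, then `growth OLDER NEWER` once swap starts climbing.
    ```

    The join deliberately drops processes that exited or started between the two samples, so a short-lived job inflating RSS once will not be mistaken for steady growth.
    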



  • @jimp So I don't have definitive proof but both my core router and branch router started swapping out. My branch router filled up its swap then crashed. My core router would have crashed also but it has 32 GB of RAM while my branch router only has 16 GB of RAM. The memory usage tracks exactly with the backup job.

    Core router memory overview including swap usage: [image]

    Branch router memory overview including swap usage: [image]

    For the time being I am moving all my tunnels that I can over to OpenVPN. This is unfortunate as OpenVPN does not get good performance and I have some remote sites with Fortigate firewalls. Fortigate does not support OpenVPN.

