Netgate Discussion Forum

    High CPU load (100% on one core) when enabling Phase 1

    • B
      b_chris
      last edited by

      Hi,
      I tried to set up an IPsec server for my mobile devices following this guide: https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev2-eap-mschapv2.html#ikev2-server-configuration

      Right after configuring the Phase 1 (exactly like described) one core faces a 100% load caused by the charon process. As soon as I disable the Phase 1 my system is back to normal. At this point I didn't even configure a Phase 2.

      pfSense is on the latest 2.5.2.
      Is this a known issue? Can this be caused by some misconfiguration? I didn't find any useful logs that could help debugging.

      Thanks

      USER      PID  %CPU %MEM     VSZ    RSS TT  STAT STARTED        TIME COMMAND
      root       11 240.5  0.0       0     64  -  RNL  Sat14   23700:57.32 [idle]
      root    73035  87.3  0.6   70932  23644  -  S    21:26       0:19.21 /usr/local/libexec/ipsec/charon --use-syslog
      
      
      1 Reply Last reply Reply Quote 1
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        I haven't seen that happen here, but one thing that may be contributing: You should not apply the settings until your configuration is complete. Until it has a proper set of P2 entries for that mobile P1, it's not a valid configuration state.

        So don't apply any time you see the button, only at the very end of the process.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        B 1 Reply Last reply Reply Quote 1
        • B
          b_chris @jimp
          last edited by

          @jimp Thank you for your fast reply.
          You made a valid point. Therefore I wiped my IPsec configuration and started from scratch using the above mentioned guide.
          Unfortunately also after applying only after finishing the configuration I ended up in the same situation: 100% load on one core.
          Only disabling the Phase 1 solves this.
          I don't see any related entries in the system.log and the IPsec.log is not even present at this point.
          Anywhere else I can look to get an indication of what is happening here?

          Thank you

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            Normally the IPsec log would be the place to look. You're sure there isn't anything in there? It should at least be logging the startup and loading the configuration before it reached that point.

            B 2 Replies Last reply Reply Quote 1
            • B
              b_chris @jimp
              last edited by

              Yes, unfortunately there is no file like /var/log/ipsec.log
              But what is strange: On previous attempts I remember that those files were present...

              I think I'll try to reboot my box tomorrow and see if this changes the behavior and if I'll get at least log files.
              I'll keep you updated.

              1 Reply Last reply Reply Quote 0
              • B
                b_chris @jimp
                last edited by

                @jimp
                After a restart I saw an empty ipsec.log again. When enabling the fully configured IPSec VPN the logfile grew to somewhere around 30-40MB within a few seconds. The logfile was spammed by those lines:

                Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] error in C_WaitForSlotEvent: GENERAL_ERROR
                Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] C_GetSlotInfo failed: SLOT_ID_INVALID
                Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] error in C_WaitForSlotEvent: GENERAL_ERROR
                Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] C_GetSlotInfo failed: SLOT_ID_INVALID
                Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] error in C_WaitForSlotEvent: GENERAL_ERROR
                Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] C_GetSlotInfo failed: SLOT_ID_INVALID
                Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] error in C_WaitForSlotEvent: GENERAL_ERROR
                Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] C_GetSlotInfo failed: SLOT_ID_INVALID
                Aug  6 19:15:26 pfSense charon[55908]: 00[DMN] SIGTERM received, shutting down
                
                

                I'm not at home atm so my possibilities for further analysis are a bit limited… But as far as I can see those messages start right after:

                Aug  6 19:15:03 pfSense charon[55908]: 00[JOB] spawning 16 worker threads
                
                1 Reply Last reply Reply Quote 0
                • jimpJ
                  jimp Rebel Alliance Developer Netgate
                  last edited by

                  Those errors look like what happens when pcscd isn't running when the IPsec daemon expects it to be. Did you stop or disable that service somehow?

                  There is a patch to disable it properly on https://redmine.pfsense.org/issues/11933

                  B M 2 Replies Last reply Reply Quote 5
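
A detection sketch for the log pattern discussed above, added here as an example and not part of any forum post or of pfSense/strongSwan code: it counts PKCS#11 slot errors per charon PID per second and flags a flood. The function names and the threshold are assumptions, and the sample input is constructed in the format of the lines quoted in the thread.

```python
import re
from collections import Counter

# charon syslog line: "<Mon> <d> <hh:mm:ss> <host> charon[<pid>]: <thread>[<GROUP>] <msg>"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\scharon\[(?P<pid>\d+)\]:\s"
    r"\d+\[(?P<group>\w+)\]\s(?P<msg>.*)$"
)
# The two PKCS#11 calls whose failures repeat in the thread's log excerpt.
PKCS11_ERR = re.compile(r"\b(C_WaitForSlotEvent|C_GetSlotInfo)\b")


def find_pkcs11_storms(text, per_second=100):
    """Return sorted (pid, timestamp, count) for every second in which one
    charon PID logged at least `per_second` PKCS#11 slot errors."""
    hits = Counter()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())  # copied log lines may be indented
        if m and m["group"] == "CFG" and PKCS11_ERR.search(m["msg"]):
            hits[(m["pid"], m["ts"])] += 1
    return sorted((pid, ts, n) for (pid, ts), n in hits.items() if n >= per_second)


def build_sample(pairs=150):
    """Constructed input shaped like the lines quoted in the thread."""
    pre = "Aug  6 19:15:26 pfSense charon[55908]: "
    head = "Aug  6 19:15:03 pfSense charon[55908]: 00[JOB] spawning 16 worker threads"
    pair = [
        pre + "02[CFG] error in C_WaitForSlotEvent: GENERAL_ERROR",
        pre + "02[CFG] C_GetSlotInfo failed: SLOT_ID_INVALID",
    ]
    return "\n".join([head] + pair * pairs + [pre + "00[DMN] SIGTERM received, shutting down"])


if __name__ == "__main__":
    for pid, ts, n in find_pkcs11_storms(build_sample()):
        print(f"charon[{pid}] logged {n} PKCS#11 slot errors at {ts}")
```

Set the threshold from the gateway's normal charon log volume; the flood reported in the thread (30-40MB within a few seconds) is far above any ordinary rate.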
                  • B
                    b_chris @jimp
                    last edited by

                    @jimp you nailed it :) pcscd was not running because I thought I don’t need it. Starting it again solved my issues. IPSec is up and running smoothly.

                    Thanks for your fast and competent help!

                    1 Reply Last reply Reply Quote 1
                    • M
                      MichelZ @jimp
                      last edited by

                      @jimp said in High CPU load (100% on one core) when enabling Phase 1:

                      Those errors look like what happens when pcscd isn't running when the IPsec daemon expects it to be. Did you stop or disable that service somehow?

                      There is a patch to disable it properly on https://redmine.pfsense.org/issues/11933

                      Disable properly means IPSec won't need it and won't have these errors in the log?

                      jimpJ 1 Reply Last reply Reply Quote 0
                      • jimpJ
                        jimp Rebel Alliance Developer Netgate @MichelZ
                        last edited by

                        @michelz said in High CPU load (100% on one core) when enabling Phase 1:

                        Disable properly means IPSec won't need it and won't have these errors in the log?

                        Correct. When disabled with the patch, references to that daemon and/or its services are not present in the IPsec configuration, so the errors will not happen.

                        1 Reply Last reply Reply Quote 1
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.