High CPU load (100% on one core) when enabling Phase 1

b_chris

Hi,
I tried to set up an IPsec server for my mobile devices following this guide: https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev2-eap-mschapv2.html#ikev2-server-configuration

Right after configuring the Phase 1 (exactly like described) one core faces a 100% load caused by the charon process. As soon as I disable the Phase 1 my system is back to normal. At this point I didn't even configure a Phase 2.

pfSense is on the latest 2.5.2.
Is this a known issue? Can this be caused by some misconfiguration? I didn't find any useful logs that could help debugging.

Thanks

USER      PID  %CPU %MEM     VSZ    RSS TT  STAT STARTED        TIME COMMAND
root       11 240.5  0.0       0     64  -  RNL  Sat14   23700:57.32 [idle]
root    73035  87.3  0.6   70932  23644  -  S    21:26       0:19.21 /usr/local/libexec/ipsec/charon --use-syslog

jimp

I haven't seen that happen here, but one thing that may be contributing: You should not apply the settings until your configuration is complete. Until it has a proper set of P2 entries for that mobile P1, it's not a valid configuration state.

So don't apply any time you see the button, only at the very end of the process.

b_chris

@jimp Thank you for your fast reply.
You made a valid point. Therefore I wiped my IPsec configuration and started from scratch using the above mentioned guide.
Unfortunately also after applying only after finishing the configuration I ended up in the same situation: 100% load on one core.
Only disabling the Phase 1 solves this.
I don't see any related entries in the system.log and the IPsec.log is not even present at this point.
Anywhere else I can look to get an indication of what is happening here?

Thank you

jimp

Normally the IPsec log would be the place to look. You're sure there isn't anything in there? It should at least be logging the startup and loading the configuration before it reached that point.

b_chris

Yes, unfortunately there is no file like /var/log/ipsec.log
But what is strange: On previous attempts I remember that those files where present...

I think I'll try to reboot my box tomorrow and see if this changes the behavior and if I'll get at least log files.
I'll keep you updated.

b_chris

@jimp
After a restart I saw an empty ipsec.log again. When enabling the fully configured IPSec VPN the logfile grew to somewhere around 30-40MB within a few seconds. The logfile was spammed by those lines:

Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] error in C_WaitForSlotEvent: GENERAL_ERROR
Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] C_GetSlotInfo failed: SLOT_ID_INVALID
Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] error in C_WaitForSlotEvent: GENERAL_ERROR
Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] C_GetSlotInfo failed: SLOT_ID_INVALID
Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] error in C_WaitForSlotEvent: GENERAL_ERROR
Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] C_GetSlotInfo failed: SLOT_ID_INVALID
Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] error in C_WaitForSlotEvent: GENERAL_ERROR
Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] C_GetSlotInfo failed: SLOT_ID_INVALID
Aug  6 19:15:26 pfSense charon[55908]: 00[DMN] SIGTERM received, shutting down

I‘m not at home atm so my possibilities for further analysis is a bit limited… But as far as I can see those messages start right after:

Aug  6 19:15:03 pfSense charon[55908]: 00[JOB] spawning 16 worker threads

jimp

Those errors look like what happens when pcscd isn't running when the IPsec daemon expects it to be. Did you stop or disable that service somehow?

There is a patch to disable it properly on https://redmine.pfsense.org/issues/11933

b_chris

@jimp you nailed it :) pcscd was not running because I thought, I don’t need it. Starting it again solved my issues. IPSec is up an running smoothly.

Thanks for your fast and competent help!

MichelZ

@jimp said in High CPU load (100% on one core) when enabling Phase 1:

Those errors look like what happens when pcscd isn't running when the IPsec daemon expects it to be. Did you stop or disable that service somehow?

There is a patch to disable it properly on https://redmine.pfsense.org/issues/11933

Disable properly means IPSec won't need it and won't have these errors in the log?

jimp

@michelz said in High CPU load (100% on one core) when enabling Phase 1:

Disable properly means IPSec won't need it and won't have these errors in the log?

Correct. When disabled with the patch, references to that daemon and/or its services are not present in the IPsec configuration, so the errors will not happen.