Netgate Discussion Forum

High CPU load (100% on one core) when enabling Phase 1

  • B
    b_chris
    last edited by Aug 4, 2021, 7:32 PM

    Hi,
    I tried to set up an IPsec server for my mobile devices following this guide: https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev2-eap-mschapv2.html#ikev2-server-configuration

    Right after configuring the Phase 1 (exactly like described) one core faces a 100% load caused by the charon process. As soon as I disable the Phase 1 my system is back to normal. At this point I didn't even configure a Phase 2.

    pfSense is on the latest 2.5.2.
    Is this a known issue? Can this be caused by some misconfiguration? I didn't find any useful logs that could help debugging.

    Thanks

    USER      PID  %CPU %MEM     VSZ    RSS TT  STAT STARTED        TIME COMMAND
    root       11 240.5  0.0       0     64  -  RNL  Sat14   23700:57.32 [idle]
    root    73035  87.3  0.6   70932  23644  -  S    21:26       0:19.21 /usr/local/libexec/ipsec/charon --use-syslog
    
    
    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Aug 4, 2021, 7:39 PM

      I haven't seen that happen here, but one thing that may be contributing: You should not apply the settings until your configuration is complete. Until it has a proper set of P2 entries for that mobile P1, it's not a valid configuration state.

      So don't apply any time you see the button, only at the very end of the process.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • B
        b_chris @jimp
        last edited by Aug 4, 2021, 7:51 PM

        @jimp Thank you for your fast reply.
        You made a valid point. Therefore I wiped my IPsec configuration and started from scratch using the above mentioned guide.
        Unfortunately also after applying only after finishing the configuration I ended up in the same situation: 100% load on one core.
        Only disabling the Phase 1 solves this.
        I don't see any related entries in the system.log and the IPsec.log is not even present at this point.
        Anywhere else I can look to get an indication of what is happening here?

        Thank you

        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Aug 4, 2021, 8:03 PM

          Normally the IPsec log would be the place to look. You're sure there isn't anything in there? It should at least be logging the startup and loading the configuration before it reached that point.

          • B
            b_chris @jimp
            last edited by Aug 4, 2021, 8:06 PM

            Yes, unfortunately there is no file like /var/log/ipsec.log
            But what is strange: On previous attempts I remember that those files were present...

            I think I'll try to reboot my box tomorrow and see if this changes the behavior and if I'll get at least log files.
            I'll keep you updated.

            • B
              b_chris @jimp
              last edited by Aug 6, 2021, 5:27 PM

              @jimp
              After a restart I saw an empty ipsec.log again. When enabling the fully configured IPSec VPN the logfile grew to somewhere around 30-40MB within a few seconds. The logfile was spammed by those lines:

              Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] error in C_WaitForSlotEvent: GENERAL_ERROR
              Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] C_GetSlotInfo failed: SLOT_ID_INVALID
              Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] error in C_WaitForSlotEvent: GENERAL_ERROR
              Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] C_GetSlotInfo failed: SLOT_ID_INVALID
              Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] error in C_WaitForSlotEvent: GENERAL_ERROR
              Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] C_GetSlotInfo failed: SLOT_ID_INVALID
              Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] error in C_WaitForSlotEvent: GENERAL_ERROR
              Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] C_GetSlotInfo failed: SLOT_ID_INVALID
              Aug  6 19:15:26 pfSense charon[55908]: 00[DMN] SIGTERM received, shutting down
              
              

              I'm not at home atm so my possibilities for further analysis are a bit limited… But as far as I can see those messages start right after:

              Aug  6 19:15:03 pfSense charon[55908]: 00[JOB] spawning 16 worker threads
              
              • J
                jimp Rebel Alliance Developer Netgate
                last edited by Aug 6, 2021, 5:56 PM

                Those errors look like what happens when pcscd isn't running when the IPsec daemon expects it to be. Did you stop or disable that service somehow?

                There is a patch to disable it properly on https://redmine.pfsense.org/issues/11933

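The log pattern diagnosed in the reply above, as an added example that is not part of the thread or of pfSense: a POSIX sh function that counts charon's PKCS#11 slot errors per second and per PID, so a flood like the one quoted earlier stands out in a large log. The function name, the threshold and the embedded sample (modelled on the lines quoted in the thread) are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the thread): spot a charon PKCS#11 error flood.

# Constructed sample input, modelled on the log lines quoted in the thread.
sample_log() {
cat <<'EOF'
Aug  6 19:15:03 pfSense charon[55908]: 00[JOB] spawning 16 worker threads
Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] error in C_WaitForSlotEvent: GENERAL_ERROR
Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] C_GetSlotInfo failed: SLOT_ID_INVALID
Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] error in C_WaitForSlotEvent: GENERAL_ERROR
Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] C_GetSlotInfo failed: SLOT_ID_INVALID
Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] error in C_WaitForSlotEvent: GENERAL_ERROR
Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] C_GetSlotInfo failed: SLOT_ID_INVALID
Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] error in C_WaitForSlotEvent: GENERAL_ERROR
Aug  6 19:15:26 pfSense charon[55908]: 02[CFG] C_GetSlotInfo failed: SLOT_ID_INVALID
Aug  6 19:15:26 pfSense charon[55908]: 00[DMN] SIGTERM received, shutting down
EOF
}

# pkcs11_flood THRESHOLD  (hypothetical helper name)
# Reads syslog-format lines on stdin and prints
#   "<month> <day> <hh:mm:ss> pid=<pid> errors=<count>"
# for every second in which one charon process logged at least THRESHOLD
# PKCS#11 slot errors. Exit status: 0 if a flood was found, 1 otherwise.
pkcs11_flood() {
    awk -v min="$1" '
        /charon\[[0-9]+\]:/ && /C_WaitForSlotEvent|C_GetSlotInfo failed/ {
            pid = $5
            gsub(/[^0-9]/, "", pid)            # "charon[55908]:" -> "55908"
            key = $1 " " $2 " " $3 " pid=" pid # one bucket per second and PID
            if (!(key in n)) order[++k] = key  # remember first-seen order
            n[key]++
        }
        END {
            for (i = 1; i <= k; i++)
                if (n[order[i]] >= min) {
                    print order[i] " errors=" n[order[i]]
                    hit = 1
                }
            exit (hit ? 0 : 1)
        }'
}

# Threshold 4 suits the short sample; a real flood is far denser.
sample_log | pkcs11_flood 4 || echo "no PKCS#11 flood in sample"
```

Against the real log the call would be `pkcs11_flood 100 < /var/log/ipsec.log`; a hit points at the pcscd state discussed in the reply above.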
                • B
                  b_chris @jimp
                  last edited by Aug 7, 2021, 9:13 AM

                  @jimp you nailed it :) pcscd was not running because I thought I don't need it. Starting it again solved my issues. IPsec is up and running smoothly.

                  Thanks for your fast and competent help!

                  • M
                    MichelZ @jimp
                    last edited by Sep 23, 2021, 8:18 AM

                    @jimp said in High CPU load (100% on one core) when enabling Phase 1:

                    Those errors look like what happens when pcscd isn't running when the IPsec daemon expects it to be. Did you stop or disable that service somehow?

                    There is a patch to disable it properly on https://redmine.pfsense.org/issues/11933

                    Disable properly means IPSec won't need it and won't have these errors in the log?

                    • J
                      jimp Rebel Alliance Developer Netgate @MichelZ
                      last edited by Sep 23, 2021, 12:06 PM

                      @michelz said in High CPU load (100% on one core) when enabling Phase 1:

                      Disable properly means IPSec won't need it and won't have these errors in the log?

                      Correct. When disabled with the patch, references to that daemon and/or its services are not present in the IPsec configuration, so the errors will not happen.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.