High CPU usage with IPSec

Medalha · Oct 27, 2021, 4:38 PM

After an upgrade to pfsense 2.5.2 I noticed an abnormal use of RAM and swap space. Normally, swap is not even used. I googled the issue and looks like there's a memory leak with the pcscd (PC/SC Smart Card Daemon) service. I thought that I don't need this service so I disabled it.

Then CPU usage jumped to 100%. In Diagnostics/System activity there are a bunch of entries with CPU between 90 and 100%, referring to:

bzip2 -f /var/log/ipsec.log.1
bzip2 -f /var/log/ipsec.log.2
bzip2 -f /var/log/ipsec.log.3
bzip2 -f /var/log/ipsec.log.4
bzip2 -f /var/log/ipsec.log.5
bzip2 -f /var/log/ipsec.log.6

I disabled compression of log file rotation. CPU usage is still too high, and I noticed the following:

PID USERNAME PRI NICE SIZE RES STATE C TIME WCPU COMMAND
68756 root 103 0 11M 2648K CPU2 2 3:04 100.00% /usr/sbin/syslogd -O rfc3164 -s -c -c -l /var/dhcpd/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf
81811 root 103 0 69M 20M CPU1 1 1:21 100.00% /usr/local/libexec/ipsec/charon --use-syslog{charon}

Now, if I enable pcscd, CPU usage drops to 7 to 9% but then RAM is filling up again.

I am pretty sure that it didn't happen with the previous version of pf sense. Than you.

I can see that there's a related bug report here:
https://redmine.pfsense.org/issues/12468

But when I try to download the fix from:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/431

I get a site timeout, server unavailable.

SteveITS · Oct 27, 2021, 8:21 PM

@medalha said in High CPU usage with IPSec:

https://redmine.pfsense.org/issues/12468

Here's a post referencing the patch by ID:
https://forum.netgate.com/post/1007737

And yes per postings here (as mentioned in that thread) just stopping it while IPSec is in use will cause IPSec problems.

Medalha · Oct 27, 2021, 8:58 PM

@steveits Patch applied. Looks good so far. Thank you!

MrKoen · Nov 4, 2021, 5:48 PM

@steveits Encountered the same issue here. Applying the patch seems to fix it. Thanks!

Medalha · Nov 4, 2021, 7:43 PM

@mrkoen I applied the patch eight days ago. All is good, the patch does work.

SteveITS · Jan 4, 2022, 8:43 PM

Just ran into this ourselves...on this router back in late September I stopped pcscd but I didn't bother installing the patch since 21.09 was presumably imminent. Fast forward a few months and we're setting up IPSec, with pcscd long stopped. Diag/activity showed 88% idle at the top, yet had the lines for charon and syslogd and the idle/CPU entries were only a few percent. Starting pcscd dropped CPU use to normal. Patch + stop IPSec + stop pcscd + start IPSec fixed it.

Medalha · Jan 4, 2022, 11:55 PM

This post is deleted!