Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Normal charon memory usage?

    Scheduled Pinned Locked Moved IPsec
    18 Posts 6 Posters 6.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      Stackmgr
      last edited by

      We have 2 pfSense boxes.  Each runs version 2.2.3 and each has constant memory leaks.  One box has 65+ tunnels and consumes 1 gig of RAM every 2 days.  The other has 3 tunnels and 4 gigs of RAM and takes months to consume all that RAM.  But RDD graphs show it is slowly eating it's way through the RAM.

      The box with the 65 tunnels has been running for 5+ years.  It started consuming RAM when it was updated to 2.2.2 (We went from 2.1.5 to 2.2.2).

      Neither box had a problem with version 2.1.5, so I don't think it's a NIC issue.

      1 Reply Last reply Reply Quote 0
      • ?
        Guest
        last edited by

        We have 2 pfSense boxes.  Each runs version 2.2.3 and each has constant memory leaks.

        Perhaps a daemon leaks in the new version, could be.

        One box has 65+ tunnels and consumes 1 gig of RAM every 2 days.

        Ok for sure this is a huge amount of VPN tunnels, but can you not flush the logs from the
        RAM after a while? Or are this all new build VPN keys that wasted your RAM?

        The other has 3 tunnels and 4 gigs of RAM and takes months to consume all that RAM.

        Thats the exactly point I want to drive your attention on! Low amount of tunnels low or slow RAM usage
        and many tunnels with fast and/or huge amount of RAM usage.

        The box with the 65 tunnels has been running for 5+ years.

        Ok for sure I can understand your point now a little bit better, and I really don´t know how to say it
        without making you perhaps angry, but this was not FreeBSD 10 or 10.1 as basis of your pfSense!
        The last 5 years I really mean, right? And so perhaps since the change of 2.1.5 to 2.2.2 and up to
        2.2.3 something was changing really, so that now your long time proofen setup is not running smooth
        and liquid anymore and you might change something or plain adjust something like the mbufs size perhaps
        that you will not running out of RAM in the future.

        Ok what I really want to say is the following:
        In older times and loiwer versions of FreeBSD and also then on top pfSense, because it is based on FreeBSD
        has had a let us call it, very old problem with the kernel buffer size, that comes from older days, allright?

        And now a newer version from FreeBSD, let us imagine ;-) is trying to solve this problem out
        and let the FreeBSD users and of course also the pfSense users freeing some of this kernel memory
        by setting up, under version 10.1, the mbufs size, to free the kernel memory, the memory usage will
        be also there but not freezing the box, ok?

        And I want to trigger you now to this exactly point to try this out, ok? Not more but also not less!
        I was getting out this by reading another forums thread I couldn´t find at the moment now, what
        is really sad related to my very poor english language skills I must say!

        1 Reply Last reply Reply Quote 0
        • D
          djamp42
          last edited by

          I am running

          • pfSense AMD64 2.2.3

          • AMD Athlon™ II X4 640 Processor 4 CPUs: 1 package(s) x 4 core(s).

          • 2GB RAM

          We actually had the same amount of tunnels running on a box with dual core and 1gb ram for long time, that was 2.1.X and with racoon we never saw this issue.

          Attached is what the RRD graph looks like, when you see the spikes reset that's when it crashed. All the ones right in a row was us proactively rebooting it.

          I went through all my IPSEC tunnels and nothing seems out of place. I was wondering if anyone else out there has 100+ Ipsec tunnels and not having this issue?

          ipsec_memory_graph.JPG_thumb
          ipsec_memory_graph.JPG

          1 Reply Last reply Reply Quote 0
          • ?
            Guest
            last edited by

            We actually had the same amount of tunnels running on a box with dual core and 1gb ram for long time, that was 2.1.X and with racoon we never saw this issue.

            I imagine the same as above, related to the circumstance that the version jump from pfSense 2.1.x to version 2.2.2
            was also a version jump from FreeBSD 8.3 to 10.0.

            I was wondering if anyone else out there has 100+ Ipsec tunnels and not having this issue?

            And I am pretty sure they will be all, earlier or later, coming in the same trap as you.

            Perhaps stronger and more powerful hardware and a pit of more RAM will do it also, without tuning the mbufs
            size, but this is another story.

            1 Reply Last reply Reply Quote 0
            • S
              Stackmgr
              last edited by

              Mbufs are running at 4 to 7% of the default count while RAM is still being consumed.  Not sure how increasing the Mbuf max count will help.

              Logs are set for silent.  Clearing the log has no significant impact on RAM.

              1 Reply Last reply Reply Quote 0
              • ?
                Guest
                last edited by

                Not sure how increasing the Mbuf max count will help.

                Then please read this article that would it perhaps explaining some how better.
                Tuning FreeBSD to serve 100-200 thousands of connections

                1 Reply Last reply Reply Quote 0
                • C
                  cmb
                  last edited by

                  There is a memory leak of some sort in strongswan under some condition(s).

                  djamp42: that's the worst I've seen, by far. Especially bad on a system with 2 GB RAM. Could you PM me a copy of your config from <ipsec>to</ipsec> ? Can copy/paste off of status.php which should trim out PSK and cert data which is unnecessary.

                  1 Reply Last reply Reply Quote 0
                  • D
                    djamp42
                    last edited by

                    I have been changing all my pfsense - pfsense tunnels to IKEv2 as i upgrade them. I do have about 50 pfsense to cisco ASA tunnels that have to stay IKEv1 due to the issues with IKEv2. If someone has this working with a large amount of tunnels i would be more then happy to change my settings to see if it fixes it.

                    1 Reply Last reply Reply Quote 0
                    • D
                      djamp42
                      last edited by

                      Also we average about 20Mb/s inbound and 50Mb/s output on the ipsec interface. It sounds like i could be running into this issue?

                      https://wiki.strongswan.org/issues/964

                      1 Reply Last reply Reply Quote 0
                      • C
                        cmb
                        last edited by

                        @djamp42:

                        Also we average about 20Mb/s inbound and 50Mb/s output on the ipsec interface. It sounds like i could be running into this issue?

                        https://wiki.strongswan.org/issues/964

                        No, we don't use libipsec.

                        1 Reply Last reply Reply Quote 0
                        • S
                          stemond
                          last edited by

                          if you find a solution please post here

                          1 Reply Last reply Reply Quote 0
                          • C
                            cmb
                            last edited by

                            The most significant leaks are now fixed in 2.2.5.

                            1 Reply Last reply Reply Quote 0
                            • S
                              stemond
                              last edited by

                              Great Work!

                              1 Reply Last reply Reply Quote 0
                              • J
                                jwt Netgate
                                last edited by

                                @cmb:

                                The most significant leaks are now fixed in 2.2.5.

                                Well, we've patched around them, anyway.

                                1 Reply Last reply Reply Quote 0
                                • First post
                                  Last post
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.