Charon memory leak

  • There have been a number of reports of memory leaks related to Charon in v2.2.2 and v2.2.3.  Have these been fixed in v2.2.4?

  • Rebel Alliance Developer Netgate

    That would need to be fixed by the strongSwan project, and I don't think there has been a new version of strongSwan between 2.2.3 and 2.2.4, so the behavior is likely the same.

    There were other fixes for various IPsec configuration problems, but I wouldn't expect those to affect RAM usage/leaks.

  • That won't be different in 2.2.4 since it's still the same strongswan base version. That's happened on every 2.2.x version to some degree. It's something we'll dig into further and pursue upstream after 2.2.4.

  • Anyone have any luck fixing this, Mine is crashing every 4 to 5 days. If someone has a hub and spoke to IPSEC solution and has it working with at least 75 plus tunnels would you mind telling me what your Ph1 and Ph2 settings are. I would love to try something.

  • This is part of what I'm looking into this week, hopefully can have some details to get reported upstream.

    Any real world experiences and specifics on what you're using would be appreciated.

  • Hi,

    I have exactly the same problem on 2 VMWare instances.

    Version : 2.2.4 (amd64)
    Cryptographic Hardware : AESNI

    I have a mix of IKEv1 and IKEv2 protocols. Mostly AES128.

    I could share my obfuscated IPsec configuration if needed.

    I have to stop and start IPsec service. Restart don't free memory…

    Thanks cmb for your investigation

  • I also have a mix of IKEv1 and IKEv2, i would say my end points are 75% pfsense and 25% cisco ASA. Remote endpoints are anything from 1.2.3 to 2.2.4. Every box i upgrade to 2.2.X i change the tunnel to IKEv2.

    I'm only using PSK on all connections.
    All my pfsense to pfsense tunnels are 3DES MD5 for both ph1 and ph2
    All my pfsense to Cisco ASA tunnels are 3DES MD5 for ph1 and AES256 MD5 for ph2

    I have about 100 tunnels on pfsense 2.2.3 AMD64

    AMD Athlon™ II X4 640 Processor  4 CPUs: 1 package(s) x 4 core(s)
    2GB Ram

    Reboot or Restarting the IPSEC frees up memory for me. I have a copy of my latest crash report if you need one.

    None of my end points seem to have this problem. They only have 1 to 3 tunnels each on them.

    Thanks again cmb for looking at it!

  • Even my end points with 1 VPN tunnel are having this problem. It just takes an really long time for it to run out of memory. Here is a box that has been up for 63 days.

    root   33255   0.0 14.5 321168 298032  -  Is   15Jun15      7:33.03 /usr/local/libexec/ipsec/charon --use-syslog

    Attach is the 3 month graph.

    I've tried different ipsec settings but nothing seems to help. It seems charon is just broken.

  • How can you solved it ?

    Setting your tunnels  from IKEv1 to IKEv2 ?

  • I don't think you can. I've tried IKEv1 IKEv2 all sorts of different settings and Charon continues to eat memory.

  • Any news on this problem ? Is Strongswan working well for anyone ? Or all >= 2.2.3 users affected ?

    I would be happy to offer my help to find the culpit… Maybe we can open a Redmine ticket ?

    Thanks !

  • Exactly the same issue for me in production with a low constant traffic. We need to restart the service every week.

    I'm a bit afraid by this ticket from strongswan tracking :
    Since I clearly do not have a high traffic on that pfSense node, it seems there IS a memory leak somewhere in charon… But in any case, they're talking about the v5.3, so if it's our issue, upgrade the pfsense dependency won't fix it.

    I think we need a ticket, but where ? ... both places ?


  • It is not that issue, see this thread also.

    CMB said he was going to look into it, but haven't heard anything back yet. i think it might be something with the FreeBSD port of strongswan because it doesn't seem like linux users are having this issue. Strongswan does have 5.3.3 coming out soon, but i don't see anything in release related to this.

    Also from my testing this issue is in every 2.2.X release

  • Can confirm. Didin't check new threads before posting:

  • @MadBullet:

    I'm a bit afraid by this ticket from strongswan tracking :

    That's strictly related to their userland libipsec, which has no relevance to anything we use.

    I confirmed the general issue.

  • Hi,

    May I ask you for news about this really anoying problem ?

    Thanks and regards

  • It's being worked currently.

  • @djamp42:

    It's being worked currently.

    There's an update on that ticket. Next snapshot run should resolve the serious leaks.

Log in to reply