Hi,<div><br></div><div>I coming back on the problem, it's append again yesturday</div><div>Our harware configuration is :</div><div>Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz with 2G DDR2 ram</div><div><br></div><div>
In my log jute when the cpu usage increace I found this:</div><div><br></div><div><div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #180426: max number of retransmissions (2) reached STATE_QUICK_I1</div><div>
Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #180426: starting keying attempt 8 of an unlimited number</div><div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #191712: initiating Quick Mode PSK+ENCRYPT+TUNNEL+IKEv2ALLOW to replace #180426 {using isakmp#101770 msgid:b199c684 proposal=NULL(11)_000-MD5(1)_128 pfsgroup=no-pfs}</div>
<div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #180425: max number of retransmissions (2) reached STATE_QUICK_I1</div><div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #180425: starting keying attempt 8 of an unlimited number</div>
<div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #191713: initiating Quick Mode PSK+ENCRYPT+TUNNEL+IKEv2ALLOW to replace #180425 {using isakmp#101770 msgid:fde37812 proposal=NULL(11)_000-MD5(1)_128 pfsgroup=no-pfs}</div>
<div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #180424: max number of retransmissions (2) reached STATE_QUICK_I1</div><div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #180424: starting keying attempt 8 of an unlimited number</div>
<div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #191714: initiating Quick Mode PSK+ENCRYPT+TUNNEL+IKEv2ALLOW to replace #180424 {using isakmp#101770 msgid:fdf0da3c proposal=NULL(11)_000-MD5(1)_128 pfsgroup=no-pfs}</div>
<div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #180423: max number of retransmissions (2) reached STATE_QUICK_I1</div><div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #180423: starting keying attempt 8 of an unlimited number</div>
<div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #191715: initiating Quick Mode PSK+ENCRYPT+TUNNEL+IKEv2ALLOW to replace #180423 {using isakmp#101770 msgid:53dd5572 proposal=NULL(11)_000-MD5(1)_128 pfsgroup=no-pfs}</div>
<div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #180422: max number of retransmissions (2) reached STATE_QUICK_I1</div><div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #180422: starting keying attempt 8 of an unlimited number</div>
<div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #191716: initiating Quick Mode PSK+ENCRYPT+TUNNEL+IKEv2ALLOW to replace #180422 {using isakmp#101770 msgid:dd20a66a proposal=NULL(11)_000-MD5(1)_128 pfsgroup=no-pfs}</div>
<div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #180421: max number of retransmissions (2) reached STATE_QUICK_I1</div><div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #180421: starting keying attempt 8 of an unlimited number</div>
<div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #191717: initiating Quick Mode PSK+ENCRYPT+TUNNEL+IKEv2ALLOW to replace #180421 {using isakmp#101770 msgid:32c81d69 proposal=NULL(11)_000-MD5(1)_128 pfsgroup=no-pfs}</div>
<div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #180420: max number of retransmissions (2) reached STATE_QUICK_I1</div><div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #180420: starting keying attempt 8 of an unlimited number</div>
<div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #191718: initiating Quick Mode PSK+ENCRYPT+TUNNEL+IKEv2ALLOW to replace #180420 {using isakmp#101770 msgid:9ef0e853 proposal=NULL(11)_000-MD5(1)_128 pfsgroup=no-pfs}</div>
<div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #180419: max number of retransmissions (2) reached STATE_QUICK_I1</div><div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #180419: starting keying attempt 8 of an unlimited number</div>
<div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #191719: initiating Quick Mode PSK+ENCRYPT+TUNNEL+IKEv2ALLOW to replace #180419 {using isakmp#101770 msgid:81d732ea proposal=NULL(11)_000-MD5(1)_128 pfsgroup=no-pfs}</div>
<div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #180498: max number of retransmissions (2) reached STATE_QUICK_I1</div><div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #180498: starting keying attempt 8 of an unlimited number</div>
<div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: "vpn-name1" #191641: initiating Quick Mode PSK+ENCRYPT+TUNNEL+IKEv2ALLOW to replace #180498 {using isakmp#101770 msgid:a6efd1fc proposal=NULL(11)_000-MD5(1)_128 pfsgroup=no-pfs}</div>
<div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: ERROR: "vpn-name1" #191641: recvmsg(,, MSG_ERRQUEUE) on eth1:0 failed in comm_handle. Errno 11: Resource temporarily unavailable</div><div>Oct 3 15:05:42 srv-vpn1 pluto[19667]: ERROR: "vpn-name1" #191641: sendto on eth1:0 to <a href="http://172.17.0.137:500">172.17.0.137:500</a> failed in quick_outI1. Errno 111: Connection refused</div>
<div>.....</div><div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name2" #180593: max number of retransmissions (2) reached STATE_MAIN_R1</div><div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name3" #180590: max number of retransmissions (2) reached STATE_MAIN_R1</div>
<div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name4" #180588: max number of retransmissions (2) reached STATE_MAIN_R1</div><div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name5" #180587: max number of retransmissions (2) reached STATE_MAIN_R1</div>
<div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name6" #180586: max number of retransmissions (2) reached STATE_MAIN_R1</div><div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name6" #180585: max number of retransmissions (2) reached STATE_MAIN_R1</div>
<div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name7" #180584: max number of retransmissions (2) reached STATE_MAIN_R1</div><div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name8" #180582: max number of retransmissions (2) reached STATE_MAIN_R1</div>
<div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name9" #180581: max number of retransmissions (2) reached STATE_MAIN_R1</div><div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name4" #180580: max number of retransmissions (2) reached STATE_MAIN_R1</div>
<div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name10" #180579: max number of retransmissions (2) reached STATE_MAIN_R1</div><div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name2" #180578: max number of retransmissions (2) reached STATE_MAIN_R1</div>
<div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name4" #180577: max number of retransmissions (2) reached STATE_MAIN_R1</div><div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name5" #180575: max number of retransmissions (2) reached STATE_MAIN_R1</div>
<div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name11" #180574: max number of retransmissions (2) reached STATE_MAIN_R1</div><div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name12" #180573: max number of retransmissions (2) reached STATE_MAIN_R1</div>
<div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name2" #180572: max number of retransmissions (2) reached STATE_MAIN_R1</div><div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name13" #180571: max number of retransmissions (2) reached STATE_MAIN_R1</div>
<div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name7" #180570: max number of retransmissions (2) reached STATE_MAIN_R1</div><div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name14" #180569: max number of retransmissions (2) reached STATE_MAIN_R1</div>
<div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name8" #180568: max number of retransmissions (2) reached STATE_MAIN_R1</div><div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name9" #180567: max number of retransmissions (2) reached STATE_MAIN_R1</div>
<div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name2" #180566: max number of retransmissions (2) reached STATE_MAIN_R1</div><div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name5" #180565: max number of retransmissions (2) reached STATE_MAIN_R1</div>
<div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name10" #180563: max number of retransmissions (2) reached STATE_MAIN_R1</div><div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name5" #180562: max number of retransmissions (2) reached STATE_MAIN_R1</div>
<div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name7" #180561: max number of retransmissions (2) reached STATE_MAIN_R1</div><div>Oct 3 15:05:43 srv-vpn1 pluto[19667]: "vpn-name8" #180559: max number of retransmissions (2) reached STATE_MAIN_R1</div>
</div><div><div><br></div><div>The vpn-name1 log appeard thousand of time in near one second.</div><div><br></div><div>After the "max number of retransmissions" series, it's look to be more quiet.</div><div>
<br></div><div>The conf file:</div><div><br></div><div><div>conn vpn-name1</div><div> auth=esp</div><div> ike=aes128-md5-modp1024</div><div> authby=secret</div><div> auto=route</div><div> compress=no</div>
<div> pfs=no</div><div> type=tunnel</div><div> keylife=24h</div><div> esp=null-md5</div><div> left=XXX.XXX.XXX.XXX</div><div> leftid=XXX.XXX.XXX.XXX</div><div> leftsubnet=YYY.YYY.1.YYY/24</div>
<div> right=ZZZ.ZZZ.ZZZ.ZZZ</div><div> rightid=ZZZ.ZZZ.ZZZ.ZZZ</div><div> rightsubnet=YYY.YYY.2.YYY/24</div></div><div><br></div><div>Any idear ?</div><div><br></div><div>Reagards</div><div><br></div>
<div>Benoit Schneider</div><div><br></div><div class="gmail_quote">2011/9/27 SCHNEIDER Benoit <span dir="ltr"><<a href="mailto:ton.ami.totoro@gmail.com">ton.ami.totoro@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Hi,<div><br></div><div>We don't use "plutodebug=all".</div><div><br></div><div>It's realy look than pluto make a list by trying to up a tunnel where the site is down, and then when the site is up again, he try to up all the list.</div>
<div><br></div><div>Regards</div><div><br></div><font color="#888888"><div>Benoit Schneider</div></font><div><div></div><div class="h5"><div><br><div class="gmail_quote">2011/9/26 Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com" target="_blank">paul@xelerance.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>On Mon, 26 Sep 2011, Benoit Schneider wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Thanks for your answer.<br>
But usually the CPU usage is under 1-2% It's just when pluto try to up again some VPN (and after we found many phase2 on those site) it's not all the time.<br>
I will check tomorrow for the plutodebug=all<br>
But there is no way to limit phase2 number on a site ?<br>
</blockquote>
<br></div>
There should only be 1 incomplete phase2 per conn<br><font color="#888888">
<br>
Paul<br>
</font></blockquote></div></div></div></div></blockquote></div><br>
</div>