[Openswan dev] Small optimisation for lots of interfaces
Paul Wouters
paul at xelerance.com
Thu Nov 24 19:45:39 CET 2005
On Thu, 24 Nov 2005, David McCullough wrote:
> Using simple tunnels (ie., same two hosts, same secret, lots of networks)
> I have seen the following pluto silently exit sometime between 1000 and
> 2000 tunnels. I cannot remember f I saw it crash or not in this
> scenario. Each tunnel was exercised as it came up to enure data would
> pass through ok.
I would really like to see the core files of pluto dying in such case.
We did not observe this behaviour when we did testing with thousands of
tunnels over a year and a half ago when running against an (Ixia?) IPsec
testbox.
> Some of the problems we have seen are were related to dead peer code.
> Once you get a significant tunnel count you need to backoff the DPD
> timers quite a bit or pluto starts pulling tunnels down.
If you are congested, and are dropping DPD packets, then sure this will
happen. That's why some call it "make deads". If your bandwidth is
congested, and you are using DPD, then you will lose tunnels. The fix is
to buy more bandwidth, or disable DPD. Or if you can, somehow give DPD
packets a higher priority then other packets, but I'm not sure if you
can use QoS there.
Paul
More information about the Dev
mailing list