[Openswan Users] High CPU usage (via ksoftirqd) when doing __xfrm4_find_bundle

Paul Wouters paul at nohats.ca
Mon Mar 12 10:57:34 EDT 2012

On Mon, 12 Mar 2012, Roberto Suarez Soto wrote:

> 	we've got a load problem in one of our IPSec gateways, running 
> openswan 1:2.6.28+dfsg-5+squeeze1 and kernel 2.6.32-5-686-bigmem (Debian 
> Squeeze). The symptoms are high ksoftirqd CPU usage and network latency. 
> Also, network load is not high, and we've already discarded problems with the 
> NICs.
> 	After much searching and testing, we've seen that the culprit is the 
> syscall __xfrm4_find_bundle, that occupies a big chunk of CPU when the 
> problem arises. At first we thought the load was due to using 3DES 
> extensively, and started migrating to AES-128; but today "perf top" shows 
> clearly that the problem is __xfrm4_find_bundle.
> 	What is this syscall doing? Is there any way of making it ocuppy less 
> CPU?

I've never heard of it. Your best bet would be to ask the kernel people,
probably Herbert Xu.

Alternatively, you can try using KLIPS instead of NETKEY/XFRM.


More information about the Users mailing list