[Openswan Users] High CPU usage (via ksoftirqd) when doing __xfrm4_find_bundle
paul at nohats.ca
Mon Mar 12 10:57:34 EDT 2012
On Mon, 12 Mar 2012, Roberto Suarez Soto wrote:
> we've got a load problem in one of our IPSec gateways, running
> openswan 1:2.6.28+dfsg-5+squeeze1 and kernel 2.6.32-5-686-bigmem (Debian
> Squeeze). The symptoms are high ksoftirqd CPU usage and network latency.
> Also, network load is not high, and we've already discarded problems with the
> After much searching and testing, we've seen that the culprit is the
> syscall __xfrm4_find_bundle, that occupies a big chunk of CPU when the
> problem arises. At first we thought the load was due to using 3DES
> extensively, and started migrating to AES-128; but today "perf top" shows
> clearly that the problem is __xfrm4_find_bundle.
> What is this syscall doing? Is there any way of making it ocuppy less
I've never heard of it. Your best bet would be to ask the kernel people,
probably Herbert Xu.
Alternatively, you can try using KLIPS instead of NETKEY/XFRM.
More information about the Users