[Openswan Users] High CPU usage (via ksoftirqd) when doing __xfrm4_find_bundle
Paul Wouters
paul at nohats.ca
Mon Mar 12 10:57:34 EDT 2012
On Mon, 12 Mar 2012, Roberto Suarez Soto wrote:
> we've got a load problem in one of our IPSec gateways, running
> openswan 1:2.6.28+dfsg-5+squeeze1 and kernel 2.6.32-5-686-bigmem (Debian
> Squeeze). The symptoms are high ksoftirqd CPU usage and network latency.
> Also, network load is not high, and we've already discarded problems with the
> NICs.
>
> After much searching and testing, we've seen that the culprit is the
> syscall __xfrm4_find_bundle, that occupies a big chunk of CPU when the
> problem arises. At first we thought the load was due to using 3DES
> extensively, and started migrating to AES-128; but today "perf top" shows
> clearly that the problem is __xfrm4_find_bundle.
>
> What is this syscall doing? Is there any way of making it ocuppy less
> CPU?
I've never heard of it. Your best bet would be to ask the kernel people,
probably Herbert Xu.
Alternatively, you can try using KLIPS instead of NETKEY/XFRM.
Paul
More information about the Users
mailing list