<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12pt"><div><span>Hi All,</span></div><div><span></span> </div><span><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font color="#000000" face="Calibri">I am using strongSwan 5.0.4 and the load tester plugin. Upon further debugging, I found that, with 200k IPsec tunnels, although it can bring up all those tunnels successfully (with average setup rate 180), there are lots of retransmissions by the IKE Initiator in charon.log. Upon debugging, I noticed that, under heavy load (200k), there are packet losses, i.e. the packets (IKE_SA_INIT/IKE_AUTH request messages) are received by the kernel but not by the Charon daemon (IKE Responder end). </font></span></div><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font color="#000000"
face="Calibri"></font></span> </div><font color="#000000" face="Times New Roman" size="3"></font><ol style="list-style-type: decimal; direction: ltr;"><li style="font-style: normal; font-weight: normal;"><div style="font-style: normal; font-weight: normal; margin-top: 0in; margin-bottom: 0pt;"><span style="line-height: 115%; font-size: 12pt;">Noticed the lost packets (i.e., packet receive errors in the Udp section) in <span> </span>#netstat -su, which kept on increasing with respect to time.</span></div></li><li style='font-family: "Calibri","sans-serif"; font-size: 12pt; font-style: normal; font-weight: normal;'><div style='font-family: "Calibri","sans-serif"; font-size: 11pt; font-style: normal; font-weight: normal; margin-top: 0in; margin-bottom: 0pt;'><span style="line-height: 115%; font-size: 12pt;">In #netstat -ua, looked at the Recv-Q column of the isakmp connection and found that the values are high and don't drop to zero. If this is 0,
everything’s ok; if there are non-zero values, the process can’t handle the load.</span></div></li><li style='font-family: "Calibri","sans-serif"; font-size: 12pt; font-style: normal; font-weight: normal;'><div style='font-family: "Calibri","sans-serif"; font-size: 11pt; font-style: normal; font-weight: normal; margin-top: 0in; margin-bottom: 10pt;'><span style="line-height: 115%; font-size: 12pt;">Read the file #cat /proc/net/udp, column rx_queue. I noticed the value different than zero in that column.</span></div></li></ol><font color="#000000" face="Times New Roman" size="3"></font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font color="#000000" face="Calibri">From the above statistics, it just means that the Charon daemon is not reading the socket fast enough. The average arrival rate regularly causes a backlog in the receive queue. The maximum number of queued received data depends on
/proc/sys/net/ipv4/udp_mem and /proc/sys/net/ipv4/udp_rmem_min. </font></span></div><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font color="#000000" face="Calibri">Should I tweak these parameters to achieve zero packet loss? Also how can I employ the Charon daemon to do load balancing across multiple threads?</font></span></div><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font color="#000000" face="Calibri"></font></span> </div><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">Regards,</font></span></div><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">Chinmaya</font> </span></div></span><div> </div><div class="yahoo_quoted" style="display: block;"> <br> <br> <div style="font-family: HelveticaNeue, Helvetica Neue,
Helvetica, Arial, Lucida Grande, sans-serif; font-size: 12pt;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 12pt;"> <div dir="ltr"> <font face="Arial" size="2"> On Monday, March 10, 2014 4:18 PM, Chinmaya Dwibedy &lt;ckdwibedy@yahoo.com&gt; wrote:<br> </font> </div> <div class="y_msg_container"><div id="yiv2610284581"><div><div style="color: rgb(0, 0, 0); font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 12pt; background-color: rgb(255, 255, 255);"><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><font face="Calibri">Hi All,</font></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><font face="Calibri">I am running with 200k IPsec tunnels. Although it can bring
up all those tunnels successfully, I find, there are lots of retransmissions in
charon.log. </font></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><font face="Calibri">Jan 1 00:10:29 56[IKE] retransmit 1 of request with message
ID 0 (IKE Initiator)</font></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><font face="Calibri">Jan 1 00:10:45 49[IKE] received retransmit of request with
ID 0, retransmitting response (IKE Responder)</font></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><font face="Calibri">I know, these are certainly considered to be bad.<span> </span>Checked the CPU usage of Charon daemon at IKE
responder end (through top -p &lt;PID of Charon daemon&gt;) and found it to be
less than 10% (mostly). Profiling shows that most of the time is
spent in pthread_mutex_lock().<span> </span>Note, I
have set the retransmit_timeout and retransmit_tries to 60 seconds and 30 times
respectively, which is quite big. Can anyone please guide/suggest what might be
the issue?</font></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><font face="Calibri"> </font></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><font face="Calibri">Regards,</font></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><font face="Calibri">Chinmaya</font></div><div><font face="Times New Roman">
</font></div></div></div></div><br><br></div> </div> </div> </div> </div></body></html>
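The checks listed in the message above (UDP receive errors, and a non-zero rx_queue for the isakmp socket in /proc/net/udp) can be scripted on Linux. This is an added example, not part of the original post and not strongSwan code; the function names and both sample inputs are constructed for illustration, and including the NAT-T port 4500 alongside isakmp port 500 is an assumption.

```python
"""Report receive-queue backlog and drops for IKE sockets (Linux /proc/net)."""

IKE_PORTS = {500, 4500}  # isakmp, plus NAT-T (assumption: not named in the post)

# Constructed sample in /proc/net/udp layout; values are illustrative, not measured.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  41: 00000000:01F4 00000000:0000 07 00000000:00034B00 00:00000000 00000000     0        0 18211 2 0000000000000000 1523
  42: 00000000:1194 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 18212 2 0000000000000000 0
  77: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 9011 2 0000000000000000 0
"""

# Constructed sample of the Udp lines in /proc/net/snmp (what `netstat -su` reads).
SAMPLE_PROC_NET_SNMP = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 912345 12 1523 900210 1523 0
"""

def ike_socket_backlog(proc_net_udp, ports=IKE_PORTS):
    """Return one record per UDP socket bound to an IKE port."""
    records = []
    for line in proc_net_udp.splitlines()[1:]:       # skip the header row
        fields = line.split()
        if len(fields) < 13:                          # 'drops' is the 13th column
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)   # local_address is HEXIP:HEXPORT
        if port not in ports:
            continue
        rx_queue = int(fields[4].split(":")[1], 16)   # tx_queue:rx_queue, hex bytes
        records.append({"port": port, "rx_queue": rx_queue,
                        "drops": int(fields[12]),     # per-socket drop counter
                        "backlogged": rx_queue > 0})
    return records

def udp_counters(proc_net_snmp):
    """Pair the 'Udp:' header line with its value line into a dict."""
    rows = [l.split()[1:] for l in proc_net_snmp.splitlines() if l.startswith("Udp:")]
    header, values = rows[0], rows[1]
    return dict(zip(header, map(int, values)))

if __name__ == "__main__":
    for rec in ike_socket_backlog(SAMPLE_PROC_NET_UDP):
        print(rec)
    counters = udp_counters(SAMPLE_PROC_NET_SNMP)
    print("InErrors:", counters["InErrors"], "RcvbufErrors:", counters["RcvbufErrors"])
```

On a live responder, pass the contents of /proc/net/udp and /proc/net/snmp instead of the samples and compare successive readings; IPv6 sockets are listed separately in /proc/net/udp6.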