[strongSwan-dev] strongswan 4.6.2: charon unstable/crashes when establishing a lot of connections

Munish Dayal munish.dayal at aricent.com
Fri Apr 13 16:12:46 CEST 2012


Hi,

The load-tester plugin looks like it uses a fixed set of credentials (mainly used for stress testing with some sample credentials).
In our test, we have thousands of terminals simulated on a Linux machine running charon, and each terminal or initiator has a unique IP address with a different certificate.

Is there a way to fix the charon crashes/instability in this scenario, or is the load-tester plugin the only way to proceed?

Thanks,
Munish

-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org]
Sent: 13 April 2012 15:14
To: Munish Dayal
Cc: dev at lists.strongswan.org
Subject: Re: [strongSwan-dev] strongswan 4.6.2: charon unstable/crashes when establishing a lot of connections

Hi,

> 2) On increasing the number of connections (entries in ipsec.conf
> file) to 4000, charon crashes and respawns randomly during tunnel
> creations:

> 3) On increasing the number of connections further to 10,000, Charon
> process crashes during loading of the ipsec.conf file itself
> (ipsec.conf file has 10,000 conn <xx> entries), with out of memory
> error:

> Apr 12 15:22:29 femtoslave3 charon: 71[CFG] received stroke: add
> connection 'host_5896'
> Apr 12 12:52:29 femtoslave3 out of memory [5196] Apr 12 12:52:29
> femtoslave3 out of memory [5196]

At least in the second case this looks like you are really running out of memory, and probably the OOM killer just kills charon?

> If there is any known limitation for charon to establish/initiate huge
> number of IPSec connections ?

Except for memory, probably not. But please be aware that the ipsec.conf configuration backend is not really designed to scale well with thousands of connection entries (you can handle several thousand responder tunnels just fine with a few ipsec.conf entries, though).

To test scalability, we use our load-tester plugin [1] that has been written just for that purpose. It is somewhat limited when using custom credentials, but should be easy to extend for your purposes.

Regards
Martin

[1] http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests
