> Furthermore, I am afraid we actually queue a lot of jobs (more than one) when > the counter is decreased by one. > I think it may be the root problem?
Yes, until the next IKE_SA is checked in packets will be processed. > The only visible effect is to set a job limit, but since it is global we > could prevent high priority jobs to run properly. It's not a limit on the number of jobs, it's a limit that causes IKE_SA_INITs to get dropped when the number of jobs exceeds the configured number. Regards, Tobias