On 19.02.2018 12:28, Misak Khachatryan wrote:
> Hi,
> 
> # vmstat -m | egrep "sec|sah|pol"
>  inpcbpolicy   122     4K       -  4955796  32
>     secasvar 48558 12140K       -  1572045  256
>       sahead     3     1K       -       15  256
>  ipsecpolicy   256    64K       -  9911740  256
> ipsecrequest    12     2K       -       48  128
>   ipsec-misc 389632 12176K       - 12575976  16,32,64
>    ipsec-saq     3     1K       -       15  128
>    ipsec-reg     3     1K       -       12  32
>        histogram by message type:
>                getspi: 1533688
>                update: 1533640
>                add: 25
>                delete: 1
>                acquire: 1569975
>                register: 16
>                expire: 2968244
>                flush: 10
>                dump: 111982
>                x_promisc: 48
>                x_spdadd: 48
>                x_spddump: 60
>                x_spdflush: 7

This looks very strange. Are these from the same machine?
You said the system has only 3 tunnels. From this output I can say that
you have too many SAs. Huge numbers for getspi, update, and acquire
messages mean that you have a security policy that produces many SAs.
Probably something is wrong with your configs.

-- 
WBR, Andrey V. Elsukov
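
Added example, not part of the original message or of anyone's tooling in this thread: a shell check that reads `vmstat -m` output like that quoted above and compares the `secasvar` (SA) in-use count with a budget derived from the tunnel count. The baseline of 2 SAs per tunnel and the slack factor of 4 are assumptions; the sample lines are copied from the quoted output.

```shell
#!/bin/sh
# Sample input: lines copied from the vmstat -m output quoted in the message.
sample_vmstat() {
cat <<'EOF'
 inpcbpolicy   122     4K       -  4955796  32
    secasvar 48558 12140K       -  1572045  256
      sahead     3     1K       -       15  256
 ipsecpolicy   256    64K       -  9911740  256
EOF
}

# malloc_inuse TYPE: read `vmstat -m` output on stdin and print the InUse
# column (2nd field) for the named malloc type, or 0 if the type is absent.
malloc_inuse() {
    awk -v t="$1" '$1 == t { n = $2 } END { print n + 0 }'
}

# sa_budget TUNNELS: assumed upper bound on live SAs.
# Assumption: 2 SAs per tunnel (one per direction) times a slack factor
# of 4 for rekey overlap. Adjust both numbers to the actual setup.
sa_budget() {
    echo $(( $1 * 2 * 4 ))
}

# check_sa_count TUNNELS: read `vmstat -m` output on stdin; return 0 when
# secasvar InUse is within the budget, 1 when it exceeds it.
check_sa_count() {
    stats=$(cat)
    inuse=$(printf '%s\n' "$stats" | malloc_inuse secasvar)
    heads=$(printf '%s\n' "$stats" | malloc_inuse sahead)
    budget=$(sa_budget "$1")
    if [ "$inuse" -gt "$budget" ]; then
        echo "secasvar InUse=$inuse (sahead=$heads) exceeds budget=$budget for $1 tunnels"
        return 1
    fi
    echo "secasvar InUse=$inuse (sahead=$heads) within budget=$budget for $1 tunnels"
    return 0
}

# On a live FreeBSD host: vmstat -m | check_sa_count 3
sample_vmstat | check_sa_count 3 || true
```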
