I think your rekey times are too fast and you create tunnels faster than we let them linger. Run "ipsec status" and I bet you are seeing thousands of tunnels waiting to get expired.
I do think we are keeping those around for far too long (an hour or so instead of like 20s or so)

Paul

Sent from my iPhone

> On Feb 28, 2017, at 09:28, D. Hugh Redelmeier <[email protected]> wrote:
>
> | From: Erik Andersson <[email protected]>
>
> (This is a quick reply, not a careful one.)
>
> | I ran the tunnels for 6 days and recognized that the memory consumption of
> | pluto was quite high. It started using around 8 MB and after six days it used
> | around 140 MB on both hosts.
>
> That's not good.
>
> | The leak detective reported the following when I shutdown pluto:
>
> | Feb 27 13:56:13: leak detective found 6 leaks, total size 192
>
> Clearly this isn't the problem. It only accounts for 192 bytes.
>
> | Is this "normal" memory consumption? 140 MB seems quite high to me but I'm not
> | sure.
>
> It should not be normal.
>
> | I ran another test with valgrind over night. The pluto process started with 8
> | MB and rose to 25 MB. I noticed two places where a lot of memory were still
> | reachable:
>
> NSS does its own memory allocation and is thus invisible to the leak
> detective. Anything NSS-related is thus suspect. Think: keys and
> related stuff. So you are probably on the right track.
>
> | ==2935== 5,095,216 bytes in 938 blocks are still reachable in loss record 652
>
> | ==2935== at 0x4C2B975: calloc (vg_replace_malloc.c:711)
> | ==2935== by 0x6B3B351: PORT_ZAlloc_Util (in /usr/lib64/libnssutil3.so)
>
> | ==2935== by 0x16B228: symkey_from_symkey (crypt_symkey.c:283)
>
> | 7,202,832 bytes in 1,326 blocks are still reachable in loss record 653 of 653
>
> | ==2935== at 0x4C2B975: calloc (vg_replace_malloc.c:711)
> | ==2935== by 0x6B3B351: PORT_ZAlloc_Util (in /usr/lib64/libnssutil3.so)
>
> | ==2935== by 0x16B356: chunk_from_symkey (crypt_symkey.c:319)
>
> 25MB - 8MB is bigger than 5MB + 7MB so there's more going on.
> _______________________________________________
> Swan-dev mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan-dev
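The comparison made in the quoted reply (growth in process size against the bytes valgrind reports as still reachable) can be automated over a full valgrind log. The script below is an added example, not part of the thread and not libreswan code: it charges each loss record to the first frame that has file:line information, skipping valgrind's malloc shim and frames inside shared objects such as NSS. The function names are hypothetical, the sample is the excerpt quoted above, and the 8 MB and 25 MB figures are assumed to be decimal megabytes.

```python
import re

HEADER = re.compile(r"^(?:==\d+==\s*)?([\d,]+) bytes in ([\d,]+) blocks are "
                    r"(still reachable|definitely lost|indirectly lost|possibly lost)")
FRAME = re.compile(r"^(?:==\d+==\s*)?(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)")

# The two loss records as quoted in the thread (elided frames stay elided;
# the second header has no ==PID== prefix in the message).
SAMPLE = """\
==2935== 5,095,216 bytes in 938 blocks are still reachable in loss record 652
==2935==    at 0x4C2B975: calloc (vg_replace_malloc.c:711)
==2935==    by 0x6B3B351: PORT_ZAlloc_Util (in /usr/lib64/libnssutil3.so)
==2935==    by 0x16B228: symkey_from_symkey (crypt_symkey.c:283)
7,202,832 bytes in 1,326 blocks are still reachable in loss record 653 of 653
==2935==    at 0x4C2B975: calloc (vg_replace_malloc.c:711)
==2935==    by 0x6B3B351: PORT_ZAlloc_Util (in /usr/lib64/libnssutil3.so)
==2935==    by 0x16B356: chunk_from_symkey (crypt_symkey.c:319)
"""

def parse_records(text):
    """Return one dict per loss record, attributed to its first source frame."""
    records, cur = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            cur = {"bytes": int(head[1].replace(",", "")),
                   "blocks": int(head[2].replace(",", "")),
                   "kind": head[3], "owner": None}
            records.append(cur)
            continue
        frame = FRAME.match(line)
        if cur is None or frame is None or cur["owner"]:
            continue
        func, where = frame.groups()
        # Skip valgrind's malloc shim and frames inside shared objects (NSS),
        # so the record is charged to the caller that has file:line info.
        if not where.startswith(("in ", "vg_replace_")):
            cur["owner"] = f"{func} ({where})"
    return records

def unexplained_growth(records, size_start, size_end):
    """Growth in process size (bytes) that the parsed records do not cover."""
    return (size_end - size_start) - sum(r["bytes"] for r in records)

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in sorted(recs, key=lambda r: -r["bytes"]):
        print(f'{r["bytes"]:>12,} B {r["blocks"]:>6,} blocks {r["kind"]}: {r["owner"]}')
    # 8 MB and 25 MB from the overnight run, taken here as decimal megabytes.
    print(f"unexplained: {unexplained_growth(recs, 8_000_000, 25_000_000):,} B")
```

A positive remainder means allocations outside the parsed records account for part of the growth, so the full log rather than the two largest records needs to be fed in.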
