Hi Neale,

Currently there is only one way of detecting whether the SA is in use: by checking the SA counter. But if the IKE has timed out and is rekeying the SA which was first used by ipsec4-input-feature, the SA may have been deleted in the esp_encrypt node. I rewrote the IKE plugin; in my test case, there are 10k IKE sessions with 20k SAs in the IPsec layer, the IKE timeout is 30s and the SA rekey timeout is 10s. The esp_encrypt node crashed frequently.