[Swan-dev] Pluto memory consumption

Paul Wouters paul at nohats.ca
Tue Feb 28 14:34:55 UTC 2017 

I think your rekey times are too fast and you create tunnels faster then we let them linger. Run "ipsec status" and I bet you are seeing thousands of tunnels waiting to get expired.

I do think we are keeping those around for far too long (an hour or so instead of like 20s or so)

Paul

Sent from my iPhone

> On Feb 28, 2017, at 09:28, D. Hugh Redelmeier <hugh at mimosa.com> wrote:
> 
> | From: Erik Andersson <erik at ingate.com>
> 
> (This is a quick reply, not a careful one.)
> 
> | I ran the tunnels for 6 days and recognized that the memory consumption of
> | pluto was quite high. It started using around 8 MB and after six days it used
> | around 140 MB on both hosts.
> 
> That's not good.
> 
> | The leak detective reported the following when I shutdown pluto:
> 
> | Feb 27 13:56:13: leak detective found 6 leaks, total size 192
> 
> Clearly this isn't the problem.  It only accounts for 192 bytes.
> n
> | Is this "normal" memory consumption? 140 MB seems quite high to me but I'm not
> | sure.
> 
> It should not be normal.
> 
> | I ran another test with valgrind over night. The pluto process started with 8
> | MB and rose to 25 MB. I noticed two places where a lot of memory were still
> | reachable:
> 
> NSS does its own memory allocation and is thus invisible to the leak
> detective.  Anything NSS-related is thus suspect.  Think: keys and
> related stuff.  So you are probably on the right track.
> 
> | ==2935== 5,095,216 bytes in 938 blocks are still reachable in loss record 652
> 
> | ==2935==    at 0x4C2B975: calloc (vg_replace_malloc.c:711)
> | ==2935==    by 0x6B3B351: PORT_ZAlloc_Util (in /usr/lib64/libnssutil3.so)
> 
> | ==2935==    by 0x16B228: symkey_from_symkey (crypt_symkey.c:283)
> 
> 
> 
> | 7,202,832 bytes in 1,326 blocks are still reachable in loss record 653 of 653
> 
> | ==2935==    at 0x4C2B975: calloc (vg_replace_malloc.c:711)
> | ==2935==    by 0x6B3B351: PORT_ZAlloc_Util (in /usr/lib64/libnssutil3.so)
> 
> | ==2935==    by 0x16B356: chunk_from_symkey (crypt_symkey.c:319)
> 
> 25MB - 8MB is bigger than 5MB + 7MB so there's more going on.
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev

More information about the Swan-dev mailing list