IPSec buffer error

avdvyver · October 29, 2019, 9:48am

Hi,

Using a VyOS AWS AMI I noticed the bellow error message when one IPSec tunnel carries around 25Mbps:

ERROR: "peer-x.x.x.x-tunnel-1" #328: sendto on eth0 to x.x.x.x:500 failed in ISAKMP notify. Errno 105: No buffer space available

I moved the traffic to the secondary VyOS router (same instance size as the primary) and the same error message appeared. The actual symptoms are packet loss and increased latency. The instance CPU is sitting at around 30%. Any thoughts on what type of limit is being hit here and how to get around it (configuration change etc.)?

Thank you

Dmitry · October 29, 2019, 10:15am

Hi, can you try increase some sysctl params and test again?

set system sysctl custom net.core.rmem_default value '425984'
set system sysctl custom net.ipv4.tcp_rmem value '4096 212992 6291456'

I tested ipsec recently with speed more 1Gbps without any sysctl modification and didn’t see any issues.

avdvyver · October 30, 2019, 12:17pm

Thanks - I have implemented and will get back to you with the results

Dmitry · December 8, 2019, 4:29pm

Hello @avdvyver, do you have some results?

avdvyver · December 9, 2019, 7:47am

Hi @Dmitry
I have not been able to reproduce the specific scenario. I do however think that that this issue was caused by a bug in the code on my side that was establishing millions of connections incorrectly though our VyOS routers. I think this might have caused too much load on conntrack. I have subsequently disabled conntrack completely as I don’t need it (I just had one scr NAT configured that added conntrack in iptables).
If this resurfaces, I will let you know but so far, so good.

system · December 11, 2019, 7:47am

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.