Hi,

I am running OpenBSD 4.0 with carp+isakmpd+sasyncd+pf on 166MHz Pentium boards. Everything is working well. There are 6 locations, all clustered (2 redundant firewalls).

When I fail one cluster, the other one takes over with some packet loss. I see that carp is doing its thing. After the failover, the new master starts using the SAs from its partner until it establishes its own. For this delta time everything is stable. 10-15 seconds later it starts establishing the main mode keys all at the same time, and I can see the CPU utilized at 100% for 7-9 seconds. During that time the communication is down again. After these new SAs are established, everything goes back to normal.

Since I already have the SAs, there is really no need to run the CPU-demanding D-H to a point where the CPU is fully used and the packet forwarding is affected. Is there a way to have the CPU-demanding main mode done so that the packet forwarding is not affected?

I tried to run "nice isakmpd", but I still get the timeouts when the new IKE and IPSEC SAs are established. I also tried renice-ing process id 13 (crypto) with value -20, but I still get the same result.

Thanks,
Catalin