Hi,
I am running OpenBSD 4.0 with carp+isakmpd+sasyncd+pf on 166MHz Pentium
boards. Everything is working well. There are 6 locations, all clustered (2
redundant firewalls).
When I fail one cluster the other one takes over with some packet loss. I see
the carp is doing its thing. After the failover the new master starts using the
SAs from its partner until it establishes its own. For this delta time
everything is stable.
10-15 seconds later it starts establishing the main mode keys all at the same
time, and I can see the CPU utilized at 100% for 7-9 seconds. During that time the
communication is down again. After these new SAs are established everything goes
back to normal.
Since I already have the SAs, there is really no need to run the CPU-demanding
D-H to a point where the CPU is fully used and the packet forwarding is
affected.
Is there a way to have the CPU-demanding main mode done so that the packet
forwarding is not affected? I tried to run "nice isakmpd" but I still get the
timeouts when the new IKE and IPsec SAs are established. I also tried
renicing process id 13 (crypto) with value -20, but I still get the same
result.
Thanks,
Catalin