Hi,
   
  I am running OpenBSD 4.0 with carp+isakmpd+sasyncd+pf on 166MHz Pentium 
boards. Everything is working well. There are 6 locations, all clustered (2 
redundant firewalls).
   
  When I fail one cluster the other one takes over with some packet loss. I see 
the carp is doing its thing. After the failover the new master starts using the 
SAs from its partner until it establishes its own. For this delta time 
everything is stable.
10-15 seconds later it starts establishing the main mode keys all at the same 
time and I can see the CPU utilized at 100% for 7-9 seconds. During that time the 
communication is down again. After these new SAs are established, everything goes 
back to normal.
   
  Since I already have the SAs, there is really no need to run the CPU-demanding 
D-H to a point where the CPU is fully used and the packet forwarding is 
affected. 
   
  Is there a way to have the CPU-demanding main mode done so that the packet 
forwarding is not affected? I tried to run "nice isakmpd" but I still get the 
timeouts when the new IKE and IPSEC SAs are established. I also tried 
renicing process id 13 (crypto) with value -20, but I still get the same 
result.
   
  Thanks,
Catalin

       