Page MenuHomeVyOS Platform
Create Task
Maniphest T4403

Charon hangs at 100% CPU when many routes are present
Open, Requires assessmentPublicBUG
Actions

Description

On a router with many routes, charon uses always 100% CPU. This results in packet loss, at least of tunneled packets.

Use case: A full table BGP router that is also endpoint for specific connections.

Route count on a router (which has this error):

vyos@rz2a-gw5# run show ip route summary 
Route Source         Routes               FIB  (vrf default)
connected            4                    4                    
ospf                 208                  204                  
ebgp                 0                    0                    
ibgp                 879186               879177               
------
Totals               879398               879385

While researching, i found out there appear many rt_netlink drops in the log, which i'd associate with the count of routes. And they change often as it's the nature of full BGP route tables. Charon itself logs nothing.

Details

Difficulty level
Unknown (require assessment)
Version
1.3.1-S1
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

wornet-mwo created this task.May 2 2022, 10:25 AM
pasik added a subscriber: pasik.May 2 2022, 11:45 AM
wornet-mwo added a comment.EditedMay 2 2022, 12:23 PM

Done some further research about rt_netlink and charon relationship. As described in the docs of Strongswan the option charon.process_route = no helps and is a good workaround if the destination is always reachable over a known specific interface (i think it can be an issue if wan load-balancing etc. is used).

For people maybe also facing this issue: Add a file inside /config containing charon.process_route = no and include it through set vpn ipsec include-ipsec-conf /config/<ipsec-additional-file>.conf. Add a file in /etc/strongswan.d/charon-additional.conf with contents:

# See https://phabricator.vyos.net/T4403
charon {
    process_route = no
}

and restart the ipsec daemon (maybe by running sudo systemctl restart ipsec if restart vpn does not work).

However, shouldn't be this done by VyOS per default or global option (like "disable-route-autoinstall")?