ocserv memory increase on occtl reload

Niels Peen niels at peen.ch
Thu Aug 20 10:16:20 PDT 2015


> On 20 Aug 2015, at 16:45, Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> wrote:

> I could not figure how to reproduce that. My main process remained
> unchanged after reloads using the sample config and certificate auth.
> Could you send me some steps to be able to reproduce the issue?

I use the config below, then use occtl to reload. Issue the reload command a few times and I’ll see a significant increase in memory usage.

It’s not necessary to have clients connect or disconnect. You can do the reloads immediately after starting ocserv.

config:

auth = "certificate"
acct = "radius[config=/etc/radiusclient/radiusclient.conf,nas-identifier=X.X.X.X]"
listen-host = X.X.X.X
max-clients = 1024
rate-limit-ms = 100
max-same-clients = 2
tcp-port = 8000
udp-port = 8000
keepalive = 32400
dpd = 29
mobile-dpd = 29
try-mtu-discovery = false
server-cert = /etc/ipsec.d/certs/X.pem
server-key = /etc/ipsec.d/private/X.pem
ca-cert = /etc/ipsec.d/cacerts/X.pem
crl = /etc/ipsec.d/crls/X.crl
auth-timeout = 1800
cookie-timeout = 604800
idle-timeout = 86400
mobile-idle-timeout = 86400
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv-cert-X.pid
chroot-dir = /
occtl-socket-file = /var/run/occtl-cert-X.socket
socket-file = /var/run/ocserv-cert-X-socket
run-as-user = nobody
run-as-group = daemon
net-priority = 6
device = tun_oc
default-domain = X.com
ipv4-network = 10.251.47.0
ipv4-netmask = 255.255.255.0
ipv6-network = X::/112
dns = 10.255.0.1
dns = 10.255.0.1
mtu = 1360
predictable-ips = true
output-buffer = 500
route-add-cmd = "ip route add %R dev %D"
route-del-cmd = "ip route delete %R dev %D"
config-per-user = /etc/ocserv/config-per-user/
cisco-client-compat = true
cert-user-oid = 2.5.4.3
connect-script    = /etc/ocserv/connect-X.sh
disconnect-script = /etc/ocserv/disconnect-X.sh
compression = true
no-compress-limit = 256

> btw. did you have any issues with the "enable-auth certificate"
> option? Its purpose was to eliminate the need for two servers.

No issues. Just haven’t shut down the old process on all servers yet.

What’s interesting to note is that the radius config with enable-auth="certificate" added does not have the memory issue.

Niels

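The reproduction described above is "reload a few times and watch memory grow". The script below is an added example, not part of the thread or of ocserv/occtl itself: it samples the main process's VmRSS from /proc after each `occtl reload` so the growth can be reported as numbers and compared between the plain certificate config and the radius config with enable-auth. It assumes a Linux /proc, occtl's `-s`/`--socket-file` option for selecting the control socket, and pid-file and socket paths constructed to match the config posted above (override them with the PID_FILE and OCCTL_SOCKET environment variables).

```shell
#!/bin/sh
# Added example, not from the thread: sample the ocserv main process's RSS
# across repeated "occtl reload" calls to turn "memory goes up" into numbers.
# Assumptions (constructed to match the posted config): the pid file and occtl
# socket paths below, Linux /proc, and occtl's -s/--socket-file option.

PID_FILE="${PID_FILE:-/var/run/ocserv-cert-X.pid}"
OCCTL_SOCKET="${OCCTL_SOCKET:-/var/run/occtl-cert-X.socket}"
RELOADS="${RELOADS:-10}"              # how many reloads to issue
THRESHOLD_KB="${THRESHOLD_KB:-1024}"  # flag total growth above this (kB)

# rss_kb_from_status: read /proc/<pid>/status text on stdin, print VmRSS in kB.
rss_kb_from_status() {
    awk '/^VmRSS:/ { print $2; exit }'
}

# rss_kb PID: print current RSS (kB) of PID; fail if the process is gone.
rss_kb() {
    [ -r "/proc/$1/status" ] || return 1
    rss_kb_from_status < "/proc/$1/status"
}

# growth_kb BEFORE AFTER: print AFTER minus BEFORE.
growth_kb() {
    echo $(( $2 - $1 ))
}

# verdict BEFORE AFTER THRESHOLD: "leak-suspect" if growth exceeds THRESHOLD kB, else "stable".
verdict() {
    if [ "$(growth_kb "$1" "$2")" -gt "$3" ]; then
        echo leak-suspect
    else
        echo stable
    fi
}

# reload_and_measure: issue RELOADS reloads, print RSS after each, then a verdict.
reload_and_measure() {
    pid=$(cat "$PID_FILE") || { echo "cannot read $PID_FILE" >&2; return 2; }
    before=$(rss_kb "$pid") || { echo "pid $pid not running" >&2; return 2; }
    after=$before
    echo "reload 0: VmRSS ${before} kB"
    i=1
    while [ "$i" -le "$RELOADS" ]; do
        occtl -s "$OCCTL_SOCKET" reload >/dev/null || { echo "occtl reload failed" >&2; return 2; }
        sleep 1   # let the main process finish re-reading config and certificates
        after=$(rss_kb "$pid") || { echo "pid $pid vanished" >&2; return 2; }
        echo "reload $i: VmRSS ${after} kB (+$(growth_kb "$before" "$after") kB since start)"
        i=$((i + 1))
    done
    echo "verdict: $(verdict "$before" "$after") (threshold ${THRESHOLD_KB} kB)"
}

# Run only when invoked as "sh ocserv-reload-rss.sh run", so the functions can also be sourced.
case "${1:-}" in
    run) reload_and_measure ;;
esac
```

Run it once against each configuration (`RELOADS=20 sh ocserv-reload-rss.sh run`); a per-reload increase that does not plateau is what distinguishes a leak from the one-off growth of re-reading certificates and the CRL into a fresh allocation.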

More information about the openconnect-devel mailing list