On Sat, Nov 25, 2006 at 02:29:46PM +0000, Brian Candler wrote:
> So now I need to establish whether those original 1,000 sent packets were
> actually arriving at the Cisco or not, which perhaps careful use of
> interface counters might reveal, or else I need to dig out a switch with
> port mirroring.

Interface counters are inconclusive. Making a measurement 3 seconds after I
start isakmpd, I get

OpenBSD: [netstat -nI rl0, taking the difference]

    Out: 1161
    In:  162

Cisco: [clear counters g0/0; wait 3 secs; show int g0/0]

    763 packets input, 124762 bytes, 40 no buffer
    Received 0 broadcasts, 0 runts, 0 giants, 2 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
    0 watchdog, 0 multicast, 0 pause input
    0 input packets with dribble condition detected
    161 packets output, 35536 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collision, 0 deferred
    0 lost carrier, 0 no carrier, 0 pause output
    0 output buffer failures, 0 output buffers swapped out

So it looks like some packets have been lost on reception, but it's not clear
whether all the packets did make it out of the OpenBSD box.

However, with "debug crypto isakmp errors" enabled on the Cisco, I get lots of
messages like this:

    *Aug 14 12:20:28.402: ISAKMP:(13124): starving for SPIs...
    *Aug 14 12:20:28.410: ISAKMP:(13124): starving for SPIs...
    *Aug 14 12:20:28.418: ISAKMP:(13124): starving for SPIs...
    *Aug 14 12:20:28.422: ISAKMP:(13124): starving for SPIs...
    *Aug 14 12:20:28.422: ISAKMP:(13124): starving for SPIs...

Google doesn't give any hits for this message. But I guess the Cisco can only
allocate SPIs so fast, and that's probably the main thing throttling this.

Anyway, the box I'm testing against has to be shipped out on Monday, but if I
manage to find out anything more I'll let you know.

Regards,

Brian.
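The counter comparison the post does by hand, as an added example (not part of the original message): it parses the receive-side fields from the quoted "show int" output, sets them against the sender's netstat Out count, and reports whether the receiver's own drop counters explain the gap. The sample text is copied from the post; field names and the "conclusive" rule are this example's own.

```python
import re

# Constructed sample: the receive-side lines of the Cisco "show int g0/0"
# output quoted in the post (only the lines the parser needs).
CISCO_SHOW_INT = """\
  763 packets input, 124762 bytes, 40 no buffer
  Received 0 broadcasts, 0 runts, 0 giants, 2 throttles
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
  161 packets output, 35536 bytes, 0 underruns
"""

# Each pattern matches "<count> <label>" as IOS prints it.
FIELDS = {
    "packets_input": r"(\d+) packets input",
    "no_buffer": r"(\d+) no buffer",
    "throttles": r"(\d+) throttles",
    "input_errors": r"(\d+) input errors",
    "packets_output": r"(\d+) packets output",
}

def parse_show_int(text):
    """Extract the named counters from 'show interface' output as ints."""
    counters = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        counters[name] = int(m.group(1)) if m else None
    return counters

def compare(sent, counters):
    """Set the sender's Out counter against the receiver's input counters.

    'rx_drops_reported' is the number of packets the receiver itself admits
    to discarding (no buffer + input errors).  If the gap between sent and
    received is larger than that, the interface counters alone cannot tell
    whether the remaining packets ever left the sender; a mirror port or a
    capture on the wire is needed to settle it.
    """
    received = counters["packets_input"]
    rx_drops = counters["no_buffer"] + counters["input_errors"]
    gap = sent - received
    return {
        "sent": sent,
        "received": received,
        "gap": gap,
        "rx_drops_reported": rx_drops,
        "conclusive": gap <= rx_drops,
    }

if __name__ == "__main__":
    print(compare(1161, parse_show_int(CISCO_SHOW_INT)))
```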