Bug #10687

IPsec / CESA memory issue

Added by Graham Collinson about 1 month ago. Updated 17 days ago.

Hardware / Drivers
Target version:
Start date:
Due date:
% Done:


Estimated time:
Affected Version:
Affected Architecture:


We have approximately 30 ipsec tunnels on a netgate SG-3100. We've been getting errors that stop tunnels from coming up and require a reboot to recover.

Found that we're getting this kind of error message at the time of the problems:

charon: 12[KNL] <con13000|200> unable to add SAD entry with SPI cb36cc85: Cannot allocate memory (12)

turned on ipsec debugging and find this message when the memory problem happens:

kernel: key_setsaval: unable to initialize SA type 3.

I've reported this bug to freebsd as
My investigation of the ipsec code appears to have found that cesa is limited to 64 active sessions at a time and will return enomem when it runs out of sessions.
All 11 releases of freebsd appear to have this limit. The 12 releases appear to have different memory management and do not have this problem.

we have changed net.inet.ipsec.crypto_support to the software driver only value of 33554432 and are no longer seeing problems with vpns.

discussion on the problem in the forum:


#1 Updated by Jim Pingle about 1 month ago

  • Subject changed from ipsec / cesa memory issue to IPsec / CESA memory issue
  • Category set to Hardware / Drivers
  • Affected Architecture deleted (amd64)

If the problem has already been addressed on 12.x there may be nothing more we need to do here. Needs confirmed on a 2.5.0 snapshot.

#2 Updated by Luiz Souza 17 days ago

  • Assignee set to Luiz Souza

#3 Updated by Luiz Souza 17 days ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

Fix merged to 11 based branches.

As mentioned, this is not necessary for 2.5.

Marking as resolved.

Also available in: Atom PDF