> On 20 Aug 2015, at 16:45, Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> wrote:
> I could not figure how to reproduce that. My main process remained
> unchanged after reloads using the sample config and certificate auth.
> Could you send me some steps to be able to reproduce the issue?

I use the config below, then use occtl to reload. Issue the reload command a few times and I'll see a significant increase in memory usage. It's not necessary to have clients connect or disconnect. You can do the reloads immediately after starting ocserv.

config:

auth = "certificate"
acct = "radius[config=/etc/radiusclient/radiusclient.conf,nas-identifier=X.X.X.X]"
listen-host = X.X.X.X
max-clients = 1024
rate-limit-ms = 100
max-same-clients = 2
tcp-port = 8000
udp-port = 8000
keepalive = 32400
dpd = 29
mobile-dpd = 29
try-mtu-discovery = false
server-cert = /etc/ipsec.d/certs/X.pem
server-key = /etc/ipsec.d/private/X.pem
ca-cert = /etc/ipsec.d/cacerts/X.pem
crl = /etc/ipsec.d/crls/X.crl
auth-timeout = 1800
cookie-timeout = 604800
idle-timeout = 86400
mobile-idle-timeout = 86400
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv-cert-X.pid
chroot-dir = /
occtl-socket-file = /var/run/occtl-cert-X.socket
socket-file = /var/run/ocserv-cert-X-socket
run-as-user = nobody
run-as-group = daemon
net-priority = 6
device = tun_oc
default-domain = X.com
ipv4-network = 10.251.47.0
ipv4-netmask = 255.255.255.0
ipv6-network X::/112
dns = 10.255.0.1
dns = 10.255.0.1
mtu = 1360
predictable-ips = true
output-buffer = 500
route-add-cmd = "ip route add %R dev %D"
route-del-cmd = "ip route delete %R dev %D"
config-per-user = /etc/ocserv/config-per-user/
cisco-client-compat = true
cert-user-oid = 2.5.4.3
connect-script = /etc/ocserv/connect-X.sh
disconnect-script = /etc/ocserv/disconnect-X.sh
compression = true
no-compress-limit = 256

> btw. did you have any issues with the "enable-auth certificate"
> option? Its purpose was to eliminate the need for two servers.

No issues. Just haven't shut down the old process on all servers yet. What's interesting to note is that the radius config with enable-auth="certificate" added does not have the memory issue.

Niels
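One way to put numbers on the growth described in this message, as an added example that is not part of the original email or of ocserv's own tooling: it samples the resident set size of the process named in the pid-file after each `occtl reload`. It assumes a Linux `/proc`, that the pid-file holds the main process PID, and reuses the `pid-file` and `occtl-socket-file` paths from the config above with their `X` placeholders left in place; the function names and the 2-second settle delay are choices made for this sketch.

```shell
#!/bin/sh
# Added example: measure main-process RSS growth across occtl reloads.
# Paths are taken from the config in the message, X placeholders included;
# override them through the environment for a real instance.
PID_FILE="${PID_FILE:-/var/run/ocserv-cert-X.pid}"
OCCTL_SOCKET="${OCCTL_SOCKET:-/var/run/occtl-cert-X.socket}"

# Print VmRSS in kB from a /proc/<pid>/status-format file.
# Exits non-zero when the file has no VmRSS line.
rss_kb() {
    awk '$1 == "VmRSS:" { print $2; found = 1 } END { exit !found }' "$1"
}

# Given baseline and current RSS in kB, print the growth in kB and percent.
growth() {
    awk -v a="$1" -v b="$2" \
        'BEGIN { printf "%d kB (%.1f%%)\n", b - a, (b - a) * 100 / a }'
}

# Reload N times and print the RSS after each reload.
measure_reloads() {
    n="$1"
    pid=$(cat "$PID_FILE") || return 1
    base=$(rss_kb "/proc/$pid/status") || return 1
    echo "baseline: $base kB"
    i=1
    while [ "$i" -le "$n" ]; do
        occtl -s "$OCCTL_SOCKET" reload >/dev/null || return 1
        sleep 2   # assumed settle time for the config to be re-read
        cur=$(rss_kb "/proc/$pid/status") || return 1
        echo "reload $i: $cur kB, growth $(growth "$base" "$cur")"
        i=$((i + 1))
    done
}

# Runs only when RELOADS is set, e.g.: RELOADS=10 sh reload-rss.sh
if [ -n "${RELOADS:-}" ]; then
    measure_reloads "$RELOADS"
fi
```

Running it once against each of the two configurations mentioned in the message (with and without the `enable-auth` line) gives directly comparable per-reload figures.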