Staff & Editor

Technical Tip: IKE daemon consumes high Memory after upgrade to v7.4.5

Forum|Forum|1 year ago
October 10, 2024
1 reply
2914 views

Description

This article describes an issue where the 'iked' daemon utilizes high memory after upgrading to v7.4.5.

Scope

FortiGate v7.4.5.

Solution

After upgrading to v7.4.5, a gradual increase in 'iked' memory usage is seen on both HUB and SPOKE FortiGates as shown below.

System time: Wed Sep 25 08:50:27 2024
usqpc01-wgn0011 # diag sys top-mem | grep iked
iked (202): 337949kB

System time: Wed Sep 25 09:02:07 2024
usqpc01-wgn0011 # diag sys top-mem | grep iked
iked (202): 342672kB

System time: Wed Sep 25 09:10:18 2024
usqpc01-wgn0011 # diag sys top-mem | grep iked
iked (202): 345762kB

System time: Wed Sep 25 09:18:37 2024
usqpc01-wgn0011 $ diag sys top-mem | grep iked
iked (202): 348364kB

System time: Wed Sep 25 09:29:35 2024
usqpc01-wgn0011 $ diag sys top-mem | grep iked
iked (202): 352514kB

The memory leak is triggered by any configuration update, including configuration updates not directly related to IPsec tunnels. iked memory use will increase in direct proportion to how frequently the device updates configuration.

The issue has been resolved in v7.4.6 and v7.6.1.

To report any new issues related to memory usage by the iked process, collect the following debug data before submitting a support request to the Fortinet Technical Support Team.

execute tac report
diagnose sys top-fd 50
fnsysctl ps aux
diagnose vpn ike counts
diagnose vpn ike errors
diagnose vpn ike stats
diagnose vpn ike status
diagnose vpn ipsec status
diagnose vpn tunnel list
diagnose sys cmdb info <----- Run a few times until 'last request time:' is changed.
fnsysctl ps