ssanga
Staff
Article Id 348350
Description This article describes an issue where the 'iked' daemon utilizes high memory after upgrading to v7.4.5.
Scope FortiGate v7.4.5.
Solution

After upgrading to v7.4.5, a gradual increase in 'iked' memory usage is seen on both HUB and SPOKE FortiGates as shown below.

System time: Wed Sep 25 08:50:27 2024
usqpc01-wgn0011 # diag sys top-mem | grep iked
iked (202): 337949kB

System time: Wed Sep 25 09:02:07 2024
usqpc01-wgn0011 # diag sys top-mem | grep iked
iked (202): 342672kB

System time: Wed Sep 25 09:10:18 2024
usqpc01-wgn0011 # diag sys top-mem | grep iked
iked (202): 345762kB

System time: Wed Sep 25 09:18:37 2024
usqpc01-wgn0011 $ diag sys top-mem | grep iked
iked (202): 348364kB

System time: Wed Sep 25 09:29:35 2024
usqpc01-wgn0011 $ diag sys top-mem | grep iked
iked (202): 352514kB

The memory leak is triggered by any configuration update, including configuration updates not directly related to IPsec tunnels. iked memory use will increase in direct proportion to how frequently the device updates configuration. The issue has been resolved in v7.4.6 (scheduled for release between December 10 and December 12, 2024) and v7.6.1 (scheduled for release between November 19 and November 21, 2024).


Note that these timelines for firmware release are estimates and may be subject to change. v7.2.x is not affected by this issue.
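The readings above are the evidence to look for when deciding whether a device is hitting this issue: a steadily rising 'iked' RSS while the PID stays the same. The following script is an added example, not part of this article or of any Fortinet tool. It parses pasted `diag sys top-mem | grep iked` output (the sample below is the article's own five readings, embedded as a constant), computes the growth rate in kB per minute, and flags a suspected leak when growth is monotonic and exceeds a threshold. The 100 kB/min threshold is an assumed value for the example; since the article states the rate scales with how often configuration is pushed, a real baseline must come from the device itself. A PID change is treated as a daemon restart, which resets memory and invalidates a straight-line estimate.

```python
import re
from datetime import datetime

# Constructed sample input: the five 'diag sys top-mem | grep iked' readings
# quoted in the article, in the format a FortiGate CLI session produces.
SAMPLE = """\
System time: Wed Sep 25 08:50:27 2024
usqpc01-wgn0011 # diag sys top-mem | grep iked
iked (202): 337949kB

System time: Wed Sep 25 09:02:07 2024
usqpc01-wgn0011 # diag sys top-mem | grep iked
iked (202): 342672kB

System time: Wed Sep 25 09:10:18 2024
usqpc01-wgn0011 # diag sys top-mem | grep iked
iked (202): 345762kB

System time: Wed Sep 25 09:18:37 2024
usqpc01-wgn0011 # diag sys top-mem | grep iked
iked (202): 348364kB

System time: Wed Sep 25 09:29:35 2024
usqpc01-wgn0011 # diag sys top-mem | grep iked
iked (202): 352514kB
"""

TIME_RE = re.compile(r"^System time:\s+(.+?)\s*$")
IKED_RE = re.compile(r"^iked \((\d+)\):\s+(\d+)kB\s*$")


def parse_samples(text):
    """Pair each 'System time:' line with the 'iked (pid): NkB' line after it.

    Returns a list of (timestamp, pid, kilobytes) tuples in file order.
    """
    samples = []
    pending_ts = None
    for raw in text.splitlines():
        line = raw.strip()
        m = TIME_RE.match(line)
        if m:
            pending_ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            continue
        m = IKED_RE.match(line)
        if m and pending_ts is not None:
            samples.append((pending_ts, int(m.group(1)), int(m.group(2))))
            pending_ts = None
    return samples


def growth_rate_kb_per_min(samples):
    """Average growth between the first and last reading, in kB per minute."""
    if len(samples) < 2:
        return 0.0
    (t0, _, kb0), (t1, _, kb1) = samples[0], samples[-1]
    minutes = (t1 - t0).total_seconds() / 60.0
    return (kb1 - kb0) / minutes if minutes > 0 else 0.0


def restart_seen(samples):
    """True if the iked PID changed between readings: the daemon was restarted,
    so its memory was reset and the readings are not one continuous series."""
    return len({pid for _, pid, _ in samples}) > 1


def is_monotonic_growth(samples, min_samples=3):
    """True if every reading is higher than the previous one and the PID never changed."""
    if len(samples) < min_samples or restart_seen(samples):
        return False
    return all(b[2] > a[2] for a, b in zip(samples, samples[1:]))


def assess(text, threshold_kb_per_min=100.0):
    """Summarise a pasted sample set. The default threshold is an assumed value
    chosen for this example, not a Fortinet figure; tune it to the device's
    own baseline, since the rate depends on how often configuration changes."""
    samples = parse_samples(text)
    rate = growth_rate_kb_per_min(samples)
    monotonic = is_monotonic_growth(samples)
    return {
        "readings": len(samples),
        "first_kb": samples[0][2] if samples else None,
        "last_kb": samples[-1][2] if samples else None,
        "rate_kb_per_min": round(rate, 1),
        "restart_seen": restart_seen(samples),
        "monotonic": monotonic,
        "leak_suspected": monotonic and rate >= threshold_kb_per_min,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
```

On the article's five readings this reports roughly 372 kB/min of steady growth with no restart, which is the pattern to capture (together with the debug data listed below) before opening a support request; a result with `restart_seen` set means the series must be collected again from a single iked lifetime.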

To report any new issues related to memory usage by the iked process, collect the following debug data before submitting a support request to the Fortinet Technical Support Team.

execute tac report
diagnose sys top-fd 50
fnsysctl ps aux
diag vpn ike counts
diag vpn ike errors
diag vpn ike stats
diag vpn ike status
diag vpn ipsec status
diag vpn tunnel list
diag sys cmdb info         <----- Run a few times until 'last request time:' is changed.
fnsysctl ps

IKE debugs:

diag debug console timestamp enable
diag debug app ike 127
diag debug enable
<Wait for 5 minutes>
diag debug disable

Export the configuration file of the FortiGate.

Comments
lcamilo
Staff

Great KB, kudos.