|
After upgrading to v7.4.5, a gradual increase in 'iked' memory usage is seen on both HUB and SPOKE FortiGates as shown below.
System time: Wed Sep 25 08:50:27 2024
usqpc01-wgn0011 # diag sys top-mem | grep iked
iked (202): 337949kB
System time: Wed Sep 25 09:02:07 2024
usqpc01-wgn0011 # diag sys top-mem | grep iked
iked (202): 342672kB
System time: Wed Sep 25 09:10:18 2024
usqpc01-wgn0011 # diag sys top-mem | grep iked
iked (202): 345762kB
System time: Wed Sep 25 09:18:37 2024
usqpc01-wgn0011 $ diag sys top-mem | grep iked
iked (202): 348364kB
System time: Wed Sep 25 09:29:35 2024
usqpc01-wgn0011 $ diag sys top-mem | grep iked
iked (202): 352514kB
The memory leak is triggered by any configuration update, including configuration updates not directly related to IPsec tunnels. iked memory use will increase in direct proportion to how frequently the device updates configuration.
The issue has been resolved in v7.4.6 and v7.6.1.
To report any new issues related to memory usage by the iked process, collect the following debug data before submitting a support request to the Fortinet Technical Support Team.
execute tac report
diagnose sys top-fd 50
fnsysctl ps aux
diagnose vpn ike counts
diagnose vpn ike errors
diagnose vpn ike stats
diagnose vpn ike status
diagnose vpn ipsec status
diagnose vpn tunnel list
diagnose sys cmdb info <----- Run a few times until 'last request time:' is changed.
fnsysctl ps
IKE debugs:
diagnose debug console timestamp enable
diagnose debug app ike 127
diagnose debug enable
<Wait for 5minutes>
To stop the Debug, use these commands:
diagnose debug disable
diagnose debug reset
Export the configuration file of the FortiGate.
|
