Freebsd Stable 6.x ipsec slower than with 4.9
Sam Leffler
sam at errno.com
Wed Apr 26 17:30:03 UTC 2006
Stephen Clark wrote:
> Mike Tancsa wrote:
>
>> At 01:02 PM 25/04/2006, Stephen Clark wrote:
>>
>>
>>
>>>> Try first
>>>> sysctl -w net.inet.tcp.inflight.enable=0
>>>>
>>>> If its still slower, try using FAST_IPSEC instead on the server.
>>>> However, make sure you disable INET6
>>>>
>>> That increased it to 39mbits/sec. Still far from 54mbits/sec
>>>
>>
>> Are all of the TCP params (compare sysctl -a net.inet.tcp on both )and
>> application defaults still the same on both systems ? One that that
>> for sure is not in RELENG_4 is SACK. Try disabling that and see if
>> there is a difference.
>>
>> ---Mike
>>
>>
>>
> I checked the sysctl's between the two system and where the match they
> are the same. The raw transfer rate ~94mbits/sec is the same as I was
> getting between the systems when they were both 4.9. The real
> difference appears to be in ipsec. The other thing that is interesting
> is the idle time when I am running this test on the 6.x system is about
> 70% when it was a 4.9 system getting 54mbits/sec the idle time was only
> 50-55%.
>
> I am reluctant to try fast ipsec because of problems I had when I tried
> it under 4.9, it didn't work with our existing sites.
There are known locking bottlenecks in the crypto subsystem that fast
ipsec depends on. This is consistent with idle time going up.
Not sure when they'll be fixed but I know they're important to at least
one person.
Sam
More information about the freebsd-stable
mailing list