Freebsd Stable 6.x ipsec slower than with 4.9
Stephen Clark
Stephen.Clark at seclark.us
Wed Apr 26 21:16:13 UTC 2006
Stephen Clark wrote:
>Sam Leffler wrote:
>
>
>
>>Stephen Clark wrote:
>>
>>
>>
>>
>>>Mike Tancsa wrote:
>>>
>>>
>>>
>>>
>>>
>>>>At 01:02 PM 25/04/2006, Stephen Clark wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>>Try first
>>>>>>sysctl -w net.inet.tcp.inflight.enable=0
>>>>>>
>>>>>>If its still slower, try using FAST_IPSEC instead on the server.
>>>>>>However, make sure you disable INET6
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>That increased it to 39mbits/sec. Still far from 54mbits/sec
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>Are all of the TCP params (compare sysctl -a net.inet.tcp on both )and
>>>>application defaults still the same on both systems ? One that that
>>>>for sure is not in RELENG_4 is SACK. Try disabling that and see if
>>>>there is a difference.
>>>>
>>>> ---Mike
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>I checked the sysctl's between the two system and where the match they
>>>are the same. The raw transfer rate ~94mbits/sec is the same as I was
>>>getting between the systems when they were both 4.9. The real
>>>difference appears to be in ipsec. The other thing that is interesting
>>>is the idle time when I am running this test on the 6.x system is about
>>>70% when it was a 4.9 system getting 54mbits/sec the idle time was only
>>>50-55%.
>>>
>>>I am reluctant to try fast ipsec because of problems I had when I tried
>>>it under 4.9, it didn't work with our existing sites.
>>>
>>>
>>>
>>>
>>There are known locking bottlenecks in the crypto subsystem that fast
>>ipsec depends on. This is consistent with idle time going up.
>>
>>Not sure when they'll be fixed but I know they're important to at least
>>one person.
>>
>> Sam
>>_______________________________________________
>>freebsd-stable at freebsd.org mailing list
>>http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>>To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
>>
>>
>>
>>
>>
>Hi Sam,
>
>I am going to try the fast ipsec.
>
>Regards,
>Steve
>
>
Good news with fast ipsec I am back to 53mbits/sec.
Thanks everyone,
Steve
--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
More information about the freebsd-stable
mailing list