Freebsd Stable 6.x ipsec slower than with 4.9

Stephen Clark Stephen.Clark at seclark.us
Thu Apr 27 00:30:41 UTC 2006


Stephen Clark wrote:

>Stephen Clark wrote:
>
>>Sam Leffler wrote:
>>
>>>Stephen Clark wrote:
>>>
>>>>Mike Tancsa wrote:
>>>>
>>>>>At 01:02 PM 25/04/2006, Stephen Clark wrote:
>>>>>
>>>>>>>Try first
>>>>>>>sysctl -w net.inet.tcp.inflight.enable=0
>>>>>>>
>>>>>>>If it's still slower, try using FAST_IPSEC instead on the server.
>>>>>>>However, make sure you disable INET6
>>>>>>>
>>>>>>That increased it to 39mbits/sec. Still far from 54mbits/sec
>>>>>>
>>>>>Are all of the TCP params (compare sysctl -a net.inet.tcp on both) and
>>>>>application defaults still the same on both systems? One thing that
>>>>>for sure is not in RELENG_4 is SACK. Try disabling that and see if
>>>>>there is a difference.
>>>>>
>>>>>      ---Mike
>>>>>
>>>>I checked the sysctls between the two systems and where they match they
>>>>are the same. The raw transfer rate ~94mbits/sec is the same as I was
>>>>getting between the systems when they were both 4.9.  The real
>>>>difference appears to be in ipsec. The other thing that is interesting
>>>>is the idle time when I am running this test on the 6.x system is about
>>>>70%; when it was a 4.9 system getting 54mbits/sec the idle time was only
>>>>50-55%.
>>>>
>>>>I am reluctant to try fast ipsec because of problems I had when I tried
>>>>it under 4.9; it didn't work with our existing sites.
>>>>
>>>There are known locking bottlenecks in the crypto subsystem that fast 
>>>ipsec depends on.  This is consistent with idle time going up.
>>>
>>>Not sure when they'll be fixed but I know they're important to at least 
>>>one person.
>>>
>>>	Sam
>>>
>>Hi Sam,
>>
>>I am going to try the fast ipsec.
>>
>>Regards,
>>Steve
>
>Good news: with fast ipsec I am back to 53mbits/sec.
>
>Thanks everyone,
>Steve
>

New info: when I tried sending data across the gre/vpns I get the
following messages, which I did not get with kame ipsec. Any ideas, anyone?

Apr 26 20:24:43 J301001 kernel: gre15: gre_output: recursively called too many times(2)
Apr 26 20:24:52 J301001 kernel: gre71: gre_output: recursively called too many times(2)
Apr 26 20:24:54 J301001 kernel: gre39: gre_output: recursively called too many times(2)
Apr 26 20:24:55 J301001 kernel: gre43: gre_output: recursively called too many times(2)
Apr 26 20:24:59 J301001 kernel: gre97: gre_output: recursively called too many times(2)
Apr 26 20:25:16 J301001 kernel: gre97: gre_output: recursively called too many times(2)

-- 

"They that give up essential liberty to obtain temporary safety, 
deserve neither liberty nor safety."  (Ben Franklin)

"The course of history shows that as a government grows, liberty 
decreases."  (Thomas Jefferson)




