Date:      Fri, 22 Dec 2017 05:20:47 +0700
From:      Eugene Grosbein <eugen@grosbein.net>
To:        Michael Grimm <trashcan@ellael.org>
Cc:        Kristof Provost <kristof@sigsegv.be>, freebsd-net@freebsd.org, freebsd-jail@FreeBSD.org
Subject:   Re: performance issue within VNET jail
Message-ID:  <5A3C33BF.9050902@grosbein.net>
In-Reply-To: <5DAD8B80-FE3C-49D2-A645-EE144474D5FE@ellael.org>
References:  <4F5EE3F6-0163-4435-8726-56B0D4AE9FAF@ellael.org> <B6446660-9FD2-4C28-A3A2-8AC99624C7FF@sigsegv.be> <8102F5FD-DCFC-4EF8-A443-9E6C9EB1F467@ellael.org> <DB5DE737-7171-4953-AF98-45F1BE7AF09E@sigsegv.be> <BE008733-5AD8-4DAC-A6A5-BC3FCEC16202@ellael.org> <5A3C2C42.6060904@grosbein.net> <5DAD8B80-FE3C-49D2-A645-EE144474D5FE@ellael.org>


22.12.2017 4:59, Michael Grimm wrote:

>> Make sure and double check that your ESP packets do not get fragmented.
> 
> 
> Hmm, I do not know how to achieve that. May the following tcpdump excerpts answer your question, or do you want me to look somewhere else?
> 
> At hostA while downloading from hostB/jailX and "tcpdump -i extIF esp -vv"
> 
> 22:52:42.341023 IP (tos 0x0, ttl 64, id 40481, offset 0, flags [none], proto ESP (50), length 140)
>     hostA > hostB: ESP(spi=0x01d9ec34,seq=0x5fe699), length 120
> 22:52:42.341079 IP (tos 0x0, ttl 53, id 64310, offset 1480, flags [none], proto ESP (50), length 100)
>     hostB > hostA: ip-proto-50

It shows non-zero offsets, so your ESP packets *are* fragmented.
I guess this is the reason for your problems, as fragmented ESP packets are known to cause problems
due to different reasons. The simplest way to avoid such issues is to decrease the MTU of the IPSEC tunnel
and/or TCP MSS so that encapsulated ESP packets do not get fragmented.
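
Added example, not part of the original message: a small Python parser that reads `tcpdump -vv` output in the format quoted above and reports which ESP packets are IP fragments (non-zero offset, or the more-fragments flag that tcpdump prints as `+`). The function name and the middle sample record are constructed for illustration; the other two records are the ones from the excerpt.

```python
import re

# Header line of a `tcpdump -vv` IPv4 record carrying ESP (protocol 50).
HEADER = re.compile(
    r"^(?P<ts>\S+) IP \(.*?\bid (?P<id>\d+), offset (?P<off>\d+), "
    r"flags \[(?P<flags>[^\]]*)\], proto ESP \(50\), length (?P<len>\d+)\)"
)
# Indented continuation line: "    src > dst: ..."
ADDRS = re.compile(r"^\s+(?P<src>\S+) > (?P<dst>[^:\s]+):")


def esp_fragments(text):
    """Return one dict per ESP packet that is an IP fragment."""
    found, pending = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            flags = {f.strip() for f in m["flags"].split(",")}
            off = int(m["off"])
            more = "+" in flags  # tcpdump prints the MF bit as "+"
            pending = None
            if off > 0 or more:
                pending = {"time": m["ts"], "ip_id": int(m["id"]),
                           "offset": off, "more_fragments": more,
                           "length": int(m["len"])}
            continue
        a = ADDRS.match(line)
        if a and pending:
            pending.update(src=a["src"], dst=a["dst"])
            found.append(pending)
            pending = None
    return found


# Records 1 and 3 are from the excerpt; record 2 (the first fragment of
# datagram 64310, including its spi/seq values) is constructed.
SAMPLE = """\
22:52:42.341023 IP (tos 0x0, ttl 64, id 40481, offset 0, flags [none], proto ESP (50), length 140)
    hostA > hostB: ESP(spi=0x01d9ec34,seq=0x5fe699), length 120
22:52:42.341070 IP (tos 0x0, ttl 53, id 64310, offset 0, flags [+], proto ESP (50), length 1500)
    hostB > hostA: ESP(spi=0x0c0ffee0,seq=0x1a2b3c), length 1480
22:52:42.341079 IP (tos 0x0, ttl 53, id 64310, offset 1480, flags [none], proto ESP (50), length 100)
    hostB > hostA: ip-proto-50
"""

if __name__ == "__main__":
    for frag in esp_fragments(SAMPLE):
        print(frag)
```

Only the hostB to hostA direction is reported here, which is the direction whose MTU or MSS would need lowering.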


