From owner-freebsd-net@freebsd.org  Thu Oct 17 10:24:02 2019
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 4307414D4F1
 for <freebsd-net@mailman.nyi.freebsd.org>;
 Thu, 17 Oct 2019 10:24:02 +0000 (UTC)
 (envelope-from eugen@grosbein.net)
Received: from hz.grosbein.net (hz.grosbein.net [IPv6:2a01:4f8:c2c:26d8::2])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "hz.grosbein.net", Issuer "hz.grosbein.net" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 46v4yT3npkz43sK
 for <freebsd-net@freebsd.org>; Thu, 17 Oct 2019 10:24:01 +0000 (UTC)
 (envelope-from eugen@grosbein.net)
X-Envelope-From: eugen@grosbein.net
X-Envelope-To: freebsd-net@freebsd.org
Received: from [10.58.0.4] (188-123-32-240.rdtc.ru [188.123.32.240] (may be
 forged))
 by hz.grosbein.net (8.15.2/8.15.2) with ESMTPS id x9HANu7h086164
 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT);
 Thu, 17 Oct 2019 10:23:57 GMT (envelope-from eugen@grosbein.net)
Subject: Re: ipsec on multicore VM
To: Victor Gamov <vit@otcnet.ru>, freebsd-net@freebsd.org
References: <b2d9de74-294d-9a9c-cd8f-8b294776a7f3@otcnet.ru>
From: Eugene Grosbein <eugen@grosbein.net>
Message-ID: <60e6d692-ed74-9aa3-98b0-24d13eb61be7@grosbein.net>
Date: Thu, 17 Oct 2019 17:23:55 +0700
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <b2d9de74-294d-9a9c-cd8f-8b294776a7f3@otcnet.ru>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=0.1 required=5.0 tests=ALL_TRUSTED,BAYES_00,
 DATE_IN_FUTURE_96_Q,LOCAL_FROM autolearn=no autolearn_force=no
 version=3.4.2
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
 * -2.3 BAYES_00 BODY: Bayes spam probability is 0 to 1%
 *      [score: 0.0000]
 *  0.8 DATE_IN_FUTURE_96_Q Date: is 4 days to 4 months after Received:
 *       date *  2.6 LOCAL_FROM From my domains
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on hz.grosbein.net
X-Rspamd-Queue-Id: 46v4yT3npkz43sK
X-Spamd-Bar: ---
Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none;
 spf=permerror (mx1.freebsd.org: domain of eugen@grosbein.net uses mechanism
 not recognized by this client) smtp.mailfrom=eugen@grosbein.net
X-Spamd-Result: default: False [-3.70 / 15.00]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; FROM_HAS_DN(0.00)[];
 TO_DN_SOME(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0];
 MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[grosbein.net];
 TO_MATCH_ENVRCPT_SOME(0.00)[]; R_SPF_PERMFAIL(0.00)[];
 RCPT_COUNT_TWO(0.00)[2];
 IP_SCORE(-1.60)[ip: (-4.08), ipnet: 2a01:4f8::/29(-2.11), asn: 24940(-1.81),
 country: DE(-0.01)]; FROM_EQ_ENVFROM(0.00)[];
 R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:24940, ipnet:2a01:4f8::/29, country:DE];
 MID_RHS_MATCH_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[];
 RCVD_COUNT_TWO(0.00)[2]
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Oct 2019 10:24:02 -0000

09.10.2019 2:05, Victor Gamov wrote:

> I have FreeBSD 11.2-STABLE #0 r343863 VM with 2 CPU and vxnet3 NIC. This host uses many if_ipsec and strongswan-5.7.2 to make site-to-site ipsec connections.
> 
> When I use `tcpdump -nn -i <ext_iface> src <site1_ext_ip> and esp` then I got many reordered IPsec packets.
> 
> Does tcpdump give me a real picture and I have reordering somewhere "on the wire" or packets may be reordered due more then one CPU read packets from NIC ?

You may easily verify your suspiction disabling SMP inside the guest system temporary:

nextboot -k kernel
echo kern.smp.disabled=1 >> /boot/nextboot.conf
shutdown -r now

This way, the system will perform one-time boot with all cores but one disabled.
Should it experience any problems booting this way, another reset of the VM will boot it normally,
otherwise try running tcpdump while single CPU is used by kernel.