From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 202885] IPsec performance problems with fragmented ESP and packet loss
Date: Fri, 04 Sep 2015 03:15:43 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202885

Bug ID: 202885
Summary: IPsec performance problems with fragmented ESP and packet loss
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: cmb@pfsense.org

Take the following setup:

    [LAN A] -- (host A) -- [WAN] -- (host B) -- [LAN B]

Where "host A" and "host B" are 11-CURRENT boxes as of Sept 2, running GENERIC-NODEBUG.

Set up an IPsec tunnel between the two, to route between LAN A and B. Doesn't matter what specifics are used in the IPsec config.

Where hosts on the LAN sides have their MTU at 1500, so ESP traffic ends up being fragmented, and there is packet loss on WAN, serious performance problems are encountered. With no loss on WAN, no issue.

Do the following on host A:

    ipfw pipe 1 config 100Mbit/s
    ipfw pipe 2 config 100Mbit/s
    ipfw add 10 pipe 1 ip from any to 1.2.3.4
    ipfw add 11 pipe 2 ip from 1.2.3.4 to any

where its WAN IP is 1.2.3.4, and push some traffic over the VPN. I'm doing 'fetch -o /dev/null ...' from a web server on the opposite side. Your throughput drops off to near 0 repeatedly. Wireshark I/O graph showing this:
https://files.pfsense.org/cmb/100m-limit-frag.png

Change the MTU on the LAN hosts to 1350 to eliminate ESP fragmentation and you get the expected steady throughput:
https://files.pfsense.org/cmb/100m-limit-no-frag.png
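
Added example, not part of the original report: a calculation of why a 1500-byte inner packet is fragmented once ESP-encapsulated while a 1350-byte one is not. The report says the IPsec specifics do not matter, so the parameters here are assumptions: IPv4 tunnel mode, AES-CBC with HMAC-SHA1-96, no NAT-T, WAN MTU 1500.

```python
import math

# Assumed parameters (not from the report; adjust for the tunnel in use).
OUTER_IP = 20      # outer IPv4 header, no options
ESP_HDR = 8        # SPI + sequence number
IV_LEN = 16        # AES-CBC IV
BLOCK = 16         # AES block size; payload + trailer is padded to this
ESP_TRAILER = 2    # pad-length and next-header bytes
ICV_LEN = 12       # HMAC-SHA1-96 integrity check value
WAN_MTU = 1500


def esp_packet_size(inner_len):
    """Size of the outer IPv4 packet carrying one inner packet in tunnel mode."""
    padded = math.ceil((inner_len + ESP_TRAILER) / BLOCK) * BLOCK
    return OUTER_IP + ESP_HDR + IV_LEN + padded + ICV_LEN


def fragment_count(packet_len, mtu=WAN_MTU):
    """Number of IPv4 fragments needed to send packet_len over a link with this MTU."""
    if packet_len <= mtu:
        return 1
    # Every fragment except the last carries a payload that is a multiple of 8.
    per_fragment = (mtu - OUTER_IP) // 8 * 8
    return math.ceil((packet_len - OUTER_IP) / per_fragment)


def largest_unfragmented_inner(mtu=WAN_MTU):
    """Largest inner packet whose ESP encapsulation still fits in one WAN packet."""
    return max(n for n in range(68, mtu + 1) if esp_packet_size(n) <= mtu)


if __name__ == "__main__":
    for lan_mtu in (1500, 1350):   # the two LAN MTUs tested in the report
        size = esp_packet_size(lan_mtu)
        print(f"LAN MTU {lan_mtu}: ESP packet {size} bytes, "
              f"{fragment_count(size)} fragment(s)")
    print("largest inner packet without fragmentation:",
          largest_unfragmented_inner())
```

With other ciphers or with NAT-T (UDP encapsulation) the overhead differs, so the threshold moves; the 1350 used in the report leaves margin under these assumptions.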