Date: Thu, 21 Dec 2017 23:34:56 +0100
From: Michael Grimm <trashcan@ellael.org>
To: Eugene Grosbein <eugen@grosbein.net>
Cc: freebsd-jail@FreeBSD.org, freebsd-net@freebsd.org
Subject: Re: performance issue within VNET jail
Message-ID: <998F52B1-F07C-4A2D-ABB5-3F86D7D4BD09@ellael.org>
In-Reply-To: <5A3C33BF.9050902@grosbein.net>
References: <4F5EE3F6-0163-4435-8726-56B0D4AE9FAF@ellael.org> <B6446660-9FD2-4C28-A3A2-8AC99624C7FF@sigsegv.be> <8102F5FD-DCFC-4EF8-A443-9E6C9EB1F467@ellael.org> <DB5DE737-7171-4953-AF98-45F1BE7AF09E@sigsegv.be> <BE008733-5AD8-4DAC-A6A5-BC3FCEC16202@ellael.org> <5A3C2C42.6060904@grosbein.net> <5DAD8B80-FE3C-49D2-A645-EE144474D5FE@ellael.org> <5A3C33BF.9050902@grosbein.net>

Eugene Grosbein <eugen@grosbein.net> wrote:

> 22.12.2017 4:59, Michael Grimm wrote:
>>> Make sure and double check that your ESP packets do not get fragmented.
>>
>> Hmm, I do not know how to achieve that. May the following tcpdump excerpts answer your question, or do you want me to look somewhere else?
>>
>> At hostA while downloading from hostB/jailX and "tcpdump -i extIF esp -vv"
>>
>> 22:52:42.341023 IP (tos 0x0, ttl 64, id 40481, offset 0, flags [none], proto ESP (50), length 140)
>> hostA > hostB: ESP(spi=0x01d9ec34,seq=0x5fe699), length 120
>> 22:52:42.341079 IP (tos 0x0, ttl 53, id 64310, offset 1480, flags [none], proto ESP (50), length 100)
>> hostB > hostA: ip-proto-50
>
> It shows non-zero offsets, so your ESP packets *are* fragmented.
> I guess, this is the reason of your problems as fragmented ESP packets are known to cause problems
> due to different reasons. Simplest way to avoid such issues is to decrease MTU of IPSEC tunnel
> and/or TCP MSS so that encapsulated ESP packets do not get fragmented.

Well, you already helped me out with IPSEC very recently, and I already did decrease my MTU from 1500 to 1490. That increased my tunnel performance dramatically, already. Thanks, I will decrease MTU further.

BUT: In this thread I did report that I already had decreased MTU for testing purposes on all involved interfaces down to 1400 to no avail, and that my performance issue is regarding downloads within VNET jails using TCP, not ESP. The very same external interfaces do not show a performance drop if connected via ESP tunnel, but when trying to download files from the internet, and only when the download is started within a VNET jail. At the host downloads are only limited by the bandwidth provided by the hosting company.

BUT: It might well be that I did completely misunderstand your reply instead ;-)

Thanks and regards,
Michael
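
The fragmentation check discussed in the quoted exchange (a non-zero `offset` in `tcpdump -vv` output), as an added example that is not part of the original e-mail: it scans verbose tcpdump text for IPv4 fragments carrying ESP and, for a final fragment, derives the size of the unfragmented datagram. The function name `find_fragments` is hypothetical, and the sample input is constructed (two packets modelled on the quoted excerpt, plus one made-up first fragment).

```python
import re

# Constructed sample: the first two packets are modelled on the tcpdump output
# quoted in the message; the third (MF flag "+", spi, seq) is made up.
SAMPLE = """\
22:52:42.341023 IP (tos 0x0, ttl 64, id 40481, offset 0, flags [none], proto ESP (50), length 140)
    hostA > hostB: ESP(spi=0x01d9ec34,seq=0x5fe699), length 120
22:52:42.341079 IP (tos 0x0, ttl 53, id 64310, offset 1480, flags [none], proto ESP (50), length 100)
    hostB > hostA: ip-proto-50
22:52:43.000000 IP (tos 0x0, ttl 53, id 64311, offset 0, flags [+], proto ESP (50), length 1500)
    hostB > hostA: ESP(spi=0x0badc0de,seq=0x1), length 1480
"""

HDR = re.compile(r"^(?P<ts>\S+) IP \(.*?\bid (?P<id>\d+), offset (?P<off>\d+), "
                 r"flags \[(?P<flags>[^\]]*)\], proto \S+ \((?P<num>\d+)\), "
                 r"length (?P<len>\d+)\)")
ADDR = re.compile(r"^\s+(?P<src>\S+) > (?P<dst>\S+?):")

def find_fragments(text, proto_num=50):
    """Return one dict per IPv4 fragment of the given protocol (50 = ESP)."""
    frags, pending = [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            flags = [f.strip() for f in m["flags"].split(",")]
            off, more = int(m["off"]), "+" in flags   # "+" is tcpdump's MF flag
            pending = None
            if int(m["num"]) == proto_num and (off > 0 or more):
                pending = {
                    "ts": m["ts"], "id": int(m["id"]), "offset": off, "more": more,
                    # Last fragment: offset + length = size of the unfragmented datagram.
                    "orig_len": None if more else off + int(m["len"]),
                }
            continue
        a = ADDR.match(line)
        if a and pending:
            frags.append({**pending, "src": a["src"], "dst": a["dst"]})
            pending = None
    return frags

if __name__ == "__main__":
    for f in find_fragments(SAMPLE):
        print(f)
```

For the packet with offset 1480 and length 100, `orig_len` comes out as 1580 bytes, which is the size the sender's ESP datagram had before it was split.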