Date: Wed, 26 Apr 2006 20:30:38 -0400 From: Stephen Clark <Stephen.Clark@seclark.us> To: Stephen.Clark@seclark.us Cc: stable@freebsd.org, Robert Watson <rwatson@FreeBSD.org> Subject: Re: Freebsd Stable 6.x ipsec slower than with 4.9 Message-ID: <445010AE.6040401@seclark.us> In-Reply-To: <444FE31A.7030803@seclark.us> References: <444E2503.9090506@seclark.us> <6.2.3.4.0.20060425093417.068dfc08@64.7.153.2> <444E5608.4050704@seclark.us> <6.2.3.4.0.20060425134955.051d58d0@64.7.153.2> <444F750C.7070206@seclark.us> <444FAE19.3060404@errno.com> <444FD105.1050108@seclark.us> <444FE31A.7030803@seclark.us>
next in thread | previous in thread | raw e-mail | index | archive | help
Stephen Clark wrote: >Stephen Clark wrote: > > > >>Sam Leffler wrote: >> >> >> >> >> >>>Stephen Clark wrote: >>> >>> >>> >>> >>> >>> >>>>Mike Tancsa wrote: >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>>>At 01:02 PM 25/04/2006, Stephen Clark wrote: >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>>>Try first >>>>>>>sysctl -w net.inet.tcp.inflight.enable=0 >>>>>>> >>>>>>>If its still slower, try using FAST_IPSEC instead on the server. >>>>>>>However, make sure you disable INET6 >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>That increased it to 39mbits/sec. Still far from 54mbits/sec >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>Are all of the TCP params (compare sysctl -a net.inet.tcp on both )and >>>>>application defaults still the same on both systems ? One that that >>>>>for sure is not in RELENG_4 is SACK. Try disabling that and see if >>>>>there is a difference. >>>>> >>>>> ---Mike >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>I checked the sysctl's between the two system and where the match they >>>>are the same. The raw transfer rate ~94mbits/sec is the same as I was >>>>getting between the systems when they were both 4.9. The real >>>>difference appears to be in ipsec. The other thing that is interesting >>>>is the idle time when I am running this test on the 6.x system is about >>>>70% when it was a 4.9 system getting 54mbits/sec the idle time was only >>>>50-55%. >>>> >>>>I am reluctant to try fast ipsec because of problems I had when I tried >>>>it under 4.9, it didn't work with our existing sites. >>>> >>>> >>>> >>>> >>>> >>>> >>>There are known locking bottlenecks in the crypto subsystem that fast >>>ipsec depends on. This is consistent with idle time going up. >>> >>>Not sure when they'll be fixed but I know they're important to at least >>>one person. >>> >>> Sam >>>_______________________________________________ >>>freebsd-stable@freebsd.org mailing list >>>http://lists.freebsd.org/mailman/listinfo/freebsd-stable >>>To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org" >>> >>> >>> >>> >>> >>> >>> >>Hi Sam, >> >>I am going to try the fast ipsec. >> >>Regards, >>Steve >> >> >> >> > > > > >Good news with fast ipsec I am back to 53mbits/sec. > >Thanks everyone, >Steve > > > New Info when I tried sending data across the gre/vpns I get the following messages which I did not get with kame ipsec. Any ideas anyone? Apr 26 20:24:43 J301001 kernel: gre15: gre_output: recursively called too many times(2) Apr 26 20:24:52 J301001 kernel: gre71: gre_output: recursively called too many times(2) Apr 26 20:24:54 J301001 kernel: gre39: gre_output: recursively called too many times(2) Apr 26 20:24:55 J301001 kernel: gre43: gre_output: recursively called too many times(2) Apr 26 20:24:59 J301001 kernel: gre97: gre_output: recursively called too many times(2) Apr 26 20:25:16 J301001 kernel: gre97: gre_output: recursively called too many times(2) -- "They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety." (Ben Franklin) "The course of history shows that as a government grows, liberty decreases." (Thomas Jefferson)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?445010AE.6040401>