 From:  "Kristian Shaw" <monowall at wealdclose dot co dot uk>
 To:  "Nathaniel Irons" <ndi dash l at bumppo dot net>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] our pokey VPN
 Date:  Fri, 23 Jun 2006 19:21:32 +0100

Hello,

The only thing I can think of is that perhaps the bonded connection 
occasionally delivers packets out of order?

I would imagine that on a speed test you would be generating 1500 (+) byte 
packets which will get fragmented when encrypted, so the drop of a fragment 
would cause the whole original packet to be dropped. I am not sure what 
FreeBSD does when it encounters out of order IPSEC packets.

Do you see packet loss across the VPN connection?

Regards,

Kris.

----- Original Message ----- 
From: "Nathaniel Irons" <ndi dash l at bumppo dot net>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Friday, June 23, 2006 6:56 PM
Subject: Re: [m0n0wall] our pokey VPN


Chris Buechler (cbuechler at gmail dot com) wrote on 6/22/06, 12:59 PM:

> Indeed an issue.  That's so unbelievably slow that it's hard to
> imagine it maxing out the hardware...  When you're doing this, what
> does the CPU graph show?  It should be CPU bound when it hits its peak
> (if it isn't bound by the network connection of either side).

When I tested this last night, over the VPN, the CPU was hovering between
1 and 2 percent utilization. When I run iperf from home to office, at
about 700 Kbit/sec, CPU use went up to about 5 or 6 percent. When going
from office to home at about 35 Kbit/sec, it went up to 4 or 5 percent. So
assuming the graph is accurate, it doesn't look like CPU is the problem.

> One other thing I can think of, check the Status->Interfaces page for
> errors on any of your interfaces.  Though that's much more likely to
> cause general throughput issues, nothing specific to VPN.

I rebooted last weekend, for the first time since the T1 upgrade. All
three interfaces are reporting zero errors since then. Ordinarily that
would sound like good news.

Any suggestions on where to take the inquiry from here?

Thanks,

  -nat
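
Added example, not part of the original messages: a size model for the fragmentation effect Kris describes, showing when a full-size packet exceeds the path MTU after ESP tunnel-mode encapsulation and how fragment loss compounds into packet loss. The cipher and hash parameters, the 1500-byte MTU and the 2% loss figure are assumptions; the thread does not state the tunnel's settings.

```python
import math

# ESP tunnel-mode size model (RFC 4303) over IPv4, without NAT-T.
# Cipher parameters are assumptions; the thread does not say which
# proposal the tunnel uses.
OUTER_IP = 20      # outer IPv4 header, no options
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
CIPHERS = {        # name: (block size, IV length) in bytes
    "3des-cbc": (8, 8),
    "aes-cbc": (16, 16),
}
ICV = 12           # truncated HMAC (HMAC-SHA1-96 / HMAC-MD5-96)


def esp_packet_size(inner_len, cipher):
    """Total outer IPv4 packet length for one inner packet of inner_len bytes."""
    block, iv = CIPHERS[cipher]
    # Inner packet plus trailer is padded up to a whole cipher block.
    ciphertext = math.ceil((inner_len + ESP_TRAILER) / block) * block
    return OUTER_IP + ESP_HDR + iv + ciphertext + ICV


def fragment_count(packet_len, mtu=1500):
    """Number of IPv4 fragments needed to carry packet_len over a link MTU."""
    if packet_len <= mtu:
        return 1
    per_frag = (mtu - 20) // 8 * 8   # fragment payload is a multiple of 8
    return math.ceil((packet_len - 20) / per_frag)


def max_unfragmented_inner(cipher, mtu=1500):
    """Largest inner packet whose ESP packet still fits in one outer packet."""
    block, iv = CIPHERS[cipher]
    room = mtu - OUTER_IP - ESP_HDR - iv - ICV
    return room // block * block - ESP_TRAILER


def delivery_probability(fragments, fragment_loss):
    """Chance the inner packet survives if fragments are lost independently."""
    return (1 - fragment_loss) ** fragments


if __name__ == "__main__":
    for name in CIPHERS:
        size = esp_packet_size(1500, name)
        n = fragment_count(size)
        print(name, size, n, max_unfragmented_inner(name),
              round(delivery_probability(n, 0.02), 4))
```

Under these assumptions a 1500-byte inner packet always leaves the tunnel endpoint as two fragments, so lowering the inner MTU or clamping TCP MSS below the computed limit avoids the doubled loss exposure.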
