Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 26 Apr 2006 17:16:10 -0400
From:      Stephen Clark <Stephen.Clark@seclark.us>
To:        Stephen.Clark@seclark.us
Cc:        stable@freebsd.org, Robert Watson <rwatson@FreeBSD.org>
Subject:   Re: Freebsd Stable 6.x ipsec slower than with 4.9
Message-ID:  <444FE31A.7030803@seclark.us>
In-Reply-To: <444FD105.1050108@seclark.us>
References:  <444E2503.9090506@seclark.us>	<6.2.3.4.0.20060425093417.068dfc08@64.7.153.2>	<444E5608.4050704@seclark.us>	<6.2.3.4.0.20060425134955.051d58d0@64.7.153.2>	<444F750C.7070206@seclark.us>	<444FAE19.3060404@errno.com> <444FD105.1050108@seclark.us>

next in thread | previous in thread | raw e-mail | index | archive | help
Stephen Clark wrote:

>Sam Leffler wrote:
>
>  
>
>>Stephen Clark wrote:
>> 
>>
>>    
>>
>>>Mike Tancsa wrote:
>>>
>>>   
>>>
>>>      
>>>
>>>>At 01:02 PM 25/04/2006, Stephen Clark wrote:
>>>>
>>>>
>>>>
>>>>     
>>>>
>>>>        
>>>>
>>>>>>Try first
>>>>>>sysctl -w net.inet.tcp.inflight.enable=0
>>>>>>
>>>>>>If its still slower, try using FAST_IPSEC instead on the server.  
>>>>>>However, make sure you disable INET6
>>>>>>   
>>>>>>         
>>>>>>
>>>>>>            
>>>>>>
>>>>>That increased it to 39mbits/sec. Still far from 54mbits/sec
>>>>> 
>>>>>       
>>>>>
>>>>>          
>>>>>
>>>>Are all of the TCP params (compare sysctl -a net.inet.tcp on both )and 
>>>>application defaults still the same on both systems ?   One that that 
>>>>for sure is not in RELENG_4 is SACK. Try disabling that and see if 
>>>>there is a difference.
>>>>
>>>>       ---Mike
>>>>
>>>>
>>>>
>>>>     
>>>>
>>>>        
>>>>
>>>I checked the sysctl's between the two system and where the match they 
>>>are the same. The raw transfer rate ~94mbits/sec is the same as I was 
>>>getting between the systems when they were both 4.9.  The real 
>>>difference appears to be in ipsec. The other thing that is interesting 
>>>is the idle time when I am running this test on the 6.x system is about 
>>>70% when it was a 4.9 system getting 54mbits/sec the idle time was only 
>>>50-55%.
>>>
>>>I am reluctant to try fast ipsec because of problems I had when I tried 
>>>it under 4.9, it didn't work with our existing sites.
>>>   
>>>
>>>      
>>>
>>There are known locking bottlenecks in the crypto subsystem that fast 
>>ipsec depends on.  This is consistent with idle time going up.
>>
>>Not sure when they'll be fixed but I know they're important to at least 
>>one person.
>>
>>	Sam
>>_______________________________________________
>>freebsd-stable@freebsd.org mailing list
>>http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>>To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
>>
>> 
>>
>>    
>>
>Hi Sam,
>
>I am going to try the fast ipsec.
>
>Regards,
>Steve
>  
>




Good news with fast ipsec I am back to 53mbits/sec.

Thanks everyone,
Steve

-- 

"They that give up essential liberty to obtain temporary safety, 
deserve neither liberty nor safety."  (Ben Franklin)

"The course of history shows that as a government grows, liberty 
decreases."  (Thomas Jefferson)






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?444FE31A.7030803>