From owner-freebsd-stable@FreeBSD.ORG Thu Apr 27 00:30:41 2006 Return-Path: X-Original-To: stable@freebsd.org Delivered-To: freebsd-stable@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0498D16A473 for ; Thu, 27 Apr 2006 00:30:41 +0000 (UTC) (envelope-from Stephen.Clark@seclark.us) Received: from smtpout06-04.prod.mesa1.secureserver.net (smtpout06-01.prod.mesa1.secureserver.net [64.202.165.224]) by mx1.FreeBSD.org (Postfix) with SMTP id EF1ED43D45 for ; Thu, 27 Apr 2006 00:30:39 +0000 (GMT) (envelope-from Stephen.Clark@seclark.us) Received: (qmail 18561 invoked from network); 27 Apr 2006 00:30:39 -0000 Received: from unknown (24.144.77.138) by smtpout06-04.prod.mesa1.secureserver.net (64.202.165.227) with ESMTP; 27 Apr 2006 00:30:39 -0000 Message-ID: <445010AE.6040401@seclark.us> Date: Wed, 26 Apr 2006 20:30:38 -0400 From: Stephen Clark User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.16-22smp i686; en-US; m18) Gecko/20010110 Netscape6/6.5 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Stephen.Clark@seclark.us References: <444E2503.9090506@seclark.us> <6.2.3.4.0.20060425093417.068dfc08@64.7.153.2> <444E5608.4050704@seclark.us> <6.2.3.4.0.20060425134955.051d58d0@64.7.153.2> <444F750C.7070206@seclark.us> <444FAE19.3060404@errno.com> <444FD105.1050108@seclark.us> <444FE31A.7030803@seclark.us> In-Reply-To: <444FE31A.7030803@seclark.us> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Cc: stable@freebsd.org, Robert Watson Subject: Re: Freebsd Stable 6.x ipsec slower than with 4.9 X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Stephen.Clark@seclark.us List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Apr 2006 00:30:41 -0000 Stephen Clark wrote: >Stephen Clark wrote: > > > >>Sam Leffler wrote: >> >> >> >> >> >>>Stephen Clark wrote: >>> >>> >>> >>> >>> >>> >>>>Mike Tancsa wrote: >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>>>At 01:02 PM 25/04/2006, Stephen Clark wrote: >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>>>Try first >>>>>>>sysctl -w net.inet.tcp.inflight.enable=0 >>>>>>> >>>>>>>If its still slower, try using FAST_IPSEC instead on the server. >>>>>>>However, make sure you disable INET6 >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>That increased it to 39mbits/sec. Still far from 54mbits/sec >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>Are all of the TCP params (compare sysctl -a net.inet.tcp on both )and >>>>>application defaults still the same on both systems ? One that that >>>>>for sure is not in RELENG_4 is SACK. Try disabling that and see if >>>>>there is a difference. >>>>> >>>>> ---Mike >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>I checked the sysctl's between the two system and where the match they >>>>are the same. The raw transfer rate ~94mbits/sec is the same as I was >>>>getting between the systems when they were both 4.9. The real >>>>difference appears to be in ipsec. The other thing that is interesting >>>>is the idle time when I am running this test on the 6.x system is about >>>>70% when it was a 4.9 system getting 54mbits/sec the idle time was only >>>>50-55%. >>>> >>>>I am reluctant to try fast ipsec because of problems I had when I tried >>>>it under 4.9, it didn't work with our existing sites. >>>> >>>> >>>> >>>> >>>> >>>> >>>There are known locking bottlenecks in the crypto subsystem that fast >>>ipsec depends on. This is consistent with idle time going up. >>> >>>Not sure when they'll be fixed but I know they're important to at least >>>one person. >>> >>> Sam >>>_______________________________________________ >>>freebsd-stable@freebsd.org mailing list >>>http://lists.freebsd.org/mailman/listinfo/freebsd-stable >>>To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org" >>> >>> >>> >>> >>> >>> >>> >>Hi Sam, >> >>I am going to try the fast ipsec. >> >>Regards, >>Steve >> >> >> >> > > > > >Good news with fast ipsec I am back to 53mbits/sec. > >Thanks everyone, >Steve > > > New Info when I tried sending data across the gre/vpns I get the following messages which I did not get with kame ipsec. Any ideas anyone? Apr 26 20:24:43 J301001 kernel: gre15: gre_output: recursively called too many times(2) Apr 26 20:24:52 J301001 kernel: gre71: gre_output: recursively called too many times(2) Apr 26 20:24:54 J301001 kernel: gre39: gre_output: recursively called too many times(2) Apr 26 20:24:55 J301001 kernel: gre43: gre_output: recursively called too many times(2) Apr 26 20:24:59 J301001 kernel: gre97: gre_output: recursively called too many times(2) Apr 26 20:25:16 J301001 kernel: gre97: gre_output: recursively called too many times(2) -- "They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety." (Ben Franklin) "The course of history shows that as a government grows, liberty decreases." (Thomas Jefferson)