Netgate Discussion Forum
    Netgate 2100 IPsec S2S AES GCM and SafeXcel mbuf overload

    18 Posts 5 Posters 1.8k Views
    • NOCling

      Ok, now it works with GCM MBUF 3% (1776/70608).

      My parents' ISP changed the provisioning of the cable modem at the beginning of the week and since then the pfsense can no longer obtain an IPv6 IP Prefix.
      Now the SG-2100 only works with IPv4 and the problem is not there.
      SafeXcel Crypto: Yes (active)
      Asynchronous Cryptography (active)

      When I encounter the error, the IPsec tunnel connects using the IPv6 WAN IP on both sides using port 500, now it is the IPv4 using port 4500.
      Looks like it interacts with IPv6 in some way, which triggers the MBUF overload.
      So now I have to see if I can fix the IPv6 problem in order to generate the error again.

      Interesting issue...

      Netgate 6100 & Netgate 2100

      • keyser (Rebel Alliance) @NOCling

        @nocling said in Netgate 2100 S2S mbuf overload:

        Ok, now it works with GCM MBUF 3% (1776/70608).

        My parents' ISP changed the provisioning of the cable modem at the beginning of the week and since then the pfsense can no longer obtain an IPv6 IP Prefix.
        Now the SG-2100 only works with IPv4 and the problem is not there.
        SafeXcel Crypto: Yes (active)
        Asynchronous Cryptography (active)

        When I encounter the error, the IPsec tunnel connects using the IPv6 WAN IP on both sides using port 500, now it is the IPv4 using port 4500.
        Looks like it interacts with IPv6 in some way, which triggers the MBUF overload.
        So now I have to see if I can fix the IPv6 problem in order to generate the error again.

        Interesting issue...

        Very good observation that it is related to tunneling over IPv6 vs IPv4. When connected on port 500 it's using ESP directly, whereas on port 4500 it's using NAT traversal. Whether that has an influence, or if it's only the protocol version, needs to be tested.

        Good find!

        Love the no fuss of using the official appliances :-)

        • NOCling

          Yesterday 8h of VPN Backup with GCM and SafeXcel MBUF Overload incoming.
          [attachment: IPsec_S2S_mbuf_GCM_No_SafeXcel.png]
          [attachment: S2S Tunnel.PNG]

          At the moment it looks like SafeXcel is triggering the MBUF overload, but I'll watch it again for another 24 hours.

          Netgate 6100 & Netgate 2100

          • keyser (Rebel Alliance) @NOCling

            @nocling said in Netgate 2100 S2S AES GCM and SafeXcel mbuf overload:

            Yesterday 8h of VPN Backup with GCM and SafeXcel MBUF Overload incoming.
            [attachment: IPsec_S2S_mbuf_GCM_No_SafeXcel.png]
            [attachment: S2S Tunnel.PNG]

            At the moment it looks like SafeXcel is triggering the MBUF overload, but I'll watch it again for another 24 hours.

            Over IPv6 again, or this time over IPv4?

            Love the no fuss of using the official appliances :-)

            • NOCling

              IPv4. IPv6 is broken by the ISP and I don't have the time to investigate a fix; IPsec is more important.

              I had only changed SafeXcel to inactive.

              Netgate 6100 & Netgate 2100

              • keyser (Rebel Alliance) @NOCling

                @nocling said in Netgate 2100 S2S AES GCM and SafeXcel mbuf overload:

                IPv4. IPv6 is broken by the ISP and I don't have the time to investigate a fix; IPsec is more important.

                I had only changed SafeXcel to inactive.

                Okay, so it's a general SafeXcel issue when using GCM on the 2100 in your situation. Interesting if anyone can confirm this, or whether it's some setting/parameter in your specific situation.

                Love the no fuss of using the official appliances :-)

                • NOCling

                  1.5 days without SafeXcel active, no problem here:
                  [attachment: IPsec_S2S_mbuf_GCM_No_SafeXcel-longtime.png]

                  Netgate 6100 & Netgate 2100

                  • NOCling

                    AES-GCM-128 and SafeXcel active again, the MBUF is already running full again.
                    [attachment: IPsec_S2S_mbuf_GCM_SafeXcel_again.png]

                    Also, the GUI is slower than usual when I access it through the S2S tunnel.

                    Now I'm back to CBC-256 and a reboot to clear the MBUF.

                    Netgate 6100 & Netgate 2100
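An added example for the mbuf figure the posters are watching (not code from the thread, Netgate or pfSense): it parses FreeBSD `netstat -m` output, which is where the dashboard's current/max cluster numbers come from, and flags a climbing trend or denied allocations before the tunnel stalls. The `netstat -m` line formats and the sample snapshots are assumptions, constructed to mirror the 1776/70608 figure quoted above.

```python
"""Flag mbuf-cluster exhaustion from FreeBSD/pfSense `netstat -m` output.
Added illustration, not Netgate code. Assumes the FreeBSD `netstat -m`
line formats matched below; sample snapshots are constructed."""
import re
from dataclasses import dataclass

CLUSTERS_RE = re.compile(r"(\d+)/(\d+)/(\d+)/(\d+) mbuf clusters in use")
DENIED_RE = re.compile(r"(\d+)/(\d+)/(\d+) requests for mbufs denied")

@dataclass
class MbufStatus:
    current: int    # clusters in use right now
    maximum: int    # ceiling (kern.ipc.nmbclusters)
    percent: float  # current / maximum, one decimal
    denied: int     # allocation failures since boot; any value > 0 is bad

def analyze_netstat_m(text: str) -> MbufStatus:
    """Parse one `netstat -m` snapshot into an MbufStatus."""
    cl = CLUSTERS_RE.search(text)
    if cl is None:
        raise ValueError("no 'mbuf clusters in use' line found")
    current, _cache, _total, maximum = (int(x) for x in cl.groups())
    dn = DENIED_RE.search(text)
    denied = sum(int(x) for x in dn.groups()) if dn else 0
    pct = round(100.0 * current / maximum, 1) if maximum else 0.0
    return MbufStatus(current, maximum, pct, denied)

def leak_suspected(samples, warn_pct=50.0, window=3) -> bool:
    """True if the kernel has denied mbuf requests, or if usage rose across
    the last `window` snapshots and passed warn_pct. A steadily climbing
    figure on an otherwise idle box is the pattern reported in this thread
    with AES-GCM plus SafeXcel; a flat low figure (the 3% case) is normal."""
    if any(s.denied > 0 for s in samples):
        return True
    if len(samples) < window:
        return False
    recent = samples[-window:]
    rising = all(a.current < b.current for a, b in zip(recent, recent[1:]))
    return rising and recent[-1].percent >= warn_pct

# Constructed snapshots (not captured from a real SG-2100).
SAMPLE_HEALTHY = """\
3140/1364/4504 mbufs in use (current/cache/total)
1776/1364/3140/70608 mbuf clusters in use (current/cache/total/max)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
"""
SAMPLE_EXHAUSTED = SAMPLE_HEALTHY.replace(
    "1776/1364/3140/70608", "70608/0/70608/70608").replace(
    "0/0/0 requests", "0/1342/0 requests")
```

On a live box, pipe `netstat -m` into `analyze_netstat_m()` from a periodic cron job and keep the last few results; `leak_suspected()` then gives the alert condition.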

                    • keyser (Rebel Alliance) @NOCling

                      @nocling said in Netgate 2100 S2S AES GCM and SafeXcel mbuf overload:

                      AES-GCM-128 and SafeXcel active again, the MBUF is already running full again.
                      [attachment: image.png]

                      Also, the GUI is slower than usual when I access it through the S2S tunnel.

                      Now I'm back to CBC-256 and a reboot to clear the MBUF.

                      Seems pretty clear where the issue is 😊
                      What's the speed difference (throughput) between CBC-256 and GCM-128 in your setup, where I assume the SG-2100 is the bottleneck and not your WAN speed?

                      Love the no fuss of using the official appliances :-)

                      • NOCling

                        The WAN upload is the limit.
                        But with the new appliances on both ends, it would be nice to be able to use GCM.
                        So it would be nice if someone from Netgate could now take a look at the whole thing and see if the error can be reproduced on their side.

                        Netgate 6100 & Netgate 2100

                        • otsego

                          @NOCling

                          Thanks for posting this! I have a Netgate 6100 connected to a 2100 through a VTI IPsec tunnel. Once there was medium+ traffic from the 6100 to the 2100, such as a file transfer from one NAS to another, nothing too heavy, internet speed of 100 Mbit/s, the entire VPN tunnel crashed and would not come up again until a reboot. I couldn't understand what on earth it was and tried every single setting and detail, but it never occurred to me that AES-GCM could be the issue.

                          I now changed from AES-GCM to AES-CBC on the site-to-site tunnel and it suddenly became rock stable.

                          So there is definitely something to the AES-GCM theory on the Netgate 2100.

                          • keyser (Rebel Alliance) @PhlMike

                            @phlmike said in Netgate 2100 S2S AES GCM and SafeXcel mbuf overload:

                            @nocling If it is a reproducible bug in the 2100, then you need to file a bug report in Redmine.
                            https://redmine.pfsense.org/

                            Please, you guys, remember to fill out the Redmine bug report. Otherwise this won't get fixed.

                            Love the no fuss of using the official appliances :-)

                            • forum1

                              It appears Bug #13074 ( https://redmine.pfsense.org/issues/13074 ) has been created for this.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.