Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Stange IPSec packet loss on net5501-70

    IPsec
    1
    1
    2.2k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • O
      olejak
      last edited by

      Hi,

      I've been doing some performance testing on two soekris net5501-70 and I've been running in to some problems and some issues that I can't really explain. I hope some other brains can shed some light on this problem.

      My setup is net5501-70 bios 1.33c, vpn1411, pfSense 1.2 embedded.

      I have turned all packet filters off, so the pfsense is acting as router.

      My IPSec conf is as follows:

      Phase1:
      Aggressive
      Rijndael 256 (Supportet by Hifn 7955)
      SHA-1
      DH 2
      Pre-shared key

      Phase 2:
      ESP
      Rijndael 256 (Supported by Hifn 7955)
      SHA-1
      off

      My test is as follows:

      iperf xxx  -P 1 -i 1 -p 5001 -f m -t 60

      PC -> PC = 633 MBytes at 86.9 Mbits/s (Control test)
      PC -> 5501 -> PC = 599 MBytes at 83.7 Mbits/s
      PC -> (vr0)5501(vr1) -> (vr1)5501(vr0) -> PC  = 597 MBytes at 83.4 Mbits/s
      PC -> (vr0)5501(vr1) -> (vr1)5501(vr0) -> PC  = 53.9 MBytes at 7.53 Mbits/s (AES-256 software)

      Problem No 1:
      This test only ran one time and it was not on the first try.
      All the tests I've done this way, except for one, resulted in a reboot of the net5001. Google brings me to this site:  http://wiki.soekris.info/I'm_seeing_some_strange_hardware_malfunction._What_should_I_try
      The power consumption of a standard none equipped net5501 is according to the specs " Power using external power supply is 6-25V DC, max 20 Watt". My PSU is capable of 25W output so it should be able to deliver the right amount of power. (The PSU is a GS25B12-P1J witch is standard with the 19" rack from Kerberos.si (http://www.kerberos.si/ENG/Soekris19.htm))
      I've tried both with and without Hardware Checksum Offloading.
      This puzzles me.

      PC -> (vr0)5501(vr1) -> (vr1)5501(vr0) -> PC  = 62,4 MBytes at 10.4 MBits/s (AES-256 Hardware – vpn1411)

      Problem No. 2:
      This test works every time but with packetloss. When I start the iperf test nothing happens for about 15 sec. and then the test starts running at about 10 MBits/s. When it peaks I get a packet loss (vr0: rx packet lost) on the interface facing the server side of iperf. In this case vr0. It doesn’t matter on which pc the iperf server is running. The interface facing the iperf server is getting the packet loss. This eliminates the possibility of a bad interface on the pc or the net5501.

      The packet loss is, of cause degrading the transfer for a second, and it peaks again, another packet loss is occurring and so on.

      I thought it might be a problem with iperf so I tried to do an ftp transfer with the exact same results.

      I have tried both with "Hardware Checksum Offloading" enabled and disabled.

      Every interface is running 100 Mbits/s Full duplex.

      pfSense is detecting the vpn1411 as a Hifn 7955 so no problem there.

      What also puzzles me is that the vpn1411's specs say "…and can deliver at throughput of up to 250Mbps doing encryption and compression, more than enough for use at T3, E3, OC-3 and Fast Ethernet speed" so I believe that the performance with the card would be much higher.

      I have tried to change to the 3DES algorithm with no effect. The same problem still excists.

      Am I doing something wrong or is everything acting as they should? Is the problem hardware or software?

      I'm looking forward to reading your comments.

      Cheers
      Ole

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.