IPSec - packets dropping/tunnels intermittent
-
hey everyone,
I have a machine running pfSense release 1.0 that is maintaining roughly 50 concurrent IPsec tunnels. The hardware is a dual P3 700 MHz with 2 gigabytes of RAM. We're experiencing some issues pertaining to packets dropping between two points, and sometimes tunnels just going down altogether. I'm looking to build a new P4 2.6 GHz/512 MB RAM machine to replace this old P3. Do you guys think this will solve the issue of packets being dropped? Or if I'm maintaining 50 concurrent IPsec connections, should I look into an IP accelerator? I would estimate though that none of these tunnels are doing more than 30-40 kilobytes/sec max, and certainly don't ever average near that.
lemme know your thoughts guys, thanks -
This is a 1.0? Not a 1.0.1? You should consider upgrading, maybe even to a snapshot release which runs a newer FreeBSD.
-
oh excuse me, the box is running 1.0.1
any other suggestions? Could this have anything to do with device polling? Could having device polling on a card that doesn't support it do something like this?
do you think either one of these sysctl values could be too low for 50 active connections?
net.inet.tcp.reass.maxsegments: 556
net.inet.tcp.reass.maxqlen: 48
or
kern.ipc.somaxconn: 128 -
If you could add some more detailed info, it'd be helpful, such as:
- How fast is the connection at the main location
- What brand are the network cards that are in the machine
- Of your 50 connections, are they site-site, mobile connections or both
-
Also, how much IPsec traffic are you actually seeing? 50 connections using 50 Mb is a lot different from 50 connections using 500 Kb.
-
hey razor2000,
- the main site's connection is a T3
- I still need to find out
- the 50 IPsec connections are to stores with static IPs, not mobile users.
cmb, as for the traffic… they're all very low traffic links. Each store has a crappy DSL connection, so not much data is going to be pushed through.
-
I don't think you mentioned, what's the other end of the IPsec connections? Is that pfSense as well, or?
From the sounds of things your hardware is adequate. The NICs may be a concern; just knowing what driver they use (by the interface name, like fxp0, xl0, rl0, etc.) would be helpful.
-
hey cmb, thanks for the input.
on the other end of the IPsec connections at the stores sit SonicWall firewall/VPN devices. I'm not exactly sure of the model, but I'll be seeing my friend later this evening and will ask him about the model and NICs.
-
Thanks for the updated info. Here's my take…
Normally, a P3-700 is adequate for a T3 line (especially when you have two P3s in your box). My only take would be to jump to a higher end box due to all of the IPsec connections you plan on having simultaneously. Your plan of using a P4-2.6 GHz chip seems fine, but two items I'd recommend going after:
- Up the RAM to 1 GB
- Make sure the NICs you use in that box are Intel NICs. If you can, go after gigabit NICs, as their larger cache/buffer frames seem to help out with more throughput.
If I am mistaken in my advice above, please feel free to correct me guys.
-
Or if you want to stay with the 700 MHz box, get a crypto offload card… Something like a Soekris http://www.soekris.com/vpn1401.htm
Then I would still recommend the Intel NICs like razor said. Considering that an Intel employee maintains the Intel driver...
-
You mention problems between 2 endpoints explicitly? Maybe investigate if there are line issues or if something is special about these endpoints (like running another firmware at their end or whatever).
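Added example, not a post from this thread and not pfSense code: the last few replies pull in two directions, either the hub box (CPU, RAM, NICs) or the lines and devices at a couple of specific stores. A quick way to tell the two apart before buying hardware is to probe every tunnel on the same schedule and look at how many are unhealthy at once. The script below does that over a constructed set of per-tunnel probe results (store names, RTT values and the 5% loss threshold are all assumptions); on a real hub you would fill the sample table from periodic pings across each tunnel.

```python
"""Per-tunnel reachability summary for an IPsec hub with many spokes.

Added example (not from the thread): separates loss on a few specific
tunnels (suspect the remote line or device) from loss on most tunnels
at the same time (suspect the hub's hardware, NICs or upstream link).
"""
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Constructed sample data: round-trip times in ms for 10 probes across each
# tunnel, None meaning the probe got no reply. The store names are made up.
SAMPLES: Dict[str, List[Optional[float]]] = {
    "store01": [38, 41, None, 40, 39, None, None, 42, 40, 41],  # intermittent loss
    "store02": [35, 36, 37, 35, 36, 36, 35, 37, 36, 35],        # healthy
    "store03": [None] * 10,                                     # tunnel down
    "store04": [52, 50, 51, 53, 50, 52, 51, 50, 52, 51],        # healthy, slower DSL
    "store05": [44, 45, 43, 44, 46, 45, 44, 43, 45, 44],        # healthy
}

LOSS_WARN_PCT = 5.0  # assumed threshold: above this a tunnel counts as 'lossy'


def loss_pct(samples: List[Optional[float]]) -> float:
    """Percentage of probes with no reply, rounded to one decimal."""
    if not samples:
        raise ValueError("no probes recorded")
    lost = sum(1 for s in samples if s is None)
    return round(100.0 * lost / len(samples), 1)


def avg_rtt(samples: List[Optional[float]]) -> Optional[float]:
    """Mean RTT of the answered probes, or None if nothing came back."""
    answered = [s for s in samples if s is not None]
    return round(mean(answered), 1) if answered else None


def classify(samples: List[Optional[float]]) -> str:
    """'down' if every probe was lost, 'lossy' above the threshold, else 'ok'."""
    loss = loss_pct(samples)
    if loss >= 100.0:
        return "down"
    if loss > LOSS_WARN_PCT:
        return "lossy"
    return "ok"


def summarize(
    all_samples: Dict[str, List[Optional[float]]]
) -> Dict[str, Tuple[float, Optional[float], str]]:
    """Map each tunnel name to (loss %, average RTT, status)."""
    return {name: (loss_pct(s), avg_rtt(s), classify(s)) for name, s in all_samples.items()}


def scope(summary: Dict[str, Tuple[float, Optional[float], str]]) -> str:
    """Where to look first: 'none' if every tunnel is fine, 'hub' if at least
    half of them are unhealthy at the same time (shared hardware, NICs,
    upstream link), otherwise 'spokes' (individual lines or remote devices)."""
    bad = [name for name, (_, _, status) in summary.items() if status != "ok"]
    if not bad:
        return "none"
    return "hub" if len(bad) >= len(summary) / 2 else "spokes"


if __name__ == "__main__":
    report = summarize(SAMPLES)
    for name, (loss, rtt, status) in sorted(report.items()):
        rtt_txt = f"{rtt} ms" if rtt is not None else "n/a"
        print(f"{name}: loss {loss}% avg rtt {rtt_txt} -> {status}")
    print("first place to look:", scope(report))
```

With the constructed sample, two of five tunnels are unhealthy (one lossy, one down) and the rest are clean, so the script points at the spokes rather than the hub; if most tunnels went lossy in the same window, it would point at the hub instead, which is the case where a faster box, more RAM or better NICs would actually matter.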