Slow IPSEC Performance
-
@luxadmin
Hey
Try decreasing the value of MSS on both sides of the tunnel
VPN/IPsec/Advanced Settings/Maximum MSS
for example, my settings
-
SMB is a very chatty protocol designed for low latency local links. When running SMB over slow, higher latency links you will get slow performance out of the VPN. A better bet is to use a different protocol for file transfers over the VPN link.
-
@chrismacmahon said in Slow IPSEC Performance:
SMB is a very chatty protocol designed for low latency local links. When running SMB over slow, higher latency links you will get slow performance out of the VPN. A better bet is to use a different protocol for file transfers over the VPN link.
Though technically correct, this does not account for the discrepancy when using the same protocol over a Cisco VPN vs a pfSense VPN.
-
Do you know if the Ciscos have a VPN accelerator built in? https://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2y/12_2ye9/feature/guide/12ye_vam.html
As @Konstanti stated, you can try seeing if MSS clamping has some impact on the link.
-
@chrismacmahon Will need to check if they have this installed, the Cisco team won't let us look at their equipment.
Just killed all rsync jobs and about to enable the MSS clamping.
-
Tried messing with the clamping and no improvement. Used both a small MSS and the max my connection supports.
The load average is 0.17, 0.19, 0.15 for dual cores which is rather low, so I doubt it's a CPU bottleneck.
Found a number of suggestions online, but they are geared towards throughput and not this "chatty" type of traffic.
-
Have you tested IPERF through the tunnel?
-
@chrismacmahon What would I look for that we do not already know? (not being snarky, I am really asking)
I tried messing with the TCP offloading on the KVM side as this has been known to cause issues. I now remember last year I installed pfSense as a VM in oVirt. It performed terribly, with OpenVPN being nearly unusable. Switched to a standard CentOS installation and running OpenVPN and it was flawless.
I may end up trying VyOS and see what I can get from that.
-
Have you removed hardware offloading?
WARNING: because the hardware checksum offload is not yet disabled, accessing pfSense WebGUI might be sluggish. This is NORMAL and is fixed in the following step.
To disable hardware checksum offload, navigate to System > Advanced and select the Networking tab. Under the Networking Interfaces section, check Disable hardware checksum offload and click Save. A reboot will be required after this step.
The iperf tests through the tunnel will tell you if there is an issue in the tunnel or elsewhere. If you are getting the full 150m between the 2 points on an iperf test, we know it's the SMB protocol that is the issue.
-
Yes I tried disabling TCP offloading, and it reduced my throughput by 80%. I re-enabled it.
I am getting the full 150Mbps over SMB on the pfSense tunnel, that is not the issue. I am sorry, it can be difficult to explain these issues using only text and I may not be explaining this correctly.
Throughput is good!
Random filesystem access is bad. Example:
I search the SMB share for all jpg files. Using the 50Mbps Cisco tunnel, it takes 5 minutes. Using the 150Mbps pfSense tunnel, it takes 15 minutes.
It is an odd issue to have, and one I have not seen before.