SG-3100 IPsec tunnels 21.02.X
-
Hello,
I have several SG-3100s that have been working very well for site-to-site IPsec for quite some time. Real-world speed of around 40 MB/s from around 500 Mb/s upload speed connection from ISP. This was all with the 2.4.5 version of pfSense.
I saw an update for the newer 21.X version, and assumed that things would work fine. But after updating I discovered some issues. I am aware that the whole 21.X release caused issues, especially in the IPsec area of pfSense. Currently, real-world speeds are around 8 MB/s.
I have read quite a lot of posts and documentation from Netgate on the issues, but some parts are still unclear regarding my current usage.
Considering that speeds were just fine in 2.4.5, this means that the hardware itself is capable of delivering the speeds that I need. No changes occurred to the configuration between updates (to my knowledge; if something changed in the background, that could explain things), except the drastic fall in speed.
I have tried to experiment with turning off the Async Crypto, in combination with various algos for encryption etc, and even making phase 2 just AH, with basically no change in real world speed.
If someone could clarify the issue it would greatly be appreciated. I know there are still some current bugs regarding the IPsec implementation, but from what I understood, changing algos should have produced a change in real world speeds, which it did not.
Please let me know if I can provide any other information, or if there is anything I can test to help the situation.
Thank you
-
Did you install 21.02-p1 or 21.02.2 released yesterday? The release notes have a few known issues and a bunch of IPsec fixes.
-
@steveits Thanks for your reply. I am aware of the changes. I was initially on 2.4.5, then went to 21.02-p1, and am currently on 21.02.2.
As mentioned, the issues started after the 'upgrade' from 2.4.5. But a few details that I will add since I was thinking back:
Very rarely, the speed on transfers does go up to the expected speed of around 40 MB/s and lasts a few minutes, but then returns to around 8 MB/s. Unfortunately, I didn't catch the logs when this happened.
Also, the logs look normal, just the dashboard checking the IPsec status in the normal fashion.
CPU usage does rise when Async is turned off, but speeds stay basically the same regardless.
The issue is not like what is mostly mentioned by others, where the tunnel does not stay active. Mine does stay active, and is rather stable; it's just that the speed is much slower than previously, with the same settings.