Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    [SOLVED] v2.3.4 IPSEC tunnels slow to get started

    Scheduled Pinned Locked Moved IPsec
    1 Posts 1 Posters 616 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      Stackmgr
      last edited by

      I am connecting a v2.3.4 to a v2.3.3.  The 2.3.3 has been running for ages, and works great.  When I create a tunnel linking my desk to the 2.3.3 using a Cisco or Linksys router, performance is good.  The 2.3.3 box is connected to another 2.3.3 box at a different host site.  Those tunnels work great together.  No delays and good speed.

      I want to replace the Linksys at my desk with a new 2.3.4 device.  The tunnel comes right up on the 2.3.4.  I can ping from my desktop without a problem and a file transfer through the tunnel is impressively fast.  When I access a web site located behind the 2.3.3 box using the open internet it loads and displays very fast.

      Here's the problem.  When I access the same web site using the IPSEC tunnel connecting the 2.3.4 to the 2.3.3 there is a long pause before anything happens at all, then a chunk of data arrives, then a long pause, then more, etc.  This same delay occurs anytime I access  information/data through the tunnel.  Eventually the data arrives, but it's slow going.  Once the data has arrived, re-requesting data goes fast.  If I delay several minutes before re-requesting data, the long pause begins again.

      I've tested with "Enable bypass for LAN interface IP" both checked and unchecked at both locations.  It doesn't seem to make a difference.
      [EDIT] The "Enable bypass…" setting makes a huge difference in internet throughput.  I've enabled this on both the 2.3.4 and 2.3.3 boxes.  However it makes no impact on the IPSEC problem.

      Dead Peer Detection is enabled on both sides.  Basically all the tunnel setting are default on both sides.  Both sides show the tunnel is up.
      The IPSEC rule is all asterisks.
      The computer is AMD64, Intel(R) Pentium(R) CPU J2850 @ 2.41GHz 4 CPUs: 1 package(s) x 4 core(s),  4 gigs RAM, 400+ Gigs hard drive.
      I had the same problem using Netgate hardware and I thought the problem was the hardware.

      Any thoughts?

      [SOLUTION]
      I have an AT&T Microcell in the house that connects directly to FIOS.  There's a port on the Microcell to attach house internet connectivity.  All the previous tests were done with the router connected to the Microcell.  When I attached the pfSense directly to FIOS all the problems went away!  I plugged the Microcell into a 10/100/1000 switch which is on the network and the Microcell works fine too.

      I don't know why the Microcell created a problem for pfSense and not for the Cisco or Linksys routers .  And I'm not sure I care.  It works.  It's fast.  And if it's like the other pfSense boxes we use, it will be reliable.

      All is well!

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.