Netgate Discussion Forum
    Netgate 2100 IPsec S2S AES GCM and SafeXcel mbuf overload

    Category: IPsec | 18 Posts, 5 Posters, 1.8k Views
    • keyser (Rebel Alliance), replying to @NOCling:

      @nocling said in Netgate 2100 S2S AES GCM and SafeXcel mbuf overload:

      Yesterday: 8h of VPN backup with GCM and SafeXcel, MBUF overload incoming.
      [image: IPsec_S2S_mbuf_GCM_No_SafeXcel.png]
      [image: S2S Tunnel.PNG]

      At the moment it looks like SafeXcel is triggering the MBUF overload, but I'll watch it again for another 24 hours.

      Over IPv6 again, or this time over IPv4?

      Love the no fuss of using the official appliances :-)

      • NOCling:

        IPv4. IPv6 is broken by the ISP and I don't have the time to investigate a fix; IPsec is more important.

        I had only changed SafeXcel to inactive.

        Netgate 6100 & Netgate 2100

        • keyser (Rebel Alliance), replying to @NOCling:

          @nocling said in Netgate 2100 S2S AES GCM and SafeXcel mbuf overload:

          IPv4. IPv6 is broken by the ISP and I don't have the time to investigate a fix; IPsec is more important.

          I had only changed SafeXcel to inactive.

          Okay, so it's a general SafeXcel issue when using GCM on the 2100 in your situation. It would be interesting if anyone can confirm this, or whether it's some setting/parameter in your specific situation.

          Love the no fuss of using the official appliances :-)

          • NOCling:

            1.5 days without SafeXcel active, no problem here:
            [image: IPsec_S2S_mbuf_GCM_No_SafeXcel-longtime.png]

            Netgate 6100 & Netgate 2100

            • NOCling:

              AES-GCM-128 and SafeXcel active again, the MBUF is already running full again.
              [image: IPsec_S2S_mbuf_GCM_SafeXcel_again.png]

              Also, the GUI is slower than usual when I access it through the S2S tunnel.

              Now I'm back to CBC-256 and a reboot to clear the MBUF.

              Netgate 6100 & Netgate 2100

              • keyser (Rebel Alliance), replying to @NOCling:
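A way to watch for the mbuf exhaustion this post describes, added here as an example and not taken from the thread: it parses the output of FreeBSD's `netstat -m` (the line format is assumed to match what pfSense prints) and flags the cluster pool filling up or allocation requests being denied, so the condition is noticed before the tunnel and GUI degrade. The two `netstat -m` samples are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses FreeBSD/pfSense `netstat -m`
# output (line format assumed) and flags mbuf cluster exhaustion.

# Constructed sample of a box whose cluster pool is nearly full and which has
# already denied cluster allocations (the state described in the post above).
SAMPLE_EXHAUSTED='16385/5185/21570 mbufs in use (current/cache/total)
118000/4080/122080/126476 mbuf clusters in use (current/cache/total/max)
16384/4080 mbuf+clusters out of packet secondary zone in use (current/cache)
0/43/43/63238 4k (page size) jumbo clusters in use (current/cache/total/max)
0/27/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for mbufs delayed (mbufs/clusters/mbuf+clusters)'

# Constructed sample of a healthy box.
SAMPLE_HEALTHY='16385/5185/21570 mbufs in use (current/cache/total)
16384/4080/20464/126476 mbuf clusters in use (current/cache/total/max)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)'

# mbuf_cluster_stats TEXT -> prints "<percent of max in use> <denied cluster requests>"
mbuf_cluster_stats() {
    printf '%s\n' "$1" | awk '
        /mbuf clusters in use/      { split($1, f, "/"); cur = f[1]; max = f[4] }
        /requests for mbufs denied/ { split($1, d, "/"); denied = d[2] + 0 }
        END { pct = (max > 0) ? int(cur * 100 / max) : 0
              printf "%d %d\n", pct, denied }'
}

# check_mbuf_health TEXT [THRESHOLD_PCT] -> 0 if healthy, 1 if the pool is at or
# above the threshold or any cluster request was denied (default threshold 80%).
check_mbuf_health() {
    threshold="${2:-80}"
    stats=$(mbuf_cluster_stats "$1")
    pct="${stats%% *}"
    denied="${stats##* }"
    if [ "$pct" -ge "$threshold" ] || [ "$denied" -gt 0 ]; then
        echo "WARN: mbuf clusters at ${pct}% of max, ${denied} cluster requests denied"
        return 1
    fi
    echo "OK: mbuf clusters at ${pct}% of max"
    return 0
}

# On a live pfSense box replace the sample with: check_mbuf_health "$(netstat -m)" 80
check_mbuf_health "$SAMPLE_EXHAUSTED" 80 || true
check_mbuf_health "$SAMPLE_HEALTHY" 80 || true
```

Run it from cron and route the WARN line to syslog or a monitoring hook; a reboot to clear the pool, as done in the post, then becomes a planned action rather than a surprise.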

                @nocling said in Netgate 2100 S2S AES GCM and SafeXcel mbuf overload:

                AES-GCM-128 and SafeXcel active again, the MBUF is already running full again.
                [image: image.png]

                Also, the GUI is slower than usual when I access it through the S2S tunnel.

                Now I'm back to CBC-256 and a reboot to clear the MBUF.

                Seems pretty clear where the issue is 😊
                What's the speed difference (throughput) between CBC-256 and GCM-128 in your setup, where I assume the SG-2100 is the bottleneck and not your WAN speed?

                Love the no fuss of using the official appliances :-)

                • NOCling:

                  The WAN upload is the limit.
                  But with the new appliances on both ends, it would be nice to be able to use GCM.
                  So it would be nice if someone from Netgate could now take a look at the whole thing and see if the error can be reproduced on their side.

                  Netgate 6100 & Netgate 2100

                  • otsego:

                    @NOCling

                    Thanks for posting this! I have a Netgate 6100 connected to a 2100 through a VTI IPsec tunnel. Once there was medium-plus traffic from the 6100 to the 2100, such as a file transfer from one NAS to another (nothing too heavy, internet speed of 100 Mbit/s), the entire VPN tunnel crashed and would not come up again until a reboot. I couldn't understand what on earth it was and tried every single setting and detail, but it never occurred to me that AES-GCM could be the issue.

                    I have now changed from AES-GCM to AES-CBC on the site-to-site tunnel and it suddenly became rock stable.

                    So there is definitely something to the AES-GCM theory on the Netgate 2100.

                    • keyser (Rebel Alliance), replying to @PhlMike:

                      @phlmike said in Netgate 2100 S2S AES GCM and SafeXcel mbuf overload:

                      @nocling If it is a reproducible bug in the 2100, then you need to file a bug report in Redmine.
                      https://redmine.pfsense.org/

                      Please, you guys, remember to fill out the Redmine bug report. Otherwise this won't get fixed.

                      Love the no fuss of using the official appliances :-)

                      • forum1:

                        It appears Bug #13074 ( https://redmine.pfsense.org/issues/13074 ) has been created for this.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.