Netgate Discussion Forum

    Checksum errors and poor performance.

      pffan

      I have two boxes running pfSense 2.0 with a persistent IPsec tunnel between them. These boxes are peers on my test bench network (192.168.11.0/24). I use a workstation on one network (192.168.0.0/24) to manage a Hyper-V server on the other network (192.168.215.0/24). Hyper-V Manager runs terribly slow. Accessing shared folders through the tunnel is also very slow. A packet capture on the IPSEC interface shows checksum errors.

      13:58:25.033643 (authentic,confidential): SPI 0x08cff550: (tos 0x0, ttl 127, id 14061, offset 0, flags [none], proto TCP (6), length 576, bad cksum a942 (->aa42)!)  
      192.168.215.10.49154 > 192.168.0.45.1701: Flags [.], cksum 0xfa5f (correct), seq 537:1073, ack 192, win 512, length 536

      In every instance, the checksum is off by 0x0100.  I must have done something wrong, but I'll be damned if I can figure it out.  Am I even on the right track?

      I've attached a screenshot of my IPsec configuration.
      pfSense-IPsec-config.jpg
        pffan

        Solved

        System > Advanced > Misc. > Enable MSS clamping on VPN traffic

        The problem was already large RPC packets becoming too large as a result of IPsec encapsulation. After reducing the WAN MTU and messing up all my connections, a colleague suggested I try this setting. It works great with the default value of 1400.

        Hopefully this helps someone.

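The size problem described in the thread, worked through as an added example that is not part of the original posts: it computes how large an inner TCP/IP packet becomes after ESP tunnel-mode encapsulation and the largest TCP MSS that still fits the WAN MTU. The cipher suites, the 1500-byte WAN MTU and all function names are assumptions, since the thread does not state the tunnel's proposal.

```python
# Added example: ESP tunnel-mode sizing to see why an unclamped TCP MSS overflows the WAN MTU.
# Assumptions (not from the thread): IPv4 without options, minimal ESP padding,
# 1500-byte WAN MTU, and the cipher suites listed in SUITES.

IP_HDR = 20       # IPv4 header, no options
TCP_HDR = 20      # TCP header, no options
ESP_HDR = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)
NAT_T_UDP = 8     # UDP header added when ESP is wrapped for NAT traversal

# name -> (IV length, cipher block size, ICV length), all in bytes
SUITES = {
    "3DES-CBC/HMAC-SHA1-96": (8, 8, 12),
    "AES-CBC/HMAC-SHA1-96": (16, 16, 12),
    "AES-CBC/HMAC-SHA256-128": (16, 16, 16),
}


def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12, nat_t=False):
    """Outer packet size after ESP tunnel-mode encapsulation of an inner IP packet."""
    # The inner packet plus the ESP trailer is padded up to a whole cipher block.
    padded = ((inner_len + ESP_TRAILER + block - 1) // block) * block
    udp = NAT_T_UDP if nat_t else 0
    return IP_HDR + udp + ESP_HDR + iv_len + padded + icv_len


def fits(mss, wan_mtu=1500, **esp):
    """True if a full-size TCP segment with this MSS crosses the WAN unfragmented."""
    return esp_tunnel_size(IP_HDR + TCP_HDR + mss, **esp) <= wan_mtu


def largest_safe_mss(wan_mtu=1500, **esp):
    """Largest MSS whose encapsulated packet still fits within wan_mtu."""
    mss = wan_mtu - IP_HDR - TCP_HDR   # start from the unclamped Ethernet MSS (1460)
    while mss > 0 and not fits(mss, wan_mtu, **esp):
        mss -= 1
    return mss


def mss_table(wan_mtu=1500):
    """(suite, NAT-T?, largest safe MSS) for each assumed suite."""
    return [(name, nat_t, largest_safe_mss(wan_mtu, iv_len=iv, block=blk,
                                           icv_len=icv, nat_t=nat_t))
            for name, (iv, blk, icv) in SUITES.items() for nat_t in (False, True)]


if __name__ == "__main__":
    print("unclamped MSS 1460 ->", esp_tunnel_size(1500), "bytes on the wire")
    for name, nat_t, mss in mss_table():
        print(f"{name:26} NAT-T={nat_t!s:5} largest safe MSS={mss}")
```

Compare the result for your own proposal against the clamp value you configure; a segment that encapsulates to more than the WAN MTU has to be fragmented or dropped on the path.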
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.