Checksum errors and poor performance.

  • I have two boxes running pfSense 2.0 with a persistent IPsec tunnel between them.  These boxes are peers on my test bench network ( /24).  I use a workstation on one network ( /24) to manage a Hyper-V server on the other network ( /24).  Hyper-V Manager runs terribly slowly.  Accessing shared folders through the tunnel is also very slow.  A packet capture on the IPsec interface shows checksum errors.

    13:58:25.033643 (authentic,confidential): SPI 0x08cff550: (tos 0x0, ttl 127, id 14061, offset 0, flags [none], proto TCP (6), length 576, bad cksum a942 (->aa42)!) > Flags [.], cksum 0xfa5f (correct), seq 537:1073, ack 192, win 512, length 536

    In every instance, the checksum is off by 0x0100.  I must have done something wrong, but I'll be damned if I can figure it out.  Am I even on the right track?

    I've attached a screenshot of my IPsec configuration.

  • Solved

    System > Advanced > Misc. > Enable MSS clamping on VPN traffic

    The problem was already large RPC packets becoming too large as a result of IPsec encapsulation.  After reducing the WAN MTU and messing up all my connections, a colleague suggested I try this setting.  It works great with the default value of 1400.

    Hopefully this helps someone.
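
The size arithmetic behind the fix described above, as an added example that is not part of the original posts: it computes how large a full-size TCP segment becomes after ESP tunnel-mode encapsulation and the largest MSS that still fits the path MTU. The two transforms, the 1500-byte path MTU and the reading of 1400 as the clamped TCP MSS are assumptions; the thread does not say which cipher the tunnel uses.

```python
# Added example: size of an ESP tunnel-mode packet for a given TCP MSS.
# The transforms listed are assumptions; the thread does not name the tunnel's cipher.
IP_HDR, TCP_HDR = 20, 20        # IPv4 and TCP headers without options
ESP_HDR, ESP_TRAILER = 8, 2     # SPI + sequence number; pad length + next header
NATT_UDP = 8                    # extra UDP header when NAT-T is in use

# name: (IV bytes, cipher block bytes, ICV bytes)
TRANSFORMS = {
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
}


def esp_size(inner_len, transform, nat_t=False):
    """Outer IPv4 packet size after encapsulating an inner packet of inner_len bytes."""
    iv, block, icv = TRANSFORMS[transform]
    # Inner packet plus the 2-byte trailer is padded up to the cipher block size.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return IP_HDR + (NATT_UDP if nat_t else 0) + ESP_HDR + iv + padded + icv


def wire_size(mss, transform, nat_t=False):
    """Encapsulated size of a full-size TCP segment carrying mss payload bytes."""
    return esp_size(IP_HDR + TCP_HDR + mss, transform, nat_t)


def max_mss(transform, path_mtu=1500, nat_t=False):
    """Largest MSS whose encapsulated segment fits path_mtu without fragmentation."""
    mss = path_mtu - IP_HDR - TCP_HDR
    while mss > 0 and wire_size(mss, transform, nat_t) > path_mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    for name in TRANSFORMS:
        for mss in (1460, 1400):
            size = wire_size(mss, name)
            print(f"{name}: MSS {mss} -> {size} bytes, fits 1500: {size <= 1500}")
        print(f"{name}: largest MSS = {max_mss(name)}, "
              f"with NAT-T = {max_mss(name, nat_t=True)}")
```

An unclamped Ethernet MSS of 1460 exceeds 1500 bytes after encapsulation under both assumed transforms, while the headroom left at 1400 depends on the cipher block size and on NAT-T.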