IPSec - packets dropping/tunnels intermittent

  • hey everyone,
      I have a machine running pfSense release 1.0 that is maintaining roughly 50 concurrent IPsec tunnels. The hardware is a dual P3 700 MHz with 2 gigabytes of RAM. We're experiencing some issues pertaining to packets dropping between two points, and sometimes tunnels just going down altogether. I'm looking to build a new P4 2.6 GHz/512 MB RAM machine to replace this old P3. Do you guys think this will solve the issue of packets being dropped? Or if I'm maintaining 50 concurrent IPsec connections, should I look into an IP accelerator? I would estimate, though, that none of these tunnels are doing more than 30-40 kilobytes/sec max, and certainly don't ever average near that.
    lemme know your thoughts guys, thanks

  • This is a 1.0? Not a 1.0.1? You should consider upgrading, maybe even to a snapshot release which runs a newer FreeBSD.

  • oh, excuse me, the box is running 1.0.1
    any other suggestions?

    could this have anything to do with device polling? Could having device polling on a card that doesn't support it do something like this?

    do you think any of these sysctl values could be too low for 50 active connections?
    net.inet.tcp.reass.maxsegments: 556
    net.inet.tcp.reass.maxqlen: 48
    kern.ipc.somaxconn: 128

  • If you could add some more detailed info, it'd be helpful, such as:

    1. How fast is the connection at the main location?
    2. What brand are the network cards that are in the machine?
    3. Of your 50 connections, are they site-to-site, mobile connections, or both?

  • also how much IPsec traffic are you actually seeing? 50 connections using 50 Mb is a lot different from 50 connections using 500 Kb.

  • hey razor2000,

    1. The main site's connection is a T3.
    2. I still need to find out.
    3. The 50 IPsec connections are to stores with static IPs, not mobile users.

    cmb, as for the traffic… they're all very low traffic links. Each store has a crappy DSL connection, so not much data is going to be pushed through.

  • I don't think you mentioned, what's the other end of the IPsec connections? Is that pfSense as well, or?

    From the sounds of things your hardware is adequate. The NICs may be a concern; just knowing what driver they use (by the interface name, like fxp0, xl0, rl0, etc.) would be helpful.

  • hey cmb, thanks for the input.

    On the other end of the IPsec connections at the stores sit SonicWall firewall/VPN devices. I'm not exactly sure of the model, but I'll be seeing my friend later this evening and will ask him about the model and NICs.

  • Thanks for the updated info. Here's my take…

    Normally, a P3-700 is adequate for a T3 line (especially when you have two P3s in your box). My only take would be to jump to a higher end box due to all of the IPsec connections you plan on having simultaneously. Your plan of using a P4-2.6 GHz chip seems fine, but two items I'd recommend going after:

    1. Up the RAM to 1 GB
    2. Make sure the NICs you use in that box are Intel NICs. If you can, go after gigabit NICs, as their larger cache/buffer frames seem to help out with more throughput.

    If I am mistaken in my advice above, please feel free to correct me guys.

  • Or if you want to stay with the 700 MHz box, get a crypto offload card… Something like a Soekris http://www.soekris.com/vpn1401.htm

    Then I would still recommend the Intel NICs like razor said. Considering that an Intel employee maintains the Intel driver...

  • You mention problems between 2 endpoints explicitly? Maybe investigate if there are line issues or if something is special about these endpoints (like running another firmware at their end or whatever).