IPSec with pfSense 1.2-BETA-1 on Soekris 4801 crash & reboot problem
-
Hi,
I have a pretty weird problem:
pfSense 1.2-BETA-1
Soekris 4801 with 1G CF
Topology:
2 pfSense connected with CARP (data center side)
1 pfSense at the office side
I have set up IPsec between the office side and the data center side, using the CARP IP.
The tunnel is up and running.
I tried to download a big file from the data center side; after a few seconds the office side pfSense is crashing and rebooting…
I tried to replace the hardware at the office side - the same. Rebooting!
I tried an OpenVPN tunnel, the same hardware, same topology and same file - working just fine... (although the CPU utilization is close to 100%....)
Any ideas?
Is the IPSec too hard on the Soekris CPU?
-
VPN is hard on a 4801, especially if you're using 3DES. You'll get much better performance using anything other than DES and 3DES, though you still aren't going to be able to get more than about 4 Mb of IPsec through a 4801. The crypto is too much for its CPU at any higher speeds. Granted, it shouldn't reboot. I've done a lot of stress testing of a 4801 with IPsec the last couple weeks and never made it reboot.
If you want to squeeze a bit more performance out of a 4801, a Hifn crypto card should provide a nice boost. I have an old Soekris vpn1211 and it increases VPN throughput with 3DES (this old card only accelerates DES and 3DES) to over 6.5 Mb.
You sure you have a solid power supply? Soekris and WRAP hardware getting flaky under high load is a sign of a weak or flaky power supply.
-
Well, thanx! ::)
I'm now having reboots during changing interface properties and stuff, up until getting kernel traps…
I'm using 1.2-BETA-1, maybe it has some issues with the Soekris?
Maybe my CF is doing crazy stuff, or the power supply, as you suggest (although it's the one sent by Soekris) or maybe hardware fault (I have 3 new boxes, I can try them out).
I have to find out what is going on....
-
> I'm now having reboots during changing interface properties and stuff, up until getting kernel traps…

Are you using CARP? That sounds like the CARP issue that's been fixed in recent snapshots.

> I'm using 1.2-BETA-1, maybe it has some issues with the Soekris?

Definitely not the case, that's what I've been doing all my testing with.
-
I've got some WRAP boards that are very similar to the Soekris 4801. 128MB RAM and 266 MHz. I had a problem with 3DES VPN rebooting them if I sustained VPN traffic for more than about 10 seconds if the other side was capable of handling more than about 4 mb/s. With a VPN1411 card in each, I sustained almost 9 mb/s with no reboots between 2 of them. This was not with the new beta version though. I haven't run it on an embedded platform yet. Here's the thread on my throughput testing.