Bug #12026

open

Applying IPsec settings for many tunnels is slow or times out

Added by Viktor Gurov about 2 months ago. Updated 1 day ago.

Status: Feedback
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 06/11/2021
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 21.09
Release Notes: Default
Affected Version: 2.6.0
Affected Architecture:

Description

This is an additional optimization for #11795:

1. `ipsec_get_phase1_src()` - always executes `get_interface_ip/ipv6`, even if no appropriate protocol is selected
2. `ipsec_setup_secrets()` - always writes CRL files, even if there is no PH1 cert authentication
3. `resolve_retry()` - setting `$retries = 10` can significantly improve FQDN resolution time:

```
# trying to resolve non-existent "agdfasdfsdf.netgate.com":
# time php -f resolve50retries.php
0.176u 0.047s 0:18.14 1.1%    4588+402k 91+0io 0pf+0w
# time php -f resolve10retries.php
0.136u 0.045s 0:03.36 5.0%    3968+364k 51+0io 0pf+0w
```


Related issues

Related to Bug #12195: IPsec always writes CRL files (Pull Request Review)
Related to Bug #12196: Gateway Timeout error if DNS server is not available and remote gateway = FQDN (Pull Request Review)

#2

Updated by Jim Pingle 14 days ago

  • Status changed from New to Pull Request Review
  • Assignee set to Jim Pingle
  • Target version set to 2.6.0
  • Plus Target Version set to 21.09
#3

Updated by Jim Pingle 10 days ago

  • Status changed from Pull Request Review to In Progress

I've got some ongoing work I'm doing which is going to conflict with some of that PR. Won't know exactly how badly until I'm finished, but it may not be necessary at all.

#4

Updated by Jim Pingle 6 days ago

  • Subject changed from Optimize applying IPsec settings for more than ~30 tunnels to Applying IPsec settings for many tunnels is slow or times out

Updating subject for release notes.

#5

Updated by Jim Pingle 6 days ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100
#6

Updated by Viktor Gurov 5 days ago

Jim Pingle wrote in #note-5:

Applied in changeset bec6dcfbbef4832b34d47ca60b0671b23dc185d8.

  • 1. `ipsec_get_phase1_src()` - always executes `get_interface_ip/ipv6`, even if no appropriate protocol is selected
    - I see a fix for this issue in this commit
  • 2. `ipsec_setup_secrets()` - always writes CRL files, even if there is no PH1 cert authentication
  • 3. `resolve_retry()` - set `$retries = 10` it can significantly improve FQDN resolution time:
    - but not for these two
#7

Updated by Jim Pingle 3 days ago

Viktor Gurov wrote in #note-6:

  • 2. `ipsec_setup_secrets()` - always writes CRL files, even if there is no PH1 cert authentication
  • 3. `resolve_retry()` - set `$retries = 10` it can significantly improve FQDN resolution time:
    - but not for these two

I didn't change those as they didn't appear to slow things down in my testing. They were not the primary causes of slowness I observed, anyhow. Though I didn't try with a failed DNS setup.

We can still do those, but they may be better suited for separate Redmine issues if we decide to implement them. We should only have one change per issue to avoid cases like this where multiple suggestions are put into one place and there isn't a way to track them individually, as really those are separate bugs/optimizations.

#8

Updated by Viktor Gurov 1 day ago

  • Related to Bug #12195: IPsec always writes CRL files added
#9

Updated by Viktor Gurov 1 day ago

  • Related to Bug #12196: Gateway Timeout error if DNS server is not available and remote gateway = FQDN added
#10

Updated by Viktor Gurov 1 day ago

New issues: #12195 and #12196
