Project

General

Profile

Actions
Copy link

Regression #13345

closed

IPSEC tunnel loosing packets after upgrade to 22.05 between NG 1100 and NG 7100

Added by Lars Lindley almost 3 years ago. Updated almost 3 years ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Release Notes:
Default
Affected Plus Version:
Affected Architecture:
SG-1100

Description

After upgrading i noticed horrible performance over the tunnel to work.
ping gives loss and hundreds and thousands of ms.
Ping with tunnel in bad state
I tried changing around the ciphers but only way to fix the problem I've found so far is to reboot the 1100.
That will get me solid 8ms pings and no drops for a while. (This morning less than an hour before the.)
That makes me suspect the problem is with the 1100 and not the 7100 at the office.
At home I have 250/250 fiber and at work 1G/1G fiber. No speed problems are observed outside the tunnel.
At first I thought it could be related to the 2100 MBUF issue but MBUF Usage is only 7% (1526/20428) with the tunnel in the bad state.
SafeXcel is active and the tunnel is configured with:
P1 IKEv2, Mutual PSK, AES128-GCM, 128 bits, sha384, DH 14.
P2 ESP, AES128-GCM, 128bits, PFS 14

I tried AES-CBC, DH 21 and PFS 21, SHA256 and some variations but just restarting the tunnel to get the new values doesnt't help.
I will try changing to cbc and restarting the fw and see if it degrades again.

Please let me know what more info you want me to supply to pin down the problem.

Regards, Lars

Files

clipboard-202207080940-bwkrg.png (15.9 KB) clipboard-202207080940-bwkrg.png Ping with tunnel in bad state Lars Lindley, 07/08/2022 02:40 AM
Actions
Copy link
 #1

Updated by Jim Pingle almost 3 years ago

  • Status changed from New to Not a Bug

There isn't enough information here to classify this as a bug, and we can't reproduce that in lab conditions. It's entirely possible it's a symptom of some other unrelated issue (e.g. pfBlockerNG or some other service consuming lots of CPU). This site is not for support or diagnostic discussion, however, so it's not the place to continue the conversation.

For assistance in solving problems, please post on the Netgate Forum or the pfSense Subreddit . If you have a support subscription for those devices, you can also contact TAC for assistance.

See Reporting Issues with pfSense Software for more information.

If we can identify an actionable bug after discussing and diagnosing the issue further, we can create a new issue with a more accurate description and method to reproduce.

Actions
Copy link

Also available in: Atom PDF