Bug #15606

closed

Data transfer problems when using interface-bound states with automatic floating states for IPsec rules

Added by Craig Coonrad 5 months ago. Updated about 1 month ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 24.11
Release Notes: Force Exclusion
Affected Version: 2.8.0
Affected Architecture:

Description

Version: 24.03-RELEASE (amd64)
Platform: PVE/KVM

Test environment:

linux <--> pfSense <-- (IPsec VTI) --> pfSense <--> linux

Baseline test of iperf3 and sftp (1GB file) using floating states. (linux --> linux)
Accepted connection from 10.11.11.12, port 55973
[  5] local 10.10.10.11 port 5201 connected to 10.11.11.12 port 53279
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  81.6 MBytes   684 Mbits/sec
[  5]   1.00-2.00   sec  72.6 MBytes   609 Mbits/sec
[  5]   2.00-3.00   sec  61.9 MBytes   519 Mbits/sec
[  5]   3.00-4.00   sec  63.9 MBytes   536 Mbits/sec
[  5]   4.00-5.00   sec  72.2 MBytes   605 Mbits/sec
[  5]   5.00-6.00   sec  70.1 MBytes   588 Mbits/sec
[  5]   6.00-7.00   sec  61.8 MBytes   518 Mbits/sec
[  5]   7.00-8.00   sec  66.9 MBytes   561 Mbits/sec
[  5]   8.00-9.00   sec  82.9 MBytes   695 Mbits/sec
[  5]   9.00-10.00  sec  62.3 MBytes   522 Mbits/sec
[  5]  10.00-10.00  sec   171 KBytes   494 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.00  sec   696 MBytes   584 Mbits/sec                  receiver

sftp> put tstfile
Uploading tstfile to /home/ccoonrad/tstfile
tstfile                                                                                    100% 1024MB  64.9MB/s   00:15

Test switching state policy to interface with patch #15430 applied.
Accepted connection from 10.11.11.12, port 58451
[  5] local 10.10.10.11 port 5201 connected to 10.11.11.12 port 54957
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  64.5 KBytes   528 Kbits/sec
[  5]   1.00-2.00   sec  0.00 Bytes  0.00 bits/sec
[  5]   2.00-3.00   sec  0.00 Bytes  0.00 bits/sec
[  5]   3.00-4.00   sec  0.00 Bytes  0.00 bits/sec
[  5]   4.00-5.00   sec  0.00 Bytes  0.00 bits/sec
[  5]   5.00-6.00   sec  0.00 Bytes  0.00 bits/sec
[  5]   6.00-7.00   sec  0.00 Bytes  0.00 bits/sec
[  5]   7.00-8.00   sec  0.00 Bytes  0.00 bits/sec
[  5]   8.00-9.00   sec  0.00 Bytes  0.00 bits/sec
[  5]   9.00-10.00  sec  0.00 Bytes  0.00 bits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.00  sec  64.5 KBytes  52.8 Kbits/sec                  receiver

The sftp transfer starts in a stalled state (eventually something times out, and the transfer completes).
sftp> put tstfile
Uploading tstfile to /home/ccoonrad/tstfile
tstfile                                                                                      0%    0     0.0KB/s - stalled -

The pcaps for the iperf3 and sftp sessions both show the receiver sending a bunch of ACKs, followed by a bunch of TCP retransmits from the sender.
sender: 10.11.11.12
receiver: 10.10.10.11


Files

iperf3-interface-states.pcap (156 KB), iperf3 pcap, Craig Coonrad, 07/07/2024 08:12 PM
sftp-interface-states.pcap (160 KB), sftp pcap, Craig Coonrad, 07/07/2024 08:12 PM