Eugene Grosbein <eu...@grosbein.net> wrote:
> 22.12.2017 4:59, Michael Grimm wrote:

>>> Make sure and double check that your ESP packets do not get fragmented.
>>
>> Hmm, I do not know how to achieve that. May the following tcpdump excerpts
>> answer your question, or do you want me to look somewhere else?
>>
>> At hostA while downloading from hostB/jailX and "tcpdump -i extIF esp -vv"
>>
>> 22:52:42.341023 IP (tos 0x0, ttl 64, id 40481, offset 0, flags [none], proto ESP (50), length 140)
>>     hostA > hostB: ESP(spi=0x01d9ec34,seq=0x5fe699), length 120
>> 22:52:42.341079 IP (tos 0x0, ttl 53, id 64310, offset 1480, flags [none], proto ESP (50), length 100)
>>     hostB > hostA: ip-proto-50
>
> It shows non-zero offsets, so your ESP packets *are* fragmented.
> I guess, this is the reason of your problems as fragmented ESP packets are
> known to cause problems due to different reasons. Simplest way to avoid such
> issues is to decrease MTU of IPSEC tunnel and/or TCP MSS so that encapsulated
> ESP packets do not get fragmented.

Well, you already helped me out with IPSEC very recently, and I already did decrease my MTU from 1500 to 1490. That increased my tunnel performance dramatically, already. Thanks, I will decrease MTU further.

BUT: In this thread I did report that I already had decreased MTU for testing purposes on all involved interfaces down to 1400 to no avail, and that my performance issue is regarding downloads within VNET jails using TCP, not ESP. The very same external interfaces do not show a performance drop if connected via ESP tunnel, but when trying to download files from the internet, and only when the download is started within a VNET jail. At the host downloads are only limited by the bandwidth provided by the hosting company.

BUT: It might well be that I did completely misunderstand your reply instead ;-)

Thanks and regards,
Michael
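
The check applied by eye in the quoted reply (a non-zero offset marks a fragment) can be scripted over `tcpdump -vv` text output. The following is an added example, not part of the original message: the function names `find_esp_fragments` and `sample_capture` are hypothetical, the first-fragment line in the sample is constructed (the message only shows the trailing fragment), and the size calculation assumes a 20-byte IPv4 header without options.

```shell
#!/bin/sh
# Report fragmented ESP datagrams found in "tcpdump -vv" text output on stdin.
# A packet is a fragment when its offset is non-zero or the MF flag ("+") is set.
find_esp_fragments() {
    awk '
    / IP \(tos .*proto ESP \(50\)/ {
        match($0, /, id [0-9]+/);       id  = substr($0, RSTART + 5, RLENGTH - 5)
        match($0, /, offset [0-9]+/);   off = substr($0, RSTART + 9, RLENGTH - 9) + 0
        match($0, /, length [0-9]+\)/); len = substr($0, RSTART + 9, RLENGTH - 10) + 0
        mf = ($0 ~ /flags \[[^]]*\+/)       # "+" inside flags [...] is More Fragments
        if (off == 0 && !mf) next           # complete, unfragmented datagram
        frags[id]++
        # Last fragment (MF clear): original size = offset + payload + 20-byte header,
        # and payload = len - 20, so the sum is simply offset + len.
        if (!mf) total[id] = off + len
    }
    END {
        for (id in frags)
            printf "id=%s fragments=%d original_ip_length=%s\n", id, frags[id],
                   ((id in total) ? total[id] : "unknown")
    }'
}

# Sample input: the first and last header lines are the ones quoted in the
# message; the middle packet (id 64310, flags [+]) is constructed to stand in
# for the leading fragment that the excerpt does not show.
sample_capture() {
    cat <<'EOF'
22:52:42.341023 IP (tos 0x0, ttl 64, id 40481, offset 0, flags [none], proto ESP (50), length 140)
    hostA > hostB: ESP(spi=0x01d9ec34,seq=0x5fe699), length 120
22:52:42.341070 IP (tos 0x0, ttl 53, id 64310, offset 0, flags [+], proto ESP (50), length 1500)
    hostB > hostA: ESP(spi=0x00000000,seq=0x0), length 1480
22:52:42.341079 IP (tos 0x0, ttl 53, id 64310, offset 1480, flags [none], proto ESP (50), length 100)
    hostB > hostA: ip-proto-50
EOF
}

sample_capture | find_esp_fragments
```

For the trailing fragment quoted in the message this gives an outer IP packet of 1580 bytes before fragmentation, which is the figure to compare against the path MTU when choosing a lower tunnel MTU or TCP MSS.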