On Fri, Aug 11, 2023 at 01:08:07PM +0200, Marko Cupać said:
Are there any commands I can run which would indicate ipsec traffic is
being throttled due to hardware being underspecced? top shows CPU is
more than 50% idle. netstat shows ~10000 Ierrs / Ifail (no Oerrs /
Ifail) on interfaces that deal with ipsec for two months worth of
uptime.

I believe the crypto work will show up as system% in systat(1) and top(1). I'm not sure if it is still the case but at one point it was single-threaded.

Would replacing Xeon box with AMD EPYC 7262 likely result in an
improvement? Should I go for some NICs other than bge? What hardware do
I need at Hub location to accommodate ~400Mbit/s of ipsec
bidirectionally?

I would start by testing your throughput without ipsec to a system on your local ethernet segment. Maybe using something like iperf. If you can exceed your ipsec throughput you know it probably isn't the NIC
driver.  Try to set it up so you are testing forwarding performance.
I have a Xeon D-1521 with ix(4) NICs and I can forward enough (unencrypted traffic) to saturate the 1Gbe ports on the switch.

--
Please direct replies to the list.
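As an added example (not from this thread), here is a small shell helper that turns the Ierrs/Ifail counters mentioned above into an error rate per input packet, so a figure like ~10000 errors can be judged against the interface's total traffic. The netstat -i column layout (counters in the last five columns) and the sample counters are assumed and constructed.

```shell
#!/bin/sh
# Added example, not part of the original thread. Computes input-error rate per
# interface from `netstat -i` style output. Assumed column layout:
#   Name Mtu Network [Address] Ipkts Ierrs Opkts Oerrs Colls
# (newer OpenBSD labels the same columns Ifail/Ofail; the positions are identical).
# Counters are read from the end of the line so a missing Address column is harmless.

# Constructed sample standing in for real `netstat -i` output.
SAMPLE_NETSTAT='Name    Mtu   Network     Address              Ipkts Ierrs    Opkts Oerrs Colls
bge0    1500  <Link>      00:11:22:33:44:55 2100000000 10000 1900000000     0     0
bge1    1500  <Link>      00:11:22:33:44:66   50000000    50   49000000     0     0
lo0     32768 <Link>                             123456     0     123456     0     0'

# ierr_report NETSTAT_OUTPUT [THRESHOLD_PPM]
# Prints "iface ierrs ipkts ppm" for every interface whose input errors, in
# parts per million of input packets, reach THRESHOLD_PPM (default 1).
# Interfaces that have received no packets are skipped.
ierr_report() {
    printf '%s\n' "$1" | awk -v thr="${2:-1}" '
        NR == 1 { next }                 # header row
        NF < 8  { next }                 # row lacks the counter columns
        {
            ipkts = $(NF-4); ierrs = $(NF-3)
            if (ipkts == 0) next
            ppm = ierrs * 1000000 / ipkts
            if (ppm >= thr) printf "%s %d %d %.2f\n", $1, ierrs, ipkts, ppm
        }'
}

# Stand-alone run over the constructed sample (replace with "$(netstat -i)" on a live box).
ierr_report "$SAMPLE_NETSTAT" 1
```

For a live system pass `"$(netstat -i)"` as the first argument; per-address rows netstat prints for the same interface repeat that interface's counters, so read one row per interface.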