Re: IPSec tcp session stalling

2005-10-22 Thread Michael VInce
I am using FAST_IPSEC on a multi subnet VPN with the guys on the other side having Check Point VPN / Firewall. It's a VPN that gets almost non-stop usage, the people on the other side have 24 monitoring utils on it and it's never had a problem. It's on 5.3 i386, and I fear to upgrade it, when it comes t

Re: Problem with firewall

2005-10-22 Thread Jayton Garnett
Andy Rozman (Aleksander) wrote: Hi ! I am sorry to post this message here, but I think that there are a lot of gurus here, who could help me without a problem. Till now I was running ipfw with a rule that allows all packets (from kernel) to pass through. In the last few weeks I started having pro

Re: IPSec tcp session stalling

2005-10-22 Thread Volker
Max & Co: I've just seen I'm using kernel config 'options IPSEC' on both machines. Should I try 'options FAST_IPSEC'? Would take some hours for kernel recompile. Does the code IPSEC / FAST_IPSEC make a difference (even while not having a hardware crypto accelerator)? May I use FAST_IPSEC even witho

Re: IPSec tcp session stalling

2005-10-22 Thread Volker
Max, I set sack.enable=0 on both FreeBSD machines but the same happens. Volker On 2005-10-23 00:40, Max Laier wrote: > To try something else: Could you guys try to disable SACK on the machines > involved? I haven't looked at the dumps as of yet, but that's one simple > test that might help t

Re: IPSec tcp session stalling

2005-10-22 Thread Max Laier
To try something else: Could you guys try to disable SACK on the machines involved? I haven't looked at the dumps as of yet, but that's one simple test that might help to identify the problem. sysctl net.inet.tcp.sack.enable=0 On Sunday 23 October 2005 02:23, Volker wrote: > Michael, > > I not

Re: IPSec tcp session stalling

2005-10-22 Thread Volker
Michael, I'm not that sure if I'm right in checking what you suggested but when trying to ping hostB from hostA with oversized packets through the IPSec tunnel by: # ping -c 10 -s 12000 10.128.6.1 I'm getting replies easily. While doing that and tcpdump'ing the gif interface, I'm seeing the fr

Re: IPSec tcp session stalling

2005-10-22 Thread Matthew Grooms
Mike & Volker, >Try sending different sized pings or other packet size control utils to >really make sure it's not MTU related. >Maybe there is an upstream router that's blocking ICMP fragment packets, >have you ever seen them? Try forcing the creation of some. > >Mike I am experiencing the sa

Re: Dependency between interfaces

2005-10-22 Thread Wojciech A. Koszek
On Sun, Oct 23, 2005 at 08:45:06AM +1300, Andrew Thompson wrote: > On Sat, Oct 22, 2005 at 01:37:35PM +, Wojciech A. Koszek wrote: > > On Fri, Oct 21, 2005 at 09:23:27AM +1300, Andrew Thompson wrote: > > > On Thu, Oct 20, 2005 at 08:20:34PM +, Wojciech A. Koszek wrote: > > > > Hello, > > >

Re: IPSec tcp session stalling ( me too ) ...

2005-10-22 Thread Matthew Grooms
Matthew Grooms wrote: Volker, ipfw is enabled. I use purely IPSEC so I would agree that GRE isn't the > problem. This behavior is 100% reproducible for me. If traffic is > forwarded from the host providing the ESP protection or if the Sorry, this should have read ... > problem. This behavior

IPSec tcp session stalling ( me too ) ...

2005-10-22 Thread Matthew Grooms
Volker, I have noticed the same problem. In my case, it only seems to happen when the traffic is being forwarded across interfaces and pf or ipfw is enabled. I use purely IPSEC so I would agree that GRE isn't the problem. This behavior is 100% reproducible for me. If traffic is forwarded

Re: IPSec tcp session stalling ( me too ) ...

2005-10-22 Thread Volker
Matthew, thanks for your reply. Glad to hear that I'm not the only one experiencing this problem. So the problem is IPSec + firewall but not related to pf or ipfw. Is it IPSec + bandwidth management?? I've tried a different test setup and just pushed a bunch of (/dev/random) data over a tcp conne

Re: Dependency between interfaces

2005-10-22 Thread Andrew Thompson
On Sat, Oct 22, 2005 at 01:37:35PM +, Wojciech A. Koszek wrote: > On Fri, Oct 21, 2005 at 09:23:27AM +1300, Andrew Thompson wrote: > > On Thu, Oct 20, 2005 at 08:20:34PM +, Wojciech A. Koszek wrote: > > > Hello, > > > > > [..] > > > > Is it still a problem or did you test on a pre r1.26

Re: IPSec tcp session stalling

2005-10-22 Thread Michael VInce
Try sending different sized pings or other packet size control utils to really make sure it's not MTU related. Maybe there is an upstream router that's blocking ICMP fragment packets, have you ever seen them? Try forcing the creation of some. Mike Volker wrote: Still having the same problem wi

Problem with firewall

2005-10-22 Thread Andy Rozman (Aleksander)
Hi ! I am sorry to post this message here, but I think that there are a lot of gurus here, who could help me without a problem. Till now I was running ipfw with a rule that allows all packets (from kernel) to pass through. In the last few weeks I started having problems, since I got quite a lot of pa

IPSec tcp session stalling

2005-10-22 Thread Volker
Still having the same problem with an IPSec tunnel between FreeBSD 5.4R hosts. Problem description: scp session tries to transfer a large file through an IPSec tunnel. The file is being transmitted but scp says 'stalled' after 56K (49152 bytes file size). The IPSec tunnel itself is still up even a

Re: Dependency between interfaces

2005-10-22 Thread Wojciech A. Koszek
On Fri, Oct 21, 2005 at 09:23:27AM +1300, Andrew Thompson wrote: > On Thu, Oct 20, 2005 at 08:20:34PM +, Wojciech A. Koszek wrote: > > Hello, > > [..] > > Is it still a problem or did you test on a pre r1.26 kernel? > Results from -CURRENT: I got panic if sk/rl modules are loaded, interfac

Re: mpd disconnect due to LCP echo not responding

2005-10-22 Thread Dominic Marks
On Thursday 20 October 2005 14:56, Gleb Smirnoff wrote: > Dominic, > > On Thu, Oct 20, 2005 at 02:29:19PM +0100, Dominic Marks wrote: > D> server) in to the Office. Sometimes when the link is busy the LCP > echos D> won't pass over the link quickly enough and the connection > will terminate. D>

Re: What's wrong with netgraph NG_FWD_NEW_DATA?

2005-10-22 Thread Gleb Smirnoff
On Mon, Oct 17, 2005 at 01:01:00PM +0300, Chris Dionissopoulos wrote: C> Trying to split inbound traffic based on layer2 characteristics, C> I have created a new netgraph module (ng_l2split) using C> ng_vlan(4) as reference. The design and implementation is C> pretty simple, as ng_vlan : C> C> xl0:up

Re: Dependency between interfaces

2005-10-22 Thread Wojciech A. Koszek
On Fri, Oct 21, 2005 at 09:23:27AM +1300, Andrew Thompson wrote: > On Thu, Oct 20, 2005 at 08:20:34PM +, Wojciech A. Koszek wrote: > > Hello, > > > > Is EVENTHANDLER(9) the proper way of notification for a standalone driver about > > network interface attach/detach operations? I've met a simple proble

Re: Dependency between interfaces

2005-10-22 Thread Wojciech A. Koszek
On Thu, Oct 20, 2005 at 01:25:44PM -0700, Brooks Davis wrote: > On Thu, Oct 20, 2005 at 08:20:34PM +, Wojciech A. Koszek wrote: > > Hello, > > > > Is EVENTHANDLER(9) the proper way of notification for a standalone driver about > > network interface attach/detach operations? I've met a simple problem i

Re: em(4) patch for test

2005-10-22 Thread Gleb Smirnoff
Michael, big thanks for a very detailed report! On your next test round, can you please also keep an eye on the CPU load. Is it increased measurably by the patch or not? Thanks again! -- Totus tuus, Glebius. GLEBIUS-RIPN GLEB-RIPE

Re: em(4) patch for test

2005-10-22 Thread Michael VInce
Gleb Smirnoff wrote: Colleagues, since the if_em problem was taken as a late showstopper for 6.0-RELEASE, I am asking you to help with testing of the fixes made in HEAD. Does your em(4) interface wedge for some time? Do you see a lot of errors in 'netstat -i' output? Do these errors inc