Community discussions

 
mikruser
Member Candidate
Member Candidate
Posts: 201
Joined: Wed Jan 16, 2013 7:28 pm
Reputation: 0

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Thu Dec 01, 2016 1:03 pm

pe1chl wrote:
sallen wrote:
I understand that Mikrotik says the ordering problem is being fixed (but when? ROS v7?). But can we temporarily get an option in the v6.x version to disable HW acceleration on the CCR platform, so that we can do software CBC on the CCR and hardware CBC on the hex 3r?


I vote for that as well!


it has already been proposed: viewtopic.php?f=1&t=113911
do not ask me why it is necessary.
 
mikruser
Member Candidate
Member Candidate
Posts: 201
Joined: Wed Jan 16, 2013 7:28 pm
Reputation: 0

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Thu Dec 01, 2016 1:06 pm

Why reordering issue occurs with hardware multicore, but not occurs with software multicore?
do not ask me why it is necessary.
 
th0massin0
Frequent Visitor
Frequent Visitor
Posts: 78
Joined: Sun May 11, 2014 4:16 am
Reputation: 2
Location: Poland

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Thu Dec 01, 2016 4:59 pm

It may be sticked to architecture (of CPU).
 
alexjhart
Member Candidate
Member Candidate
Posts: 155
Joined: Thu Jan 20, 2011 9:03 pm
Reputation: 8

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Thu Dec 01, 2016 10:56 pm

My latest update from support on this (from yesterday) is:
"We are working on the ipsec problem right now."

I'm not sure what that means for timeline, but it does show they are giving attention to this issue that I brought up with them about 1 year ago now.
-----
Alex Hart

The Brothers WISP
 
nathan1
newbie
Topic Author
Posts: 49
Joined: Sat Jan 16, 2016 8:05 pm
Reputation: 3

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Fri Dec 02, 2016 7:09 am

alexjhart wrote:
My latest update from support on this (from yesterday) is:
"We are working on the ipsec problem right now."

I'm not sure what that means for timeline, but it does show they are giving attention to this issue that I brought up with them about 1 year ago now.

Have you been poking them via email or did they reach out to you as an update? Crossing my fingers...
 
alexjhart
Member Candidate
Member Candidate
Posts: 155
Joined: Thu Jan 20, 2011 9:03 pm
Reputation: 8

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Wed Dec 14, 2016 7:35 pm

Just poking via ticket email.
-----
Alex Hart

The Brothers WISP
 
User avatar
pchott
newbie
Posts: 37
Joined: Tue Apr 29, 2014 11:15 am
Reputation: 0
Location: Holzkirchen, Germany

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Tue Jan 03, 2017 12:05 pm

alexjhart wrote:
Just poking via ticket email.


Any news on this poking??
 
alexjhart
Member Candidate
Member Candidate
Posts: 155
Joined: Thu Jan 20, 2011 9:03 pm
Reputation: 8

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Tue Jan 03, 2017 11:59 pm

pchott wrote:
alexjhart wrote:
Just poking via ticket email.


Any news on this poking??


I just replied to my ticket again for another update. I haven't heard from them in over a month. Maybe 6.39 will be the lucky release?
-----
Alex Hart

The Brothers WISP
 
alexjhart
Member Candidate
Member Candidate
Posts: 155
Joined: Thu Jan 20, 2011 9:03 pm
Reputation: 8

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Wed Jan 04, 2017 9:37 pm

alexjhart wrote:
pchott wrote:
alexjhart wrote:
Just poking via ticket email.


Any news on this poking??


I just replied to my ticket again for another update. I haven't heard from them in over a month. Maybe 6.39 will be the lucky release?


Support said:
We are still working on ike2, right after this we will continue to work on reordering problem.


If there last update was true, it seems like they must have taken time off to work on ike2 instead for a bit.
-----
Alex Hart

The Brothers WISP
 
nathan1
newbie
Topic Author
Posts: 49
Joined: Sat Jan 16, 2016 8:05 pm
Reputation: 3

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Thu Jan 19, 2017 4:13 am

My ticket on this as of 1/18/2017:
We will continue to work on this problem when ike2 main features will be finished.


The wait goes on.
 
alexjhart
Member Candidate
Member Candidate
Posts: 155
Joined: Thu Jan 20, 2011 9:03 pm
Reputation: 8

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Thu Jan 19, 2017 4:35 am

nathan1 wrote:
My ticket on this as of 1/18/2017:
We will continue to work on this problem when ike2 main features will be finished.


The wait goes on.


Thanks for joining in the struggle to get this fixed. Don't forget to update your starting post in the thread.
-----
Alex Hart

The Brothers WISP
 
alexjhart
Member Candidate
Member Candidate
Posts: 155
Joined: Thu Jan 20, 2011 9:03 pm
Reputation: 8

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Tue Feb 14, 2017 8:02 pm

My last update says they're still working on ike2, but they will try to fix this in "one of the next versions". Unfortunately, the fix will be for lower core routers (CCR1009 and CCR1016) first. "Because solution for these routers are almost ready. For others, not yet." Hopefully support for the more expensive 1036 and 1072 will follow shortly after. We'll see. I'm not sure what the technical explanation is for not being able to do all at once.
-----
Alex Hart

The Brothers WISP
 
Ascendo
newbie
Posts: 30
Joined: Sun Sep 09, 2012 12:06 pm
Reputation: 0

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Fri Feb 17, 2017 9:32 am

We've been struggling to get GCM (i.e. software only encryption) working between our CCR1009s and Cisco ASAs. As such I'm in a real pickle having recommended Mikrotik.

We'll take any kind of workaround right now (e.g. run CCR1009 as single core router) until there is a proper fix.

For now, RB1100AHx2 is still the best router Mikrotik makes. Going down the Tilera path has been a mistake.
 
nathan1
newbie
Topic Author
Posts: 49
Joined: Sat Jan 16, 2016 8:05 pm
Reputation: 3

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Fri Feb 17, 2017 6:20 pm

Ascendo wrote:
We've been struggling to get GCM (i.e. software only encryption) working between our CCR1009s and Cisco ASAs. As such I'm in a real pickle having recommended Mikrotik.

We'll take any kind of workaround right now (e.g. run CCR1009 as single core router) until there is a proper fix.

For now, RB1100AHx2 is still the best router Mikrotik makes. Going down the Tilera path has been a mistake.


I've tried to suggest the single core workaround without success. Try contacting support, a little more demand certainly can't hurt. What kind of throughput are you able to get out of IPSec on a RB1100AHx2?
 
Ascendo
newbie
Posts: 30
Joined: Sun Sep 09, 2012 12:06 pm
Reputation: 0

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Fri Feb 17, 2017 7:34 pm

nathan1 wrote:
Ascendo wrote:
We've been struggling to get GCM (i.e. software only encryption) working between our CCR1009s and Cisco ASAs. As such I'm in a real pickle having recommended Mikrotik.

We'll take any kind of workaround right now (e.g. run CCR1009 as single core router) until there is a proper fix.

For now, RB1100AHx2 is still the best router Mikrotik makes. Going down the Tilera path has been a mistake.


I've tried to suggest the single core workaround without success. Try contacting support, a little more demand certainly can't hurt. What kind of throughput are you able to get out of IPSec on a RB1100AHx2?


We get around 750mbit/sec with EoIP + IPSEC. Would get a bit more if we had used the correct ports according to the block diagram. We did contact support - same story, no timeframe for a fix but 1009/1016 will be sorted first.
 
nathan1
newbie
Topic Author
Posts: 49
Joined: Sat Jan 16, 2016 8:05 pm
Reputation: 3

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Fri Feb 17, 2017 7:55 pm

Ascendo wrote:
nathan1 wrote:
Ascendo wrote:
We've been struggling to get GCM (i.e. software only encryption) working between our CCR1009s and Cisco ASAs. As such I'm in a real pickle having recommended Mikrotik.

We'll take any kind of workaround right now (e.g. run CCR1009 as single core router) until there is a proper fix.

For now, RB1100AHx2 is still the best router Mikrotik makes. Going down the Tilera path has been a mistake.


I've tried to suggest the single core workaround without success. Try contacting support, a little more demand certainly can't hurt. What kind of throughput are you able to get out of IPSec on a RB1100AHx2?


We get around 750mbit/sec with EoIP + IPSEC. Would get a bit more if we had used the correct ports according to the block diagram. We did contact support - same story, no timeframe for a fix but 1009/1016 will be sorted first.


750Mbit/sec EoIP + IPSec is pretty nice. I'm stuck with 14 of the 1009s doing 250Mbit at best. If I had known about the re-ordering issue before I deployed these 1009s, I'd be on the AHx2.
I think we are now going on over a year without resolution now and the CCR platform continues to be advertised as a high performance IPSec platform.
 
pe1chl
Forum Guru
Forum Guru
Posts: 2140
Joined: Mon Jun 08, 2015 12:09 pm
Reputation: 31

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Fri Feb 17, 2017 8:12 pm

nathan1 wrote:
750Mbit/sec EoIP + IPSec is pretty nice. I'm stuck with 14 of the 1009s doing 250Mbit at best. If I had known about the re-ordering issue before I deployed these 1009s, I'd be on the AHx2.
I think we are now going on over a year without resolution now and the CCR platform continues to be advertised as a high performance IPSec platform.

Do you have issues in day-to-day operation or only when running benchmarks on Windows machines?
I ask because we use IPsec on CCR1009 without problem. But the traffic is from/to many different machines, not a single-connection-TCP-benchmark.
But even that works fine when between Linux systems.
 
nathan1
newbie
Topic Author
Posts: 49
Joined: Sat Jan 16, 2016 8:05 pm
Reputation: 3

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Fri Feb 17, 2017 8:21 pm

pe1chl wrote:
nathan1 wrote:
750Mbit/sec EoIP + IPSec is pretty nice. I'm stuck with 14 of the 1009s doing 250Mbit at best. If I had known about the re-ordering issue before I deployed these 1009s, I'd be on the AHx2.
I think we are now going on over a year without resolution now and the CCR platform continues to be advertised as a high performance IPSec platform.

Do you have issues in day-to-day operation or only when running benchmarks on Windows machines?
I ask because we use IPsec on CCR1009 without problem. But the traffic is from/to many different machines, not a single-connection-TCP-benchmark.
But even that works fine when between Linux systems.


We only have Linux machines but we have a lot of non-TCP flows, which the issue wreaks havoc on. Linux does cope well with the TCP re-ordering but it creates a very unstable flow, bandwidth and window sizes fluctuate significantly. At this point I have just entirely disabled the hardware acceleration and the network is very stable but throughput is lower than the physical capability. The biggest show stopper was with OSPF running over the EoIP sessions, it caused constant flapping and made for complete instability of the routing core and in turn the network.
 
alexjhart
Member Candidate
Member Candidate
Posts: 155
Joined: Thu Jan 20, 2011 9:03 pm
Reputation: 8

Re: RE: Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Fri Feb 17, 2017 8:33 pm

nathan1 wrote:
Ascendo wrote:
nathan1 wrote:
Ascendo wrote:
We've been struggling to get GCM (i.e. software only encryption) working between our CCR1009s and Cisco ASAs. As such I'm in a real pickle having recommended Mikrotik.

We'll take any kind of workaround right now (e.g. run CCR1009 as single core router) until there is a proper fix.

For now, RB1100AHx2 is still the best router Mikrotik makes. Going down the Tilera path has been a mistake.


I've tried to suggest the single core workaround without success. Try contacting support, a little more demand certainly can't hurt. What kind of throughput are you able to get out of IPSec on a RB1100AHx2?


We get around 750mbit/sec with EoIP + IPSEC. Would get a bit more if we had used the correct ports according to the block diagram. We did contact support - same story, no timeframe for a fix but 1009/1016 will be sorted first.


750Mbit/sec EoIP + IPSec is pretty nice. I'm stuck with 14 of the 1009s doing 250Mbit at best. If I had known about the re-ordering issue before I deployed these 1009s, I'd be on the AHx2.
I think we are now going on over a year without resolution now and the CCR platform continues to be advertised as a high performance IPSec platform.


That's absolutely the case here too. We went with the tilera chip because of the promised hardware encryption throughput, but don't get it because of this driver problem. Unfortunately, we spent even more on 1036 and 1072 units. Insult to injury, they'll be the last to be fixed. I started reporting the issue to mikrotik well over 1 year ago. In the case of 10Gbps interfaces, we don't even have the option to replace with the AHx2. So I'm stuck waiting for them to get their act together or going with a different vendor.
-----
Alex Hart

The Brothers WISP
 
User avatar
IPANetEngineer
Forum Veteran
Forum Veteran
Posts: 805
Joined: Fri Aug 10, 2012 6:46 am
Reputation: 87
Location: Jackson, MS, USA
Contact:

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Wed Feb 22, 2017 11:47 pm

Glad to see this issue is getting attention still. Been waiting to see a fix on it ever since Alex brought it up at the 2016 US MUM.
Expert consulting in | BGP | MPLS | OSPF | Se Habla Español 1-855-645-7684
http://www.iparchitechs.com #1 ranked MikroTik consulting firm in North America

Image
 
Ascendo
newbie
Posts: 30
Joined: Sun Sep 09, 2012 12:06 pm
Reputation: 0

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Thu Feb 23, 2017 9:34 pm

IPANetEngineer wrote:
Glad to see this issue is getting attention still. Been waiting to see a fix on it ever since Alex brought it up at the 2016 US MUM.


An actual update from Mikrotik staff would be great...

Who is online

Users browsing this forum: No registered users and 8 guests