I understand that Mikrotik says the ordering problem is being fixed (but when? ROS v7?). But can we temporarily get an option in the v6.x version to disable HW acceleration on the CCR platform, so that we can do software CBC on the CCR and hardware CBC on the hex 3r?

I vote for that as well!

My latest update from support on this (from yesterday) is:
"We are working on the ipsec problem right now."

I'm not sure what that means for timeline, but it does show they are giving attention to this issue that I brought up with them about 1 year ago now.

Just poking via ticket email.

Just poking via ticket email.

Any news on this poking??

Just poking via ticket email.

Any news on this poking??

I just replied to my ticket again for another update. I haven't heard from them in over a month. Maybe 6.39 will be the lucky release?

We are still working on ike2, right after this we will continue to work on reordering problem.

We will continue to work on this problem when ike2 main features will be finished.

My ticket on this as of 1/18/2017:

We will continue to work on this problem when ike2 main features will be finished.

The wait goes on.

We've been struggling to get GCM (i.e. software only encryption) working between our CCR1009s and Cisco ASAs. As such I'm in a real pickle having recommended Mikrotik.

We'll take any kind of workaround right now (e.g. run CCR1009 as single core router) until there is a proper fix.

For now, RB1100AHx2 is still the best router Mikrotik makes. Going down the Tilera path has been a mistake.

We've been struggling to get GCM (i.e. software only encryption) working between our CCR1009s and Cisco ASAs. As such I'm in a real pickle having recommended Mikrotik.

We'll take any kind of workaround right now (e.g. run CCR1009 as single core router) until there is a proper fix.

For now, RB1100AHx2 is still the best router Mikrotik makes. Going down the Tilera path has been a mistake.

I've tried to suggest the single core workaround without success. Try contacting support, a little more demand certainly can't hurt. What kind of throughput are you able to get out of IPSec on a RB1100AHx2?

We've been struggling to get GCM (i.e. software only encryption) working between our CCR1009s and Cisco ASAs. As such I'm in a real pickle having recommended Mikrotik.

We'll take any kind of workaround right now (e.g. run CCR1009 as single core router) until there is a proper fix.

For now, RB1100AHx2 is still the best router Mikrotik makes. Going down the Tilera path has been a mistake.

I've tried to suggest the single core workaround without success. Try contacting support, a little more demand certainly can't hurt. What kind of throughput are you able to get out of IPSec on a RB1100AHx2?

We get around 750mbit/sec with EoIP + IPSEC. Would get a bit more if we had used the correct ports according to the block diagram. We did contact support - same story, no timeframe for a fix but 1009/1016 will be sorted first.

750Mbit/sec EoIP + IPSec is pretty nice. I'm stuck with 14 of the 1009s doing 250Mbit at best. If I had known about the re-ordering issue before I deployed these 1009s, I'd be on the AHx2.
I think we are now going on over a year without resolution now and the CCR platform continues to be advertised as a high performance IPSec platform.

750Mbit/sec EoIP + IPSec is pretty nice. I'm stuck with 14 of the 1009s doing 250Mbit at best. If I had known about the re-ordering issue before I deployed these 1009s, I'd be on the AHx2.
I think we are now going on over a year without resolution now and the CCR platform continues to be advertised as a high performance IPSec platform.

Do you have issues in day-to-day operation or only when running benchmarks on Windows machines?
I ask because we use IPsec on CCR1009 without problem. But the traffic is from/to many different machines, not a single-connection-TCP-benchmark.
But even that works fine when between Linux systems.

We've been struggling to get GCM (i.e. software only encryption) working between our CCR1009s and Cisco ASAs. As such I'm in a real pickle having recommended Mikrotik.

We'll take any kind of workaround right now (e.g. run CCR1009 as single core router) until there is a proper fix.

For now, RB1100AHx2 is still the best router Mikrotik makes. Going down the Tilera path has been a mistake.

I've tried to suggest the single core workaround without success. Try contacting support, a little more demand certainly can't hurt. What kind of throughput are you able to get out of IPSec on a RB1100AHx2?

We get around 750mbit/sec with EoIP + IPSEC. Would get a bit more if we had used the correct ports according to the block diagram. We did contact support - same story, no timeframe for a fix but 1009/1016 will be sorted first.

750Mbit/sec EoIP + IPSec is pretty nice. I'm stuck with 14 of the 1009s doing 250Mbit at best. If I had known about the re-ordering issue before I deployed these 1009s, I'd be on the AHx2.
I think we are now going on over a year without resolution now and the CCR platform continues to be advertised as a high performance IPSec platform.

Glad to see this issue is getting attention still. Been waiting to see a fix on it ever since Alex brought it up at the 2016 US MUM.

What's new in 6.39rc51 (2017-Mar-10 12:50):

!) tile - fixed IPsec hardware acceleration out-of-order packet problem, significantly improved performance;

What's new in 6.39rc51 (2017-Mar-10 12:50):

!) tile - fixed IPsec hardware acceleration out-of-order packet problem, significantly improved performance;

 0  * name="default" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp1024
 
  0  D  ;;; XXX
       address=169.254.17.11/32 local-address=169.254.17.12 auth-method=pre-shared-key 
       secret="XXXXX" generate-policy=no policy-template-group=default exchange-mode=main 
       send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128,3des 
       dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5 

What's new in 6.39rc51 (2017-Mar-10 12:50):

!) tile - fixed IPsec hardware acceleration out-of-order packet problem, significantly improved performance;

Peer proposal is phase1 and has nothing to do with hardware acceleration. Phase2 proposal can be selected in "/ip ipsec proposal" menu, this is hardware acceleration related.

Nathan1, what sort of speeds are you getting per flow, and how high is the latency between the devices? At least there is some progress...

Nathan1, what sort of speeds are you getting per flow, and how high is the latency between the devices? At least there is some progress...

Latency is .7ms RTT and I was seeing around 300Mbit, very similar to the ctr. Blasting UDP peaks around 350Mbit, in clear I can push 1Gbit. I was only able to briefly test so hopefully someone can confirm or deny what I am seeing so I know which direction to go.

Nathan1, what sort of speeds are you getting per flow, and how high is the latency between the devices? At least there is some progress...

Latency is .7ms RTT and I was seeing around 300Mbit, very similar to the ctr. Blasting UDP peaks around 350Mbit, in clear I can push 1Gbit. I was only able to briefly test so hopefully someone can confirm or deny what I am seeing so I know which direction to go.

We currently get ~2Mbit file copies over a 85ms link, so I'll take 300 any day! You mentioned EoIP - are you seeing more than one core being maxed out during the UDP test?

Nathan1, what sort of speeds are you getting per flow, and how high is the latency between the devices? At least there is some progress...

Latency is .7ms RTT and I was seeing around 300Mbit, very similar to the ctr. Blasting UDP peaks around 350Mbit, in clear I can push 1Gbit. I was only able to briefly test so hopefully someone can confirm or deny what I am seeing so I know which direction to go.

We currently get ~2Mbit file copies over a 85ms link, so I'll take 300 any day! You mentioned EoIP - are you seeing more than one core being maxed out during the UDP test?

You can do 300 with the software encryption without the rc fix. What settings are you using? I use EoIP and a single core does max out with software but not hardware.

We were unable to get GCM working with the particular Cisco ASA version we have on the remote end, so we've been stuck using hardware encryption (aes-128-cbc). Most of our use case is high latency low bandwidth so not sure we can add much to the discussion right now.

We do run some RB1100AHx2 with a 1Gb link between our primary and DR site (EoIP) which we were hoping to replace with CCRs at some point. I'll try replacing them with some CCR1009s next week (with the RC code) to see if they work any better.

So I did some additional testing, I can actually push around 800Mbit with a UDP flow and CPU usage is pretty good. However, when I run a TCP benchmark, CPU usage is very high (networking/cpu under profile) which I believe is constraining the TCP throughput now. I think I may have an issue with fragmentation/DF/MSS that I am looking into.

Edit: I have confirmed that there is some issue with fragmentation in my setup during the hardware IPSec test. It is not clear what is going on but if I force the TCP MSS on iperf, I can confirm heavily increased throughput nearing the UDP test. It seems the increased CPU usage is due to the CCR being forced to fragment/reconstruct the TCP packets.

TLDR: This fix looks like what we have all been waiting for.

So I did some additional testing, I can actually push around 800Mbit with a UDP flow and CPU usage is pretty good. However, when I run a TCP benchmark, CPU usage is very high (networking/cpu under profile) which I believe is constraining the TCP throughput now. I think I may have an issue with fragmentation/DF/MSS that I am looking into.

Edit: I have confirmed that there is some issue with fragmentation in my setup during the hardware IPSec test. It is not clear what is going on but if I force the TCP MSS on iperf, I can confirm heavily increased throughput nearing the UDP test. It seems the increased CPU usage is due to the CCR being forced to fragment/reconstruct the TCP packets.

TLDR: This fix looks like what we have all been waiting for.

That's interesting. Any chance of doing a single-threaded windows copy (explorer/robobocopy) test? Very interested to see if it beats our ~450mbps result on the RB1100AHx2.

So I did some additional testing, I can actually push around 800Mbit with a UDP flow and CPU usage is pretty good. However, when I run a TCP benchmark, CPU usage is very high (networking/cpu under profile) which I believe is constraining the TCP throughput now. I think I may have an issue with fragmentation/DF/MSS that I am looking into.

Edit: I have confirmed that there is some issue with fragmentation in my setup during the hardware IPSec test. It is not clear what is going on but if I force the TCP MSS on iperf, I can confirm heavily increased throughput nearing the UDP test. It seems the increased CPU usage is due to the CCR being forced to fragment/reconstruct the TCP packets.

TLDR: This fix looks like what we have all been waiting for.

That's interesting. Any chance of doing a single-threaded windows copy (explorer/robobocopy) test? Very interested to see if it beats our ~450mbps result on the RB1100AHx2.

I would but I can't do it easily - I don't have any windows machines in my infrastructure.

So I did some additional testing, I can actually push around 800Mbit with a UDP flow and CPU usage is pretty good. However, when I run a TCP benchmark, CPU usage is very high (networking/cpu under profile) which I believe is constraining the TCP throughput now. I think I may have an issue with fragmentation/DF/MSS that I am looking into.

Edit: I have confirmed that there is some issue with fragmentation in my setup during the hardware IPSec test. It is not clear what is going on but if I force the TCP MSS on iperf, I can confirm heavily increased throughput nearing the UDP test. It seems the increased CPU usage is due to the CCR being forced to fragment/reconstruct the TCP packets.

TLDR: This fix looks like what we have all been waiting for.

That's interesting. Any chance of doing a single-threaded windows copy (explorer/robobocopy) test? Very interested to see if it beats our ~450mbps result on the RB1100AHx2.

I would but I can't do it easily - I don't have any windows machines in my infrastructure.

Itcould be great if anyone with 72core router could verify if it work,too.

We have deployed this to a couple of small, low bandwidth remote sites (CCR1009) and are happy to report that the performance is now exactly what it should be. Will hopefully do some testing this week with more throughput but so far so good..

We have deployed this to a couple of small, low bandwidth remote sites (CCR1009) and are happy to report that the performance is now exactly what it should be. Will hopefully do some testing this week with more throughput but so far so good..

@Ascendo: What throughput do you get with IPSec on CCR1009?

@All: Does anyone use CCR1009 with EoIP and IPSec enabled with latest software? What throughput do you get in this situation?

~2Gbps TCP 1360MSS

~2Gbps TCP 1360MSS

~2Gbps TCP 1360MSS

Has anyone tried GRE over IPSec transport? Or SMB traffic on windows clients? That's been what we have had issues with.

Looking forward to this fix filtering down - I'll be sorely tempted to use current rather than waiting for bugfix....

Itcould be great if anyone with 72core router could verify if it work,too.

Has anyone tried GRE over IPSec transport? Or SMB traffic on windows clients? That's been what we have had issues with.

Looking forward to this fix filtering down - I'll be sorely tempted to use current rather than waiting for bugfix....

Itcould be great if anyone with 72core router could verify if it work,too.

Has anyone tried GRE over IPSec transport? Or SMB traffic on windows clients? That's been what we have had issues with.

Looking forward to this fix filtering down - I'll be sorely tempted to use current rather than waiting for bugfix....

I'm using GRE with IPSEC. Also SMB traffic with Windows clients. I was able to get the RC loaded on a 1072 and a few 1036 CCRs this weekend. Initial testing shows that I can do at least the amount of throughput on hardware as software encryption was doing (CBC vs CTR), so that is a big step in the right direction. I have yet to do a capture and check how the packet order is looking. I'll try to do that soon. I'm not seeing anywhere near the throughput in an encrypted tunnel as am I in the same tunnel with encryption turned off. I don't know if that is directly related to the CCR1072 (since Mikrotik specifically asked about verifying it).

So I'm not ecstatic yet about the results, but I see that you guys are getting much more so maybe I have some more tweaking to do.

Should I expect this to be fixed on CCR1009-8G-1S-1S+? I haven't had a chance to test yet, but I ask because i notice this model isn't listed for sale anymore.

These are the results that I got before I sorted out my MTU. The fragmentation will fry it. Have you confirmed that you aren't getting fragmentation over the tunnel?

These are the results that I got before I sorted out my MTU. The fragmentation will fry it. Have you confirmed that you aren't getting fragmentation over the tunnel?

So far as I can tell, this is not the case. However, if you made changes and got the performance expected, perhaps I am missing something. Any advice?

It is like in any other configuration, adding simple queues or software queues on interface will significantly reduce performance. Stream is classified before encryption and all actions with packets from that stream are done on the same core.

It is like in any other configuration, adding simple queues or software queues on interface will significantly reduce performance. Stream is classified before encryption and all actions with packets from that stream are done on the same core.

That makes sense. This issue does indeed seem fixed to me. Im unfamiliar with how the releases go here, will this fix get pushed down to the bugfix line 6.37.x at some point?

I should expect the bigger CCR models with higher core counts to achieve higher total bandwidth (than the 1009) then with IPSEC+Queues as it does spread the streams among the cores correct?

It is like in any other configuration, adding simple queues or software queues on interface will significantly reduce performance. Stream is classified before encryption and all actions with packets from that stream are done on the same core.

That makes sense. This issue does indeed seem fixed to me. Im unfamiliar with how the releases go here, will this fix get pushed down to the bugfix line 6.37.x at some point?

I should expect the bigger CCR models with higher core counts to achieve higher total bandwidth (than the 1009) then with IPSEC+Queues as it does spread the streams among the cores correct?

I wouldn't get your hopes up too much about the higher core CCR's, I see the exact same thing you are seeing throughput wise. I am on 6.39rc58 on all of my devices (CCR1036 core and CCR1016 remote sites), but unfortunately even after trying all of the different hardware encryption combinations (SHA1/SHA256 and AES-128/192/256 CBC) I still cannot obtain an upload speed greater than around 42Mbps, but more realistically it sits about the mid 30's. I've been dealing with this problem since June of 2013 and with these updates I finally thought to myself "oh thank god they've finally got the problem fixed and I'll actually be able to use the full potential of my fiber connections", but that is not the case. Even with the re-ordering problem "fixed", I have seen zero difference whatsoever in upload throughput. In fact, I still get higher upload throughput using the software encryption. Even if I completely disable my queue trees, I see no changes in throughput. I do understand that having some queues, firewall/mangle rules, and connection tracking enabled will degrade performance, but I'm not sure that is even the cause of my issues here. I can still sit here and watch the state sequence errors increase while I try to upload a large file. It shouldn't be a fragmentation issue either as I've got mangle rules set up on both ends for MSS. I desperately would like to find a fix for this.

@Jocksor, unfortunately I'm not using EoIP. I'm just using the basic IPSec in tunnel mode. On the IPSec wiki page, there are some optimizations for the RB1100AHx2 to set the irq's, would this help on the CCR?

@Jocksor, unfortunately I'm not using EoIP. I'm just using the basic IPSec in tunnel mode. On the IPSec wiki page, there are some optimizations for the RB1100AHx2 to set the irq's, would this help on the CCR?

I tried some of those 1100 optimizations on the CCR, but in my case it didn't really make a difference.

on the 1100 and on CHR x86 systems turning RPS off and assigning 1 CPU core per interface, and setting everything else to a core unused by interfaces seemed to greatly improve performance in my case. RPS actually seems to work correctly on the CCR, at least under crypto and with the latest RC software.

By the way on your CCRs, what are you seeing for your download speeds now?

@Jocksor, unfortunately I'm not using EoIP. I'm just using the basic IPSec in tunnel mode. On the IPSec wiki page, there are some optimizations for the RB1100AHx2 to set the irq's, would this help on the CCR?

I tried some of those 1100 optimizations on the CCR, but in my case it didn't really make a difference.

on the 1100 and on CHR x86 systems turning RPS off and assigning 1 CPU core per interface, and setting everything else to a core unused by interfaces seemed to greatly improve performance in my case. RPS actually seems to work correctly on the CCR, at least under crypto and with the latest RC software.

By the way on your CCRs, what are you seeing for your download speeds now?

Unfortunately, I can really only do a speed test in one direction at the moment until all of my other fiber circuits get turned up. Currently my main site has a 100/200Mbps fiber connection and one of the remote sites has a 40/100Mbps fiber connection, so I'm fairly limited in the amount of testing I can do. Interestingly enough, I can run a tcp bandwidth test from the main site to the branch and can get like 75Mbps, but an SMB upload from a Windows 8 machine only gets the 35Mbps like I was saying. I'm going to do some more testing with various types of uploads like from a linux box, ftp, robocopy, etc to see if maybe that's where I'm hitting the wall.

6.39.x = WTF??? Where??? When???

Unless I'm blind I didn't see it mentioned in the system -> packages brief release notes.

Hi guys.
Do you have to change MSS to 1360, to achieve max performance or you still have reordering issue, if you don't change MSS... ?