leonset
Member Candidate
Topic Author
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Mangle rules hurts performance by 50% (Clear DF, change MSS)

Thu Jul 25, 2013 1:44 pm

Hello,

I've been doing some testing with a new IPSec deployment using RB1000 with 20MBits WAN in one end and RB450G with 100/10 FTTH in the other. Enabling "Clear DF" in RB1000 cuts performance in half, in my case from nearly 15MBits/s to somewhere around 8MBits/s. CPU at RB1000 sits below 5% and at RB450G it's below 35% (has no hardware acceleration for IPSec).

If I upload just one file using FTP I can see that ~50% performance drop, but if I upload more files at once the performance drop is LOWER, i.e. uploading 4 files sees only a ~35% reduction in upload speed.

Is that an expected behavior?
Thanks!
 
leonset
Member Candidate
Topic Author
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Mangle rules hurts performance by 50% (Clear DF, change

Thu Jul 25, 2013 3:41 pm

Just to clarify some points:

- Traffic is uploaded from RB1000 to RB450G: RB1000 encrypts IPSec and RB450G decrypts it.
- The Mangle rules decrease performance even if the traffic is not matched by the rule. Just having the rule there drops performance.
- This problem ONLY affects IPSec flows. Using the same setup but accessing FTP using the external/real IPs has no drop in performance.
- The mangle rules are applied in only RB1000.
- I have no other settings in these routers besides the minimal setup for the IPSec tunnel, a couple of autocreated changeMSS and a masquerade rule in RB450G.

Thanks!
 
bysard
Member Candidate
Posts: 295
Joined: Thu Apr 22, 2010 2:53 pm

Re: Mangle rules hurts performance by 50% (Clear DF, change

Thu Jul 25, 2013 3:44 pm

What RoS version are you using?
 
leonset
Member Candidate
Topic Author
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Mangle rules hurts performance by 50% (Clear DF, change

Thu Jul 25, 2013 4:07 pm

RB1000 v5.25
RB450g v6.0

I'll upgrade RB1000 to v6 in a while and test again.
 
bysard
Member Candidate
Posts: 295
Joined: Thu Apr 22, 2010 2:53 pm

Re: Mangle rules hurts performance by 50% (Clear DF, change

Fri Jul 26, 2013 10:20 am

> RB1000 v5.25
> RB450g v6.0
>
> I'll upgrade RB1000 to v6 in a while and test again.

Frankly I wouldn't. I would use 5.25 on both until further notice from MikroTik staff.

EDIT: I'm seeing the exact same problem on my RB1100U, I just couldn't connect it to anything until now. If I disable all mangle rules except automatic ones, the router drops CPU load by ca. 25%. I could also get 100% CPU easily just by sending some data from one port to another (different subnets). Do you also have any firewall logging rules?


br,

bysaRD
Last edited by bysard on Wed Aug 07, 2013 12:25 am, edited 1 time in total.
 
leonset
Member Candidate
Topic Author
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Mangle rules hurts performance by 50% (Clear DF, change

Fri Jul 26, 2013 12:59 pm

Hi,

No, I have no logging rules, just the bare minimum for this test. As this is a test environment I can up or downgrade freely so I'm going to do it now and test it again.

thanks
 
leonset
Member Candidate
Topic Author
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Mangle rules hurts performance by 50% (Clear DF, change

Fri Jul 26, 2013 4:10 pm

Update:

- It works ok with RouterOS 6.0 in RB1000.
- Downgraded to v5.25 with the same config and I got a performance drop of ~50%
- Under v5.25, changed encryption algorithm from AES-128 to Camellia-128. There was NO performance drop at all (but CPU usage rose to ~20% as only AES is hardware accelerated)
- Upgraded RB1000 to v6.0 again, Camellia-128 performance slightly lower than v5.25, AES-128 performance was perfect (no performance drop at all)

(my) Conclusions:

There's a problem in v5.25 (and possibly with other v5.xx firmwares) with the hardware-accelerated encryption engine of the RB1000 when using AES algorithm for IPSec and Mangle rules (tested with Clear DF and Change MSS) which causes a performance drop of ~50% but it is solved in v6.0. Don't use v6.1 for IPSec as it has some known bugs (which are announced to be resolved in v6.2).
