CCR Single Stream TCP through Tunnel very slow (355KB/s)

moep · December 14, 2016, 6:32pm

Hello everyone,

I have a problem regarding CCR tunnel (upload) speeds.
I have a dual wan setup.
wan1 is 10Mbit/s up and 50Mbit/s down
wan2 is 25Mbit/s up and 200Mbit/s down
there is remote site connected with two ipsec tunnels to the main site (one to wan1 and one to wan2)
inside these tunnels there is an IPIP tunnel which runs ospf
there are policy routing rules to send specific traffic over the wan2 ipip tunnels (namely SMB traffic)

before v6.37(.3) I had an OVPN tunnel in place instead of IPsec which was easily capable of pushing the 25Mbit/s upload to the remote side.
now there is IPsec in place an the speed drops to (best case) 355KByte/s / 2,x Mbit/s

strange thing is, if i change the tunnel back to ovpn it stays at the same speed. does anybosy else also has this problem?

moep · December 17, 2016, 5:37pm

the other end is RB3011
i tried to disable hardware accleerated ciphers (switched to AES-CTR) but nothing changed
i even swtched back again to ovpn but single stream performance is still abysmal

BlackVS · December 18, 2016, 5:34am

Due to single TCP stream my question is what is the ping delay between sites?
Search forum on “CCR reordering packets problem” and change from hardware coded encryption (CBC) to the software one (for example CTR or Camelia) (there are no more solutions known to fix this at this moment)

moep · January 13, 2017, 10:09pm

The delay is normal at around 50ms

It worked!
I changed the cipher from AES256-CBC to AES256-CTR an left everything else the way it was. Now I get full speed (with obviously increased CPU load)
I hope this gets fixed soon.

alexjhart · February 9, 2017, 10:07pm

I agree
Related thread for others on this issue: http://forum.mikrotik.com/t/is-re-ordering-fixed-yet-with-ipsec-and-hardware-acceleration-updating-thread/101814/1