IPSec tunnel is very slow in one direction

Hi,
I have two IPSec tunnels. First RB1100AHx2 (R1) to RB962UiGS (R2) and second RB1100AHx2 (R1) to RB962UiGS (R3). Bandwidth is R1 100/50mbps, R2 40/20mbps and R3 ~20/20mbps.
I have this same speed traffic issue on both IPSec tunnels.
Tunnel speed R2 → R1 and R3 → R1 is about 20mbps, which is very nice. But traffic in the opposite direction, R1 → R2 and R1 → R3, is max 2mbps, and that is too slow.
I can give more details if necessary.
Please help! :)

Best regards,
Paweł

Go to Tools > Profile in Winbox. Does it show a high CPU? It should list the process with high CPU as well, like ‘encryption’. Do you have high cpu when it’s slow?

Thanks for the answer.
If I copy data with “correct” transfer (20mbps), RB962UiGS has 35-45 encrypt. I think it is correct.
But if I copy data with “bad” transfer (2mbps), RB962UiGS has max 5 encrypt and 75-90 unclassified value (what is it?).
RB1100AHx2 has 0-4 encrypt all the time.

Br,
Pawel

Upgrade your packages to the latest. Recently Mikrotik made improvements to the profile tool. I too showed 4% encryption and 90% unclassified, then after upgrading the packages it showed 95% encryption during IPSec. My issue was from very many dropped packets, which was a result of the modem advertising itself as 10M full duplex. Rebooting the modem solved my issue; the modem went back to 10/100/1000.

Under interfaces, edit your WAN interface and go to stats. Does it list dropped packets? A separate issue for me was a bad port on my Mikrotik, and I had a high CRC mismatch count.

Hey,
thanks for the answers.
I have been observing and testing my IPSec tunnel. I noticed that the problem is mainly with the SMB protocol, because I ran a Bandwidth test Mikrotik to Mikrotik (internal interfaces) and the result was about 20/20Mbps. I downloaded data from a QNAP NAS via the https protocol and the speed was about 10Mbps. I also did FTP tests, and the result is 8[rb1100ah->RB962U]/20[RB962U->RB1100ah].
So this problem concerns SMB. What am I doing wrong?

PS. RB1100AH → I have WAN plugged into eth1. It’s NAT for my computers’ network and the IP for IPSec connections.

BR,
Paweł

It’s a well-known problem with Mikrotik IPsec tunnels.
Mikrotik IPsec tunnels are not compatible with Windows.

Agree. But it exists in CCR. Not 1100ah or HAP AC.

Again, this can be true if you consider CCR. But it can be fixed by switching to software-implemented encryption, for example AES-CTR or Camellia.

Question to the topic starter: what is the ping between sites?
Because SMB is not an Internet-oriented protocol and is very sensitive to ping.
Google “TCP Window Size performance” and check TCPWindowSize on your NAS.