We are running a CCR1072 as our core router (v6.41), with 3 IPsec site-to-site connections (SHA1/AES-CBC-128, should be HW accelerated). On the remote end there are CCR1036 routers.
What I noticed is that with a very low average CPU utilization (1-2%), the IPsec tunnels are maxed out at around 200 Mbit/s total (all 3 tunnels combined), and a single CPU core is running at 100% all the time.
I did a profiling test on that core, and it was 60-65% "networking" and 25-30% "firewall". Which is strange, as we don't have any firewall rules and are not doing any NAT.
I tried to disable conn. tracking, but the load was not lowered. The filter, NAT, mangle and RAW tables are empty, the core router only does IPsec (policy based) and simple routing. No queues either. On the WAN interface I can also see excessive RX overflow which also indicates that the router is not able to process the incoming packets fast enough due to some limitations.
I am not even sure if this is an IPsec limitation, but something is clearly not right. The tunnels are working fine by the way, the only problem we have is the severe speed limitation.
If someone has any idea what to check or try, please let me know, because I ran out of ideas at this point.
Thanks!
Solution:
Do NOT use the single gigabit copper port on the CCR1072 for traffic, only for management!
This is not stated in any official Mikrotik documentation, but someone in the past had the same issue, and this was the response from Mikrotik support:
More info:
Hello,
Please check the block diagram:
https://i.mt.lv/routerboard/files/CCR10 ... 130622.png
ether1 is connected to a PCIe controller and it was designed that way since ether1 was only intended to be used as a management port.
rx-overflow counter is increasing when you have a faster device (or link) sending too much data into a slower interface. This is expected.
The solution is not to use ether1 for data links.
Best regards,
Arturs Z.
https://community.ubnt.com/t5/airFiber/ ... -p/2054839
UPDATE (2018.01.07.):
Mikrotik updated the product page of CCR1072, now the limitation of the copper ethernet port is clearly stated:
"the CCR1072 is equipped with eight independently connected 10G SFP+ ports and single Ethernet port for management purposes."