txpower501
just joined
Topic Author
Posts: 10
Joined: Wed Jan 09, 2013 5:44 pm

Slow OpenVPN

Sat Oct 19, 2019 5:57 pm

I have a CHR with P1 license running on ESX 6.7. The router was running well, I was getting about 80mbps throughput via OpenVPN to an RB1100AH for several months. I did a software upgrade on my CHR and immediately after the speeds dropped to less than ~5Mbps and it's very, very inconsistent... Dropping to 300kbps and then up to 800kbps, etc. I downgraded to several different code versions and could not restore the performance. I do not remember the code versions, as this was several months ago. The resources to the box aren't even being touched, though I did give it more CPUs and RAM to test. I've upgraded to the latest stable today while doing some testing. No change in performance. I built a new CHR with trial P1 license using the latest OVA and have the same issue. I purchased a new hEX-S and put it in with the exact same code/config. I can now get about 40Mbps with it, with the CPU being the limit. I've tried everything I know to do in ESX world... I've tried giving the router the different interface types... vmnet3, intel E1000, etc. I've validated the vswitch is configured to the guide. None of my other VMs have performance issues.

I've opened a case with MikroTik and haven't heard anything. Any ideas?

https://ibb.co/XsrNj78

https://ibb.co/1K6mbP2
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: Slow OpenVPN

Sat Oct 19, 2019 6:13 pm

What is CPU load during "intensive" VPN use? If it's anything higher than a few %, what does profile show as process consuming most CPU cycles?
 
txpower501
just joined
Topic Author
Posts: 10
Joined: Wed Jan 09, 2013 5:44 pm

Re: Slow OpenVPN

Sat Oct 19, 2019 7:04 pm

> What is CPU load during "intensive" VPN use? If it's anything higher than a few %, what does profile show as process consuming most CPU cycles?

CPU is around 3 percent, ovpn being the highest.
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Slow OpenVPN

Sat Oct 19, 2019 11:08 pm

Do you have a backup or export of your "good" config?
 
txpower501
just joined
Topic Author
Posts: 10
Joined: Wed Jan 09, 2013 5:44 pm

Re: Slow OpenVPN

Sun Oct 20, 2019 6:42 pm

Yep, it's literally the same config I'm applying to either router minus the platform differences. I've hidden passwords and where my tunnel is to. I'm only using a one-armed deployment because 1Gbps is plenty for what I'm doing. The 192.168.36.0/22 route is routing to a dynamic address that is obtained when connecting to the tunnel.
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
/ppp profile
add change-tcp-mss=yes name=ovpn-encryption use-compression=no use-encryption=yes use-mpls=no
/interface ovpn-client
add cipher=aes128 connect-to=google.com max-mtu=1460 mode=ethernet name=ovpn-out1 password="12345" profile=ovpn-encryption user=ABCDEFG
/queue type
set 0 pfifo-limit=250
add kind=pfifo name=pfifo-2000 pfifo-limit=2000
/snmp community
set [ find default=yes ] addresses=192.168.35.20/32 name=NOPE
/system logging action
set 1 disk-file-name=log
/user group
add name=btest-group policy="test,winbox,!local,!telnet,!ssh,!ftp,!reboot,!read,!write,!policy,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
/ip firewall connection tracking
set enabled=no
/ip settings
set send-redirects=no
/interface detect-internet
set detect-interface-list=all
/ip address
add address=192.168.32.6/30 comment=FW1_eth1/3.2222 interface=ether1 network=192.168.32.4
/ip cloud
set update-time=no
/ip dns
set servers=192.168.35.20
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=192.168.32.5
add distance=1 dst-address=192.168.32.0/22 gateway=192.168.32.5
add distance=1 dst-address=192.168.36.0/22 gateway=172.16.32.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set domain=kshome.local interfaces=ether1
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/snmp
set enabled=yes trap-generators=interfaces trap-version=2
/system clock
set time-zone-name=America/Chicago
/system identity
set name=vpn1
/system logging
set 0 action=disk
set 1 action=disk
set 2 action=disk
set 3 action=disk
add action=disk topics=interface
add action=disk disabled=yes topics=ovpn
/system note
set note="*****************************************************************\r\
    \n*  !!!UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED!!!       *\r\
    \n*  You must have explicit, authorized permission to access      *\r\
    \n*  or configure this device. Unauthorized attempts and actions  *\r\
    \n*  to access or use this system may result in civil and/or      *\r\
    \n*  criminal penalties. All activities performed on this device  * \r\
    \n*  are logged and monitored.                                    *\r\
    \n*****************************************************************"
/system ntp client
set enabled=yes primary-ntp=3.82.177.91 secondary-ntp=184.105.182.16
/tool graphing interface
add
/tool romon
set enabled=yes
/tool sniffer
set file-limit=50000KiB file-name=test.pcap filter-interface=ovpn-out1 \
    memory-limit=200000KiB
 
txpower501
just joined
Topic Author
Posts: 10
Joined: Wed Jan 09, 2013 5:44 pm

Re: Slow OpenVPN

Sun Oct 20, 2019 7:15 pm

Loopback Test (CHR): https://ibb.co/cCH9Tqk

During SMB transfer (CHR): https://ibb.co/9WJpRk6
 
txpower501
just joined
Topic Author
Posts: 10
Joined: Wed Jan 09, 2013 5:44 pm

Re: Slow OpenVPN  [SOLVED]

Tue Oct 22, 2019 2:18 pm

I figured out the reason this is not working correctly. I was building a new Ubuntu VM to run Pi-Hole on and noticed that when I did my ping to Google that every echo packet was being duplicated. Kept testing... server to server was not being duplicated, but anything that hit my switch was. It has something to do with my NIC teaming on my ESX Host running active/active in LACP mode. I haven't dug into what is misconfigured, but simply shutting down one of the interfaces resolved the performance issue.
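
The symptom that led to the fix above (every echo reply arriving twice once traffic crossed the switch) can be checked for mechanically. The following is an added example, not part of the original post: it counts replies per icmp_seq in Linux iputils-style ping output. The sample output, the 192.0.2.10 address, the function names and the 0.5 threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample: every echo reply arrives twice, as described in the post.
SAMPLE_DUPLICATED = """\
PING 192.0.2.10 (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=57 time=11.2 ms
64 bytes from 192.0.2.10: icmp_seq=1 ttl=57 time=11.3 ms (DUP!)
64 bytes from 192.0.2.10: icmp_seq=2 ttl=57 time=10.9 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=57 time=11.0 ms (DUP!)
64 bytes from 192.0.2.10: icmp_seq=3 ttl=57 time=11.1 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=57 time=11.4 ms (DUP!)
"""

# Constructed sample: a healthy path, one reply per request.
SAMPLE_CLEAN = """\
PING 192.0.2.10 (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=57 time=11.2 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=57 time=10.9 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=57 time=11.1 ms
"""

# Count by (source, sequence) instead of trusting the "(DUP!)" marker,
# so output from ping variants that omit the marker is handled too.
REPLY = re.compile(r"bytes from (\S+).*?icmp_seq=(\d+)")


def duplicate_report(ping_output):
    """Summarise how many echo replies were seen more than once."""
    seen = Counter()
    for line in ping_output.splitlines():
        m = REPLY.search(line)
        if m:
            seen[(m.group(1).rstrip(":"), int(m.group(2)))] += 1
    replies = sum(seen.values())
    extra = replies - len(seen)  # copies beyond the first of each reply
    return {
        "unique": len(seen),
        "replies": replies,
        "extra": extra,
        "duplicated_seqs": sorted({seq for (_, seq), n in seen.items() if n > 1}),
        "ratio": extra / len(seen) if seen else 0.0,
    }


def path_duplicates_frames(ping_output, threshold=0.5):
    """True when duplicates are systematic rather than an occasional stray."""
    report = duplicate_report(ping_output)
    return report["unique"] > 0 and report["ratio"] >= threshold
```

Running the check once between two VMs on the same host and once toward a target beyond the physical switch reproduces the comparison made in the post.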