R0bert
just joined
Topic Author
Posts: 4
Joined: Mon Jul 13, 2015 4:32 pm

GRE over IPsec samba performance

Mon Jul 13, 2015 4:56 pm

Hello!
We have a network issue with extremely slow copy speed via a GRE or IPIP IPsec tunnel. After upgrading to the latest firmware version 6.30 we observed better copy speed via SCP on Linux machines. But if we try to copy any files via SMB on Windows machines – speed is extremely slow.
If we turn off IPsec, we observe very good speed, as fast as the ISP connection speed limit. We use CCR1036-8G-2S+ on both sites.
GRE MTU 1426
Don’t Fragment: no
Clamp TCP MSS is on
IPsec hash algorithm sha1, encryption algorithm aes-128
We also tried a mangle rule that changes TCP MSS in the GRE tunnel to 1300 – nothing changes.
It is possible that the issue is still with reordering packets.
The sites are remote and the round trip time is about 120 ms.
We also tried to change the GRE MTU to 1400, without and with a mangle rule that changes MSS to 1300 - nothing happened.
Any ideas?
 
Duduhandelman
Frequent Visitor
Posts: 89
Joined: Wed Jan 04, 2012 5:30 pm

Re: GRE over IPsec samba performance

Mon Jul 13, 2015 9:41 pm

To make it short, don't use SMB over WAN.
It's a protocol which is waiting for samba acks (not TCP acks).
The only way that I know to use samba over a high-latency WAN is traffic acceleration.
It changes the TCP to UDP transparently.

You can try traffic squeezer or xpand networks.

Good luck.
 
R0bert
just joined
Topic Author
Posts: 4
Joined: Mon Jul 13, 2015 4:32 pm

Re: GRE over IPsec samba performance

Mon Jul 13, 2015 10:16 pm

But it works well over the same GRE tunnel with the same latency, only without IPsec.
Additionally, samba works fine if there is a Mikrotik on one site and a Cisco router on the other site, even with IPsec.
 
R0bert
just joined
Topic Author
Posts: 4
Joined: Mon Jul 13, 2015 4:32 pm

Re: GRE over IPsec samba performance

Tue Aug 04, 2015 10:15 am

Any ideas?
 
doneware
Trainer
Posts: 565
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: GRE over IPsec samba performance

Tue Aug 04, 2015 12:12 pm

> If we turn off IPsec, we observe very good speed, as fast as ISP connection speed limit. We use on both sites

here are some generic answers.

packet reorder can kill IPSEC performance.
and fragmentation as well.

check /ip ipsec stat for "state-sequence-errors". if there are many, you have out of order packets arriving in ESP which then will be dropped, but their contents will be missing later in the host at TCP level.

what kind of IPSEC mode are you using? transport or tunnel? transport produces less overhead, so it is less likely to get into situations where the encrypted packet which leaves your router needs to be fragmented.

what is your outgoing interface's MTU? 1500 bytes?

w/o IPsec your GRE or IPIP encapsulated packets will be only 1446 bytes, this can be forwarded anywhere.
use this link to calculate the real packet sizes: https://cway.cisco.com/tools/ipsec-over ... -calc.html
or you can just capture one outgoing packet using tool sniffer on the WAN interface to see how it leaves the router (in one piece or fragmented).

if it's tunnel mode, at the end you will have 1512 bytes which is too big for the standard 1500byte "internet" mtu. transport mode goes by 1496 bytes, but if you have PPPoE on the link towards the internet, it may be a problem.

as i see, with tcp mss of 1300 there won't be any issue anyway - of course with TCP.
but UDP traffic will be subject to fragmentation anyway if it comes from the lan, where the MTU is 1500, and if the packet is bigger than the MTU on your GRE tunnel (1426).
#TR0359
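
Added example (not part of the thread, and not MikroTik or Cisco code): the ESP size arithmetic behind the 1496-byte and 1512-byte figures in the post above, plus the largest inner MTU that avoids fragmentation on a given WAN MTU. It assumes IPv4, AES-128-CBC with HMAC-SHA1-96, no NAT-T and a basic 4-byte GRE header; the function names are this example's own.

```python
# Added example: ESP packet-size arithmetic for the setup in this thread.
# Assumptions: IPv4, ESP with AES-128-CBC (16-byte block and IV) and
# HMAC-SHA1-96 (12-byte ICV), no NAT-T, basic GRE header (no key/checksum).
IP_HDR = 20
GRE_HDR = 4
ESP_HDR = 8        # SPI + sequence number
ESP_IV = 16        # AES-CBC IV
ESP_TRAILER = 2    # pad-length + next-header bytes
ESP_ICV = 12       # HMAC-SHA1-96
AES_BLOCK = 16


def encap_size(inner_len, encap="gre"):
    """Size of the GRE or IPIP packet carrying an inner IP packet, before IPsec."""
    return inner_len + IP_HDR + (GRE_HDR if encap == "gre" else 0)


def esp_size(inner_len, encap="gre", mode="transport"):
    """On-the-wire size after ESP is applied to the encapsulated packet."""
    outer = encap_size(inner_len, encap)
    # Transport mode encrypts only what follows the outer IP header;
    # tunnel mode encrypts the whole packet and prepends a new IP header.
    plaintext = outer - IP_HDR if mode == "transport" else outer
    # Round plaintext + trailer up to a whole number of cipher blocks.
    padded = -(-(plaintext + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK
    return IP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV


def max_inner_mtu(wan_mtu, encap="gre", mode="transport"):
    """Largest inner packet that leaves the WAN interface unfragmented."""
    inner = wan_mtu
    while esp_size(inner, encap, mode) > wan_mtu:
        inner -= 1
    return inner


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        for wan in (1500, 1492):   # plain Ethernet, PPPoE
            size = esp_size(1426, "gre", mode)
            fits = "fits" if size <= wan else "fragments"
            print(f"{mode:9} WAN {wan}: 1426-byte inner -> {size} bytes ({fits}); "
                  f"max inner MTU {max_inner_mtu(wan, 'gre', mode)}")
```

Because CBC pads to 16-byte blocks, the encrypted size moves in steps: one extra inner byte can add 16 bytes on the wire, which is why the tunnel MTU has to be checked against the exact cipher and mode in use.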
 
R0bert
just joined
Topic Author
Posts: 4
Joined: Mon Jul 13, 2015 4:32 pm

Re: GRE over IPsec samba performance

Tue Aug 04, 2015 1:15 pm

statistics of IPsec:
in-errors: 0
in-buffer-errors: 0
in-header-errors: 0
in-no-states: 66442
in-state-protocol-errors: 178330
in-state-mode-errors: 0
in-state-sequence-errors: 0
in-state-expired: 0
in-state-mismatches: 0
in-state-invalid: 3986
in-template-mismatches: 7461
in-no-policies: 418715
in-policy-blocked: 0
in-policy-errors: 0
out-errors: 0
out-bundle-errors: 0
out-bundle-check-errors: 0
out-no-states: 1900866
out-state-protocol-errors: 5882
out-state-mode-errors: 0
out-state-sequence-errors: 0
out-state-expired: 5882
out-policy-blocked: 0
out-policy-dead: 0
out-policy-errors: 0

Tunnel mode transport. Outgoing interface MTU 1500 bytes. MTU on GRE interfaces 1426 with clamp TCP MSS option enabled. I also tried to change tcp mss to 1400 and 1300 by mangle rule - the same issue.
 
alexjhart
Member Candidate
Posts: 195
Joined: Thu Jan 20, 2011 8:03 pm

Re: GRE over IPsec samba performance

Thu Dec 17, 2015 6:17 pm

I have a similar setup and see similar results. I was given the same advice too, yet had already implemented it with no improvement as well.
-----
Alex Hart

The Brothers WISP
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: GRE over IPsec samba performance

Thu Dec 17, 2015 6:51 pm

It sounds like you're pegging the CPU.

When you have the hybrid Mikrotik/Cisco link and it works well, try transferring a file in the opposite direction to see if the speed falls off or stays good. Whatever the case, watch the CPU of your Mikrotik while the transfer is taking place.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
alexjhart
Member Candidate
Posts: 195
Joined: Thu Jan 20, 2011 8:03 pm

Re: GRE over IPsec samba performance

Thu Dec 17, 2015 8:25 pm

> It sounds like you're pegging the CPU.
>
> When you have the hybrid Mikrotik/Cisco link and it works well, try transferring a file in the opposite direction to see if the speed falls off or stays good. Whatever the case, watch the CPU of your Mikrotik while the transfer is taking place.

My case is CCR1036 to CCR1036. 0ms latency (10ft ethernet between ether10 on each). I had clamp-tcp-mss already set on the tunnel, I was using iperf3 with MTU flag set to 1300, all tests are affected (smb, iperf, http, etc).

I tried changing the MTU to 2000 and L2MTU to 3000 in my lab setup between physical interfaces (ether10) and turned off clamp-tcp-mss on GRE tunnel since all other interfaces involved are now below the GRE tunnel MTU (1926). I still see 25% more packet loss with UDP test and my SMB still drops 10x from 750Mbps (with encryption turned off) to 75Mbps (with it on).

No core when testing exceeds 20% load. Profile shows 90+% idle and no process using more than 3%.

At least in my case, I am pretty confident I am not hitting the limit of the CPU or the hardware encryption.

While mrz says it could be the driver (http://forum.mikrotik.com/viewtopic.php?t=83478#p428663 http://forum.mikrotik.com/viewtopic.php?t=84465#p454773 http://forum.mikrotik.com/viewtopic.php ... 28#p498988), Maris via support email tells me "Driver is already improved. You need to avoid fragmentation. If it is UDP traffic you need to send smaller packets like 1450 or less. If it is TCP you need to reduce MSS, it could be done with change-mss mangle rules."
-----
Alex Hart

The Brothers WISP
