On Thu, 2019-03-07 at 21:57 +0000, Phillips, Tony wrote:
> Hey, folks.
>
> We're using openconnect 8.02 on RHEL 7.4 VM, with a Palo Alto 5060
> firewall as the GP gateway.
>
> The VM is outfit with 32GB RAM, 4 vCPUs, and the host is quad-gig
> attached to the network. There's ample bandwidth between the
> locations (20g+) with roughly 2ms latency between endpoints.
>
> We're using IPSec protocol.
>
> We're observing what I think would be rather poor throughput across
> the VPN. It takes ~9 minutes to read or write a 1GB file so that's
> about 15mb/second.
>
> Is that what we should expect? I thought I saw a thread where
> someone was getting 300mb/sec on an Intel Atom, and here I'm getting
> 15 on an Intel XEON.

A while back, I did some profiling of openconnect talking to ocserv over a local 1G network, and fixed a handful of bottlenecks there (mostly needless packet copies and poor buffer handling).

We basically got it down to the point where the major overhead was pushing the packet up to userspace for encryption, then back down to the kernel.

The first step I'd suggest would be to run the client in 'perf' and see where it's spending its time.

And since you're using IPSec, you might experiment and see if you can actually use the kernel for that, to see if that makes a difference.

Also check that neither end is dropping out-of-order packets. We've seen that with Cisco before now. I used to get faster uploads when I *dropped* one of my dual ADSL lines, and used only one.
_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel