> I'd love to work out what's different in your setup. Are we sure your
> gnutls is really using aes-ni? Can we compare with what the PA client
> does?

If the output of

    cat /proc/cpuinfo | grep aes

...matches, and the output of

    cat /proc/crypto | grep module

includes the output

    module : aesni_intel

Does that mean "yes?" If "not necessarily," let me know how to query that.

(and just an academic question: Is GnuTLS involved in ESP traffic? Or is that only SSL?)

> As Dan asked, can you run OpenConnect and the PA client back-to-back on
> precisely the same setup?

Unfortunately, no, that's not going to be doable on the exact same setup. The baseline on which we are using OpenConnect (though it's the same version of Linux) does not permit sudo UNTIL the tunnel is up. Therefore, I cannot even install global protect on these particular VMs. I'd only be able to do it on a different VM that's on the same cluster.

>> I'd like to see if we have packet drops on the PA client's tun device,
>> and how much CPU it's using while it handles the traffic.

Keep in mind that we see ZERO drops on the tun0 device at all. In other words, ifconfig and netstat -i output shows ZERO drops on either the tun0 or eth0 interfaces. They only show up in netstat -s as UDP send buffer errors and IP Packets Dropped.

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel