>> I'd love to work out what's different in your setup. Are we sure your
>> gnutls is really using aes-ni? Can we compare with what the PA client
>> does?
>
> If the output of
>
> cat /proc/cpuinfo | grep aes
>
> ..matches, and the output of
>
> cat /proc/crypto | grep module
>
> includes the output "module : aesni_intel"
>
> Does that mean "yes?"
>
> If "not necessarily," let me know how to query that.

It means the hardware does. Not necessarily the particular piece of
software we care about though.

> (and just an academic question: Is GnuTLS involved in ESP traffic? Or is
> that only SSL?)

Yes, we use the crypto library for that. I'm insane, but not insane
enough to do my own crypto. That's either OpenSSL or GnuTLS depending
on which you built Openconnect against.

>> As Dan asked, can you run OpenConnect and the PA client back-to-back on
>> precisely the same setup?
>
> Unfortunately, no, that's not going to be doable on the exact same setup.
> The baseline on which we are using OpenConnect (though it's the same
> version of Linux) does not permit sudo UNTIL the tunnel is up.
> Therefore, I cannot even install global protect on these particular VMs.
> I'd only be able to do it on a different VM that's on the same cluster.

Ok, you can't run GP on the real target machines... can you try
Openconnect on the machine where you *do* have GP running? And can you
run my artificial test on both?

>>> I'd like to see if we have packet drops on the PA client's tun device,
>>> and how much CPU it's using while it handles the traffic.
>
> Keep in mind that we see ZERO drops on the tun0 device at all.
>
> In other words, ifconfig and netstat -i output shows ZERO drops on either
> the tun0 or eth0 interfaces.
>
> They only show up in netstat -s as UDP send buffer errors and IP Packets
> Dropped.

Didn't that change with my retry patch?

I'd also be interested to see similar measurements while running
netperf on the system running the GP client.
--
dwmw2

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
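The counters compared in the quoted text (zero interface drops, but growing protocol-level drops) can be measured side by side across a test run; this is an added example, not part of the original message or of OpenConnect. It assumes the `netstat -s` figures mentioned correspond to `Udp SndbufErrors` and `Ip OutDiscards` in `/proc/net/snmp`, and all sample values are constructed.

```python
# Constructed before/after snapshots in the layout of /proc/net/snmp (columns
# trimmed) and /proc/net/dev; the numbers are illustrative, not from the thread.
SNMP = ("Ip: Forwarding DefaultTTL InReceives InDiscards OutRequests OutDiscards\n"
        "Ip: 1 64 {} 0 {} {}\n"
        "Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors\n"
        "Udp: {} 0 0 {} 0 {}\n")
SNMP_T0 = SNMP.format(1000, 900, 3, 500, 450, 10)
SNMP_T1 = SNMP.format(9000, 8900, 253, 4500, 4450, 260)
DEV = ("Inter-|   Receive                    |  Transmit\n"
       " face |bytes packets errs drop fifo frame compressed multicast|"
       "bytes packets errs drop fifo colls carrier compressed\n"
       "  tun0: {0} {1} 0 0 0 0 0 0 {0} {1} 0 0 0 0 0 0\n"
       "  eth0: {0} {1} 0 0 0 0 0 0 {0} {1} 0 0 0 0 0 0\n")
DEV_T0, DEV_T1 = DEV.format(1000, 10), DEV.format(9000000, 9000)

def parse_snmp(text):
    """{proto: {counter: value}} from the header-line/value-line pairs."""
    rows = [l.split() for l in text.splitlines() if l.strip()]
    out = {}
    for names, vals in zip(rows[0::2], rows[1::2]):
        if names[0] != vals[0]:
            raise ValueError("header and value lines out of step")
        out[names[0].rstrip(":")] = dict(zip(names[1:], map(int, vals[1:])))
    return out

def parse_dev(text):
    """{iface: tx_drop}; after the colon, fields 0-7 are RX and 8-15 are TX."""
    out = {}
    for line in text.splitlines()[2:]:
        name, sep, rest = line.partition(":")
        if sep:
            out[name.strip()] = int(rest.split()[11])
    return out

def drop_deltas(snmp0, snmp1, dev0, dev1):
    """Counter growth between two snapshots, protocol layer and interfaces."""
    s0, s1, d0, d1 = parse_snmp(snmp0), parse_snmp(snmp1), parse_dev(dev0), parse_dev(dev1)
    report = {f"{p}.{c}": s1[p][c] - s0[p][c]
              for p, c in (("Udp", "SndbufErrors"), ("Ip", "OutDiscards"))}
    report.update({f"{i}.tx_drop": d1[i] - d0[i] for i in d1 if i in d0})
    return report

if __name__ == "__main__":
    for name, delta in drop_deltas(SNMP_T0, SNMP_T1, DEV_T0, DEV_T1).items():
        print(f"{name:20} +{delta}")
```

On a live system, pass the contents of `/proc/net/snmp` and `/proc/net/dev` read before and after the netperf run in place of the constructed strings.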