On Sat, Dec 28, 2019 at 1:53 PM Carles Pina i Estany <carles@xxxxxxxx> wrote:
> I'm using openconnect from Debian (Debian package version 8.02-1)
> connecting to a Cisco AnyConnect. I'm using NetworkManager but I'm happy
> to use the command line if this would help.
>
> I see that openconnect uses about 35 to 40% of CPU (measured with top)
> on my 4-core laptop.

35-40% of a *single* core, I presume?

What CPU? I assume it's something relatively modern featuring the AES hardware acceleration (e.g. http://wikipedia.org/wiki/Special:Search/AES-NI). You should be able to verify the CPU features with `cat /proc/cpuinfo | grep aes`, and `gnutls-cli --benchmark-ciphers` should show much higher throughput for AES-based ciphers.

> The internet connection or even the upload speed to the other side is
> higher if no OpenConnect is used.

What is the alternative to using OpenConnect which you are comparing against? Cisco's official AnyConnect client for *Linux*? Or its client for *Windows*?

> Any MTU that might help? (e.g. I see that my wlan0 has mtu 1500 and vpn0
> is mtu 1200), or some other ideas?

Incorrect MTU could lead to fragmentation or packet loss which affects VPN bandwidth or latency… but shouldn't have much of an effect on CPU usage (OpenConnect's CPU usage should be pretty small, and doubling it due to high fragmentation should still be small).

Are you experiencing packet loss with the OpenConnect connection, or just lower-than-expected bandwidth?

> any way to verify that DTLS is being used and parameters? (using
> Anyconnect is faster, and DTLS is used there) (it's about 20% to 40%
> faster... but sometimes it gets disconnected)
> Error: any valid prefix is expected rather than "dev".
>
> The connection works, the speed is similar. DTLS seems enabled.
>
> I'll play with some settings (e.g. disabling compression, dtls-ciphers,
> etc.). If I get anything better I'll pass it here.

The log excerpt you sent (“Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-256-CBC)-(SHA1).”) shows that DTLS is being used, with the bog-standard cipher configuration for older Cisco servers.

There's no compression option allowed by the server here; compression would be indicated in this line if present.

`--dtls-local-port` is also not relevant here: it's unnecessary unless you're behind some kind of router/middlebox that might limit the ports on which you can send UDP packets. I can't think of a plausible way in which such a middlebox would lead to high CPU usage, in any case.

-Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
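The checks Dan asks for above (the `aes` CPU flag, which DTLS ciphersuite came up, whether compression was negotiated) can be pulled out of an openconnect log and `/proc/cpuinfo` with a small POSIX shell script. The script below is an added example written for this page; it is not code from the thread or from the openconnect project. It assumes the "Established DTLS connection ... Ciphersuite ..." line has the form quoted in the thread, and it assumes (this is not stated in the thread) that a negotiated DTLS compression algorithm would appear in a "DTLS connection compression using X." line. The sample log and cpuinfo it builds are constructed, not real captures, so it runs offline; pass real file paths as arguments to use it on a live system.

```shell
#!/bin/sh
# Added diagnostic helper for the openconnect CPU-usage question above.
# Not part of openconnect. Log line formats: the DTLS ciphersuite line is
# the one quoted in the thread; the compression line format is an assumption.

# Print 1 if the cpuinfo file lists the "aes" flag (AES-NI present), else 0.
has_aes_flag() {
    if grep -qw aes "${1:-/proc/cpuinfo}"; then echo 1; else echo 0; fi
}

# Print the DTLS ciphersuite recorded in the log, or "none" if DTLS never came up.
dtls_ciphersuite() {
    suite=$(sed -n 's/.*Established DTLS connection.*Ciphersuite \(.*\)\.[[:space:]]*$/\1/p' "$1" | head -n 1)
    echo "${suite:-none}"
}

# Print the DTLS compression algorithm named in the log, or "none".
# ASSUMPTION: openconnect logs "DTLS connection compression using X." when compressing.
dtls_compression() {
    comp=$(sed -n 's/.*DTLS connection compression using \(.*\)\.[[:space:]]*$/\1/p' "$1" | head -n 1)
    echo "${comp:-none}"
}

# Print 1 if the ciphersuite string names an AES cipher (one that AES-NI speeds up), else 0.
suite_uses_aes() {
    case "$1" in *AES*) echo 1 ;; *) echo 0 ;; esac
}

# Summarise a log file and a cpuinfo file, warning when an AES cipher is in use
# on a CPU without the aes flag (the combination that would explain high CPU use).
report() {
    log="$1"; cpu="${2:-/proc/cpuinfo}"
    suite=$(dtls_ciphersuite "$log")
    echo "DTLS ciphersuite: $suite"
    echo "DTLS compression: $(dtls_compression "$log")"
    echo "CPU has aes flag: $(has_aes_flag "$cpu")"
    if [ "$(suite_uses_aes "$suite")" = 1 ] && [ "$(has_aes_flag "$cpu")" = 0 ]; then
        echo "WARNING: AES cipher negotiated but no AES-NI; expect software AES and high CPU"
    fi
}

# Constructed sample input (not a real capture) so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/openconnect.log" <<'EOF'
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-256-CBC)-(SHA1).
EOF
cat > "$SAMPLE_DIR/cpuinfo" <<'EOF'
flags		: fpu vme sse2 ssse3 aes avx2
EOF

# Usage: sh dtls-check.sh [openconnect.log [cpuinfo]]; with no arguments the sample is used.
report "${1:-$SAMPLE_DIR/openconnect.log}" "${2:-$SAMPLE_DIR/cpuinfo}"
```

For a NetworkManager-driven connection the log lines come from the journal rather than a terminal, so save the relevant journal output to a file first and pass that file as the first argument.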