Re: Long Running SSH Tunnel, Slowing Down

On Tue, Mar 23, 2010 at 6:32 AM, Timothy O'Keefe
<timothy.okeefe@xxxxxxxxx> wrote:
> Hi all,
>
> The Problem:
>
> After a while -- say a few days/weeks -- of having this tunnel
> established, transactions through this tunnel slow down to a crawl. To
> the point where requests will typically timeout. Establishing a brand
> new tunnel alongside the slowing tunnel seems to work fine. I don't
> see anything particularly wrong with the endpoint systems other than
> that sshd on the ssh gateway is consuming about 1.4 MB of virtual
> memory. While this does not pose any threat to the machine per se, it
> does seem a bit strange to me.

The problem is essentially that TCP tunnels over a TCP transport are a
bad idea. Eventually you get a cascading effect that will slow things
down substantially to the point where it becomes essentially useless
and you'll have to rebuild the tunnels.

This is why most VPN and tunnelling solutions work over UDP or their
own IP protocol rather than across TCP.

For practical purposes, the only way to really take care of the issue
is to run scripts that will tear down and recreate the tunnel at set
times. The other alternative is to use a tunnelling method that uses
UDP or some other protocol.


> I'm curious as to what might be happening here, and what -- if
> anything -- we can do about it. I've heard from a number of folks that
> ssh tunnels for this purpose are a "bad idea" and that we might
> consider a connectionless OpenVPN based solution. This is 100% fine,
> however no one has been able to explain _why_ the tunnel slows down
> which happens to be precisely what interests me. Can someone provide
> me with any insights?

For a good explanation of why this happens and how to resolve it from
a network point of view, you can see the following PDF.

http://docs.google.com/viewer?a=v&q=cache:TqsO7Bi6-1AJ:citeseerx.ist.psu.edu/viewdoc/download%3Fdoi%3D10.1.1.21.7007%26rep%3Drep1%26type%3Dpdf+TCP+tunnels+over+TCP+networks+performance&hl=en

Hope that helps.
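
The reply above suggests scripts that tear down and recreate the tunnel at set times. The following is an added example of such a script, not code from the thread or from OpenSSH. The gateway name, forwarded ports, pidfile path and lifetime are placeholder assumptions.

```shell
#!/bin/sh
# Added example: rebuild an SSH port-forward once it is dead or too old.
# GATEWAY, FORWARD, PIDFILE and MAX_AGE are placeholders, not values from the thread.
GATEWAY="${GATEWAY:-user@gateway.example}"
FORWARD="${FORWARD:-8080:127.0.0.1:80}"   # local_port:target_host:target_port
MAX_AGE="${MAX_AGE:-86400}"               # seconds a tunnel may live
PIDFILE="${PIDFILE:-/tmp/ssh-tunnel.pid}"

# exec replaces the background subshell, so $! is the pid of ssh itself.
# Keepalives make ssh exit on a dead link instead of hanging forever.
tunnel_cmd() {
    exec ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 -L "$FORWARD" "$GATEWAY"
}

# Start the tunnel and record "<pid> <start time>" for later checks.
start_tunnel() {
    tunnel_cmd >/dev/null 2>&1 &
    echo "$! $(date +%s)" > "$PIDFILE"
}

# Stop the recorded tunnel, if any, and forget it.
stop_tunnel() {
    [ -r "$PIDFILE" ] || return 0
    read -r pid started < "$PIDFILE"
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true   # reaps it when it is our own child
    rm -f "$PIDFILE"
}

# Succeeds when there is no record, the process is gone, or it is too old.
needs_rebuild() {
    [ -r "$PIDFILE" ] || return 0
    read -r pid started < "$PIDFILE"
    kill -0 "$pid" 2>/dev/null || return 0
    [ $(( $(date +%s) - started )) -ge "$MAX_AGE" ]
}

# One supervision pass: tear down and recreate only when required.
recycle() {
    if needs_rebuild; then
        stop_tunnel
        start_tunnel
    fi
}

if [ "${1:-}" = "recycle" ]; then recycle; fi
```

Run it from cron every few minutes with the `recycle` argument; a healthy tunnel younger than `MAX_AGE` is left alone, so existing connections are only interrupted at the scheduled rebuild.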
