Howdy:
We've been dropping UDP packets on a busy UDP OpenVPN server. We are running
on OpenBSD 5.5 release with very little tuning. It's brand new hardware with
AES-NI capable processors, 4 cores, and 32 GB RAM. We have a 100 Mbit/s
symmetric pipe on our circuit. We have tested network cables. We have
about 80 users.
We see the UDP 'dropped due to full socket buffers' counter increase
and we hear the VOIP packet loss.
> while true ; do netstat -s -p udp | grep "dropped due to full socket" ; date ; sleep 2 ; done
Thu Jul 24 12:11:26 EDT 2014
888340 dropped due to full socket buffers
Thu Jul 24 12:11:28 EDT 2014
888340 dropped due to full socket buffers
Thu Jul 24 12:11:30 EDT 2014
888340 dropped due to full socket buffers
Thu Jul 24 12:11:33 EDT 2014
888355 dropped due to full socket buffers
Thu Jul 24 12:11:35 EDT 2014
888360 dropped due to full socket buffers
Thu Jul 24 12:11:37 EDT 2014
888360 dropped due to full socket buffers
Here we see the socket queues; I can at will make the Recv-Q build a
queue if I run an iperf over the given tunnel. The Recv-Q will at times
be non-zero, and we don't drop UDP packets. Always when packets drop,
Recv-Q is not zero.
> netstat -an | head
[snip]
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
> while true ; do netstat -an | grep -v ' 0 0' | egrep -i 'UDP' ; date ; sleep 2 ; done
Thu Jul 24 12:11:30 EDT 2014
udp 900 0 xx.xx.173.xx.443 *.*
Thu Jul 24 12:11:33 EDT 2014
udp 6387 0 xx.xx.173.xx.443 *.*
Thu Jul 24 12:11:35 EDT 2014
udp 354 0 xx.xx.173.xx.443 *.*
This is set on pf.conf:
match in all scrub (no-df max-mss 1400)
We have dropped packets with queueing turned off.
Operating system: OpenBSD 5.5
OpenVPN installed from pkg
> pkg_info |grep openv
openvpn-2.3.2 easy-to-use, robust, and highly configurable VPN
> openvpn --version
OpenVPN 2.3.2 x86_64-unknown-openbsd5.5 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Mar 5 2014
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <[email protected]>
Compile time defines: enable_crypto=yes enable_debug=yes enable_def_auth=yes
enable_dlopen=unknown enable_dlopen_self=unknown
enable_dlopen_self_static=unknown enable_eurephia=yes
enable_fast_install=needless enable_fragment=yes enable_http_proxy=yes
enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no
enable_management=yes enable_multi=yes enable_multihome=yes
enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes
enable_pkcs11=no enable_plugin_auth_pam=no enable_plugin_down_root=yes
enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes
enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no
enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes
enable_strict=no enable_strict_options=no enable_systemd=no
enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl
with_gnu_ld=no with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins'
with_sysroot=no
server configuration:
dev tun0
proto udp
port 1195
local xx.xx.173.xx
server 10.0.4.0 255.255.255.0
ca /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/int.crt
key /usr/local/etc/openvpn/int.key
dh /usr/local/etc/openvpn/dh4096.pem
push "route xx.xx.173.xx 255.255.255.240"
topology subnet
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
group nobody
daemon
crl-verify /usr/local/etc/openvpn/crl.pem
script-security 3
cipher AES-256-CBC
auth sha256
tls-server
client-config-dir /usr/local/etc/openvpn/ccd
mssfix 1300
status /usr/local/etc/openvpn/status.log
duplicate-cn
log-append /usr/local/etc/openvpn/openvpn.log
verb 4
tls-auth ta.key 0
auth-user-pass-verify /usr/local/etc/openvpn/ldap_bind.py via-env
client-connect /usr/local/etc/openvpn/connect.sh
client-disconnect /usr/local/etc/openvpn/disconnect.sh
sndbuf 32000000
rcvbuf 32000000
nice -6
client configuration:
client
dev tun
proto udp
remote xx.xx.173.xx 1195
nobind
persist-key
persist-tun
ca ca.crt
cert user.crt
key user.key
comp-lzo
verb 3
mssfix
cipher AES-256-CBC
replay-window 1024 60
Log file: it's huge at verb 10 for 10 seconds with one user, > 2 MB gzipped.
http://d.tweal.org/openvpn.log.gz
Thanks,
-dkw
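As an added example (not part of the original post and not OpenVPN or OpenBSD code), the two ad-hoc loops above can be folded into one poll that reports the "dropped due to full socket buffers" counter as a per-interval delta and pairs it with the Recv-Q of the OpenVPN UDP socket, so each interval is labelled as drops-with-backlog, drops-without-backlog, or OK. The function names are mine, the netstat output format is the one quoted in the post, and the sample netstat output embedded below is constructed for the offline demonstration, not a real capture.

```shell
#!/bin/sh
# Added example, not from the original post. Tracks the OpenBSD UDP
# "dropped due to full socket buffers" counter as a per-interval delta and
# pairs it with the Recv-Q of the OpenVPN UDP socket, so an interval can be
# classified instead of eyeballing two separate loops. Function names are
# mine (assumptions); the netstat format is the one quoted in the post.

# Pull the "dropped due to full socket buffers" count out of
# `netstat -s -p udp` output read from stdin (prints 0 if the line is absent).
udp_full_sockbuf_drops() {
    awk '/dropped due to full socket buffers/ { print $1; found = 1 }
         END { if (!found) print 0 }'
}

# Sum Recv-Q over UDP sockets bound to local port $1, reading `netstat -an`
# output from stdin. OpenBSD prints the local address as a.b.c.d.port, so
# match on a trailing ".<port>".
udp_recvq_for_port() {
    awk -v p="$1" '$1 == "udp" && $4 ~ ("\\." p "$") { s += $2 }
                   END { print s + 0 }'
}

# Classify one interval from the previous and current drop counters and the
# Recv-Q observed at the end of it. Prints "<delta> <recvq> <verdict>".
report_interval() {
    prev=$1; cur=$2; recvq=$3
    delta=$((cur - prev))
    if [ "$delta" -gt 0 ] && [ "$recvq" -gt 0 ]; then
        verdict=DROPS_WITH_BACKLOG   # kernel dropping while the app lags behind
    elif [ "$delta" -gt 0 ]; then
        verdict=DROPS_NO_BACKLOG     # drops happened between samples, queue drained
    else
        verdict=OK
    fi
    printf '%s %s %s\n' "$delta" "$recvq" "$verdict"
}

# Live use on the OpenVPN host: monitor_live <udp-port> [interval-seconds].
monitor_live() {
    port=$1; interval=${2:-2}
    prev=$(netstat -s -p udp | udp_full_sockbuf_drops)
    while :; do
        sleep "$interval"
        cur=$(netstat -s -p udp | udp_full_sockbuf_drops)
        recvq=$(netstat -an | udp_recvq_for_port "$port")
        printf '%s ' "$(date)"
        report_interval "$prev" "$cur" "$recvq"
        prev=$cur
    done
}

# Constructed samples in the format quoted in the post (not real captures).
SAMPLE_STATS_T0='udp:
        888340 datagrams received
        888340 dropped due to full socket buffers'
SAMPLE_STATS_T1='udp:
        889012 datagrams received
        888355 dropped due to full socket buffers'
SAMPLE_NETSTAT_AN='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.0.2.10.22          198.51.100.7.50122     ESTABLISHED
udp       6387      0  192.0.2.10.443         *.*
udp        120      0  192.0.2.10.1195        *.*'

# Offline demonstration against the constructed samples.
demo() {
    t0=$(printf '%s\n' "$SAMPLE_STATS_T0" | udp_full_sockbuf_drops)
    t1=$(printf '%s\n' "$SAMPLE_STATS_T1" | udp_full_sockbuf_drops)
    q=$(printf '%s\n' "$SAMPLE_NETSTAT_AN" | udp_recvq_for_port 443)
    report_interval "$t0" "$t1" "$q"
}

demo
```

Run as-is to see the offline demo; on the OpenVPN box, source the file and call `monitor_live 1195 2` (or whichever port the socket is bound to) to get one timestamped verdict line per interval. A run of DROPS_WITH_BACKLOG lines is the pattern the post describes: the kernel is discarding datagrams while the OpenVPN process has not yet drained its receive queue.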
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users