On 15.09.2017 at 19:27, Noel Kuntze wrote:
> Hi,
>
> I guess ksoftirqd is rotating and kworker, too? If that's the case, you're
> suffering from
> an extremely disadvantageous distribution of ESP packets.

Hmmm. I did not see all CPUs are saturated. Only two CPUs are under load and the soft-irqs are under 5%. kworker is under 5% too.

> You need to set the number of RX and TX queues on the card to the number of
> cores and
> use RSS to distribute the SAs correctly over all queues. Bind one RX and one
> TX queue to one core each.

What tool do I use for this?

> Then use AES based ciphers, so you can use AES-NI. You can then get line
> speed per CHILD_SA.
>
> Pcrypt has some overhead due to synchronisation, so if your setup's
> performance problem is not caused
> by cipher execution time, pcrypt will not improve the situation.

What bothers me is that the throughput is decreasing. I can accept that due to synchronisation the throughput is not increasing, but decreasing?

> Use aes128gcm8. aes256gcm16 causes unnecessary overhead and costs more
> performance.

Which ciphers do you suggest/recommend?
Do you know a working configuration that I can use as a reference?

> Disabling replay protection does not improve performance.

Ok, I did read about this in some posting, so I tried this too.

Regards
 Sven Anders

--
 Sven Anders <and...@anduras.de>          () UTF-8 Ribbon Campaign
                                          /\ Support plain text e-mail
 ANDURAS intranet security AG
 Messestrasse 3 - 94036 Passau - Germany
 Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55

Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
  - Benjamin Franklin
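The queue-per-core binding described in the quoted advice above, sketched as an added example that is not part of the original e-mail thread. It is a dry run that only prints commands; the interface name `eth0`, the `eth0-TxRx-N` IRQ naming (driver-specific) and the sample interrupt table are assumptions.

```shell
#!/bin/sh
# Dry-run planner: prints the tuning commands, changes nothing on the system.
# Constructed sample in /proc/interrupts format (hypothetical NIC eth0, 4 queues).
SAMPLE_INTERRUPTS=' 41:  1200     0     0     0  PCI-MSI 524289-edge  eth0-TxRx-0
 42:     0   980     0     0  PCI-MSI 524290-edge  eth0-TxRx-1
 43:     0     0  1100     0  PCI-MSI 524291-edge  eth0-TxRx-2
 44:     0     0     0  1050  PCI-MSI 524292-edge  eth0-TxRx-3
 45:     3     0     0     0  PCI-MSI 524288-edge  eth0'

# Read /proc/interrupts-format text on stdin and print "irq cpu" pairs:
# queue i of device $1 is assigned to CPU (i mod $2).
# Assumes queue IRQs are named "<dev>-<something>-<queue index>".
queue_irq_plan() {
    awk -v dev="$1" -v ncpu="$2" '
        { name = $NF }
        index(name, dev "-") == 1 && match(name, /[0-9]+$/) {
            irq = $1; sub(/:$/, "", irq)       # "41:" -> "41"
            q = substr(name, RSTART) + 0       # trailing queue index
            print irq, q % ncpu
        }'
}

# Print the commands an admin would review and then run as root.
tuning_commands() {
    dev=$1; ncpu=$2
    # One combined RX/TX queue pair per core (some NICs use rx/tx instead).
    echo "ethtool -L $dev combined $ncpu"
    queue_irq_plan "$dev" "$ncpu" | while read -r irq cpu; do
        # Pin each queue interrupt to exactly one CPU.
        echo "echo $cpu > /proc/irq/$irq/smp_affinity_list"
    done
}

# Demo on the constructed sample; on a real host use: tuning_commands eth0 4 < /proc/interrupts
printf '%s\n' "$SAMPLE_INTERRUPTS" | tuning_commands eth0 4
```

A running irqbalance daemon can rewrite these affinities, so check for it before relying on a manual binding.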