On 12/31/20 12:15 PM, Franco Fichtner wrote:
> https://cgit.freebsd.org/src/commit/sys/crypto/aesni?h=stable/12&id=95b37a4ed741fd116809d0f2cb295c4e9977f5b6
>
> may have subtly broken a number of IPsec installations by stalling active
> connections after certain amounts of traffic transferred. We're still
> trying to confirm, but it looks like this had an overall impact on 12.0
> and 12.1 except that only one person in OPNsense traced it back to aesni.ko
> to our knowledge to effectively work around an apparent issue there.
>
> If that is not the actual fix, the problem still exists in 12.2 and onward ;)

We don't support AES-CCM for IPsec, so there is 0 chance that commit has any
effect on IPsec in 12.

There's not much detail in the forum posts though (e.g. netstat -s output to
get ipsec, esp, and ah stats). Also, at least one forum post mentioned it
happened when doing an upgrade from 11.2 to 12.1 which is a larger set of
changes.

I know the pfsense folks had a major performance regression due to iflib with
Intel e1000 devices that might manifest as this perhaps? Disabling aesni might
just be throttling the connection slow enough to avoid hitting a bug in a NIC
driver for example.

I think netstat -s would be a better place to start to try to debug this.

> https://github.com/opnsense/core/issues/4415

--
John Baldwin
Received on Thu Dec 31 2020 - 21:51:50 UTC
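The following is an added example, not part of the original message: one way to act on the netstat -s suggestion is to save the ipsec, esp and ah statistics before and after a stall and list only the counters that moved. The function name, file names and sample counter descriptions are assumptions made for illustration.

```shell
#!/bin/sh
# Compare two saved `netstat -s` snapshots and report counters that changed.
#
# Assumed capture on the affected host, once while the tunnel passes traffic
# and once after it stalls:
#   for p in ipsec esp ah; do netstat -s -p "$p"; done > before.txt
#
# Counters are matched by section and position, not by description text,
# because the wording can change with the count (singular vs. plural).
# Both snapshots must therefore be taken with the same flags.
counter_deltas() {
    awk '
        FNR == 1 { filenum++; sect = ""; idx = 0 }
        # Section header: starts in column one and ends with a colon ("esp:")
        /^[^ \t].*:[ \t]*$/ { sect = $1; idx = 0; next }
        # Counter line: leading whitespace, a number, then a description
        /^[ \t]+[0-9]+[ \t]/ {
            key = sect SUBSEP (++idx)
            if (filenum == 1) { before[key] = $1; next }
            if (key in before && $1 != before[key]) {
                desc = $0
                sub(/^[ \t]+[0-9]+[ \t]+/, "", desc)
                printf "%s %+d %s\n", sect, $1 - before[key], desc
            }
        }
    ' "$1" "$2"
}

if [ "$#" -eq 2 ]; then
    counter_deltas "$1" "$2"
else
    # Constructed snapshots: placeholder descriptions, not real netstat wording
    t=$(mktemp -d)
    printf 'esp:\n\t120 sample packets in\n\t1 sample packet dropped\n' > "$t/before"
    printf 'esp:\n\t120 sample packets in\n\t9 sample packets dropped\n' > "$t/after"
    counter_deltas "$t/before" "$t/after"
    rm -rf "$t"
fi
```

Error or drop counters that climb while the byte and packet counters stop moving point at the layer to look at next; if nothing in ipsec, esp or ah changes, the NIC driver statistics are the next place to check.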