[strongSwan] ksoftirq thread reaching 100%

Martin Willi martin at strongswan.org
Mon Mar 31 13:00:42 CEST 2014


> Has anyone else seen this problem with the ksoftirq thread reaching 100%?
> Is there anything that can be done to alleviate this problem?

The kernel handles ESP data path processing in this thread, and it is by
default limited to the single core that processes NIC interrupts. So you
basically just hit the encryption rate limit on your kernel.

> The box has a gig ethernet card (a Broadcom NetExtreme II), and is
> handling maybe around half its capacity.

This is actually what you can expect from todays commodity hardware
without further tweaks.

> I have seen this on boxes with aes-ni enabled and also disabled
> The cipher suite chosen is AES-128

AES-NI is quite powerful and should allow you to increase your
throughput. However, running AES in GCM mode is preferable, as using a
traditional HMAC integrity function could become the bottleneck

If that doesn't help, you might consider using parallelized ESP
processing [1], allowing you to take advantage of a multi-core system.



More information about the Users mailing list