[strongSwan] High latencies

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Sep 19 19:08:09 CEST 2017


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Likely has to do with pmtu discovery. You can use tcpdump and alike to try to figure out what
actually happens on the network or continue wondering about what the strange machines do.

On 19.09.2017 18:15, Turbo Fredriksson wrote:
> On 19 Sep 2017, at 16:00, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote: > >> Check the tcp metrics (ip tcp_metrics) and look at the MSS. > > There’s no metrics at all related to mss on either of the VPN instances: > > root at jumpbox-london:~# ip tcp_metrics | grep -i mss > root at jumpbox-london:~# > > root at jumpbox:~# ip tcp_metrics 2>&1 | grep -i mss > root at jumpbox:~# > >> MSS likely found out the right MSS very quickly with the lower MTU. >> Other than guessing, I can't help you, because I have no access to your environment. >> I doubt anybody else can do anything else than that. > > Well, the MTU was done more than ten minutes before the > iptable rules and it still didn’t work.. > > I even tried restarting the tunnel. Didn’t work, I added the iptable rules, > tested - didn’t work. I then reverted those changes and THEN it worked. > For a very brief period. > > > I can even reproduce it! > > 1) Set MTU 1500 on all hosts > 2) Add the iptable rules > 3) Set the MTU to 9001 on all hosts > > But > > 1) Add the iptable rules > > alone doesn’t work! But
“kick” the MTU back and forth, and it works. I’m going > to leave it for a while to see if it’s permanent. It’s been working for several minutes > now! :) > > Yeah, still works. Spooky! > > > > On 19 Sep 2017, at 16:08, Simon Deziel <simon.deziel at gmail.com> wrote: > >> You mentioned EC2 so please double check that your Security Group let >> ICMP go through. > > Checked and double checked. All instances allow ICMP ingress and egress. > > > > On 19 Sep 2017, at 16:12, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote: > >> Now that you mention it: Also check the Network ACLs > > I haven’t modified any NACLs. They’re all standard - allowing everything. -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEENSSTvrX3jmMTcq8t9U7kCwc5rWwFAlnBTvgACgkQ9U7kCwc5
rWzeLxAAolhfTdSyA1pSDzQ6gyRWRU90sL1/DIpjd1Y3KJsz1lsYthtv/Dfs/K7I
yHo/ulCVj5S581gLsqxuyO98VmTD3IThUqcqDjhOhyyPMEud2guMFMMwmFD4vOGR
vNhbZg82RU/R+uFQA49/cL+whBLM0SF+12Z3pw7USKNKhSxBzBtidsxQG+EVyHpl
ZZIJ0bIxOGIl1Y5ET5GojWDvIYvAgPtFt1Lg+QQEL25aOz2QDxq5smnkrvNCXk+/
vNrLW1fN+f46qb8rEiUUefch6gIvosZisurCY89f3oasJM5u8tZWO03rqs5W7Hxy
ZHmm3MMBEKKqFPaPFsbhJTxox1hN6qXrLn7yls+EA7Rtx3eFIg0Y2Np1E7Qf9rU+
yxgmVVyk0H5YFZyeCOkeFOU4ntr7iOKzh4QtZR8QwH2e/dkpWl4R4vjURQG22hiJ
awnXK3Hn5i6OWwb+bHpNAhphP5h6I7nra+xg6qM0FmMLHFcr81+qyaU55alCFbU3
+wpPqJV3iSF5kj7SzzhSV54+r4EbqMYUg3GzLMdF1hAzZeuA8bLO6b6MYwZ+rvkr
kcl2AgG5DahQ05vd8OPZm8OORU52hCyAbhcia6Qd9ELQ+1c2qTkfVA2bpwGRpIrb
2CokncxQKoFD1H31OU1Sfv27FCS/NLWfhWiG21beutoTuFC7NII=
=T+Kh
-----END PGP SIGNATURE-----




More information about the Users mailing list