[strongSwan] Packet loss in ipsec tunnel
wax g.
waxitau at gmail.com
Mon Oct 12 18:50:29 CEST 2020
Thanks for replying, Tobias, the suggestion is very helpful.
The replay window size is the default value (32 packets) which effectively
is quite low - will increase it and see how it goes.
Regards,
On Mon, Oct 12, 2020 at 4:44 PM Tobias Brunner <tobias at strongswan.org>
wrote:
> Hi,
>
> > * When is replay-window stats increased ?
>
> Whenever a packet arrives with a sequence number that's lower than the
> lower end of the replay window (i.e. with seq < highest_received_seq -
> window). Could be an actually delayed packet but might also be because
> the window is simply too small for your line speed and traffic pattern,
> e.g. because packets arrive so fast and in quick succession that the
> window is moved constantly and too quickly so slightly delayed (or
> perhaps larger) packets have to be dropped.
>
> > * I've noticed that on devices not experiencing packet losses over the
> > ipsec tunnel all the stats = 0 (replay-window, replay & fail).
>
> Yes, those stats indicate errors, so it's good if everything is 0 there.
>
> > * I'm suspecting a replay window issue for received ipsec packets that
> > are dropped..
>
> Did you configure a replay window size
> (connections.<conn>.children.<child>.replay_window in swanctl.conf)?
> The default is 32, which is pretty low.
>
> Regards,
> Tobias
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20201012/a9dd9a3a/attachment.html>
More information about the Users
mailing list