tech-net archive


Re: connection hangs with IPsec



On Mon, Jan 19, 2009 at 05:39:37PM +0100, Hubert Feyrer wrote:
>
> Subject: connection hangs with IPsec
>
> I'm currently struggling with IPsec, and would like to ask if anyone has  
> seen a similar behavior, or can give some debugging hints.
>
> Effect that I see is that connections "hang", often after multiples of  
> 32768 or 65535kB:
>
>       # ftp -o /tmp/x http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/4.0/All/openoffice2-2.4.2.tgz
>       Trying 2001:4f8:4:7:230:48ff:fe31:43f2...
>       ftp: Connect to address `2001:4f8:4:7:230:48ff:fe31:43f2': No route to host
>       Trying 204.152.190.13...
>       Requesting http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/4.0/All/openoffice2-2.4.2.tgz
>         0% |                                     | 65536       1.64 KB/s  - stalled -^C
>
> The setup here:
>
>  LAN1 - Router1 -----------<Internet>---------- Router2 ------ LAN2 ----<Upstream>
>                \                               /
>                 gre0-------GRE-Tunnel------gre0
>
> The connection between Router1 and Router2 is encrypted with IPsec
> (transport mode); the problem happens both with manually configured keys
> and when using Racoon. Both routers run NetBSD 4.0, Router1 is
> performing NAT with PF.
>
> Connecting from LAN1 to the outside world ("Upstream") works fine via the 
> GRE-Tunnel. When enabling IPsec between the two routers, connections to  
> the outside hang, both via HTTP and FTP. Pings work fine.
>
> Looking with tcpdump and wireshark, it seems that Router2 is not catching
> up with ACKs to the (outside) servers, and after some time
> (1+2+4+8+16+32+64 seconds, about 2 minutes) the server re-transmits the
> missing packets, at which time the download continues - for another 64KB,
> at which time the delay starts again.
>
> Has anyone seen something similar? Do you have any ideas what to look 

Yes,

> for? The chunk size in which the transfers work makes me suspicious (32KB
> for FTP, 64KB for HTTP).

I'm pretty sure the fix went into -4.

http://archive.netbsd.se/?ml=netbsd-tech-net&a=2008-02&m=6468415

-- 
Quentin Garnier - cube%cubidou.net@localhost - cube%NetBSD.org@localhost
"See the look on my face from staying too long in one place
[...] every time the morning breaks I know I'm closer to falling"
KT Tunstall, Saving My Face, Drastic Fantastic, 2007.
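An added diagnostic helper, not part of this thread or of NetBSD: it parses tcpdump-style lines of the kind Hubert describes looking at, groups repeated transmissions of the same segment per flow, and flags those whose spacing doubles like the 1+2+4+8... retransmission backoff he observed, reporting the byte offset at which the stall began so it can be checked against the 32KB/64KB boundaries he is suspicious of. The trace, addresses and ports are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style trace (not from the original thread): a server
# sends data, the ACKs stop coming back after 64KB, and the same segment is
# re-sent with a 1, 2, 4, 8 second backoff, as the original poster describes.
SAMPLE_TRACE = """\
10:00:00.000000 IP 204.152.190.13.80 > 10.0.0.5.49152: Flags [.], seq 1:1449, ack 1, length 1448
10:00:00.010000 IP 204.152.190.13.80 > 10.0.0.5.49152: Flags [.], seq 1449:2897, ack 1, length 1448
10:00:00.020000 IP 204.152.190.13.80 > 10.0.0.5.49152: Flags [.], seq 65537:66985, ack 1, length 1448
10:00:01.020000 IP 204.152.190.13.80 > 10.0.0.5.49152: Flags [.], seq 65537:66985, ack 1, length 1448
10:00:03.020000 IP 204.152.190.13.80 > 10.0.0.5.49152: Flags [.], seq 65537:66985, ack 1, length 1448
10:00:07.020000 IP 204.152.190.13.80 > 10.0.0.5.49152: Flags [.], seq 65537:66985, ack 1, length 1448
10:00:15.020000 IP 204.152.190.13.80 > 10.0.0.5.49152: Flags [.], seq 65537:66985, ack 1, length 1448
"""

# Matches tcpdump's default (relative sequence number) output for TCP data.
LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (\S+) > (\S+): Flags \[[^\]]*\], "
    r"seq (\d+):(\d+), ack \d+, length (\d+)"
)

def parse(trace):
    """Return (time_in_seconds, src, dst, seq_start, seq_end) per data segment."""
    segs = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s, us = (int(x) for x in m.group(1, 2, 3, 4))
        t = h * 3600 + mi * 60 + s + us / 1e6
        segs.append((t, m.group(5), m.group(6), int(m.group(7)), int(m.group(8))))
    return segs

def find_stalls(trace, tolerance=0.25):
    """Flag segments re-sent at least twice whose gaps roughly double each
    time (RTO backoff), i.e. the peer's ACKs are not getting through."""
    sends = defaultdict(list)
    for t, src, dst, seq, _end in parse(trace):
        sends[(src, dst, seq)].append(t)
    stalls = []
    for (src, dst, seq), times in sends.items():
        if len(times) < 3:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        doubling = all(abs(g2 / g1 - 2) <= tolerance for g1, g2 in zip(gaps, gaps[1:]))
        if doubling:
            offset = seq - 1  # relative seq numbering starts at 1
            stalls.append({"flow": f"{src} > {dst}", "offset": offset,
                           "retransmits": len(times) - 1, "gaps": gaps,
                           "at_32k_boundary": offset % 32768 == 0})
    return stalls
```

Run `find_stalls(SAMPLE_TRACE)` over a real `tcpdump -n` capture taken on the router to see at which byte offset each flow stalled and how many backoff rounds it went through.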



