# Xen Networking / IPSec Performance



## sydney6 (Jun 4, 2015)

Hello everybody,

When using an IPSEC-enabled Kernel on a 10.1 RELEASE Xen DomU, the performance drops from ~10 Gb/s to ~200 Mb/s, whether actually using IPSEC or not.

Andrey Elsukov has explained the (potential) issue here: https://lists.freebsd.org/pipermail/freebsd-net/2015-April/042123.html

When disabling TCP segmentation offload (`ifconfig xn0 -tso`) the performance picks up again up to ~3 Gb/s non-IPSec-Traffic.

I noticed this, because on another (also Xen VM) machine running Tomcat, the connections became extremely slow when enabling PF and picked up speed again, as soon as I disabled PF, or disabled TSO on the interface. This machine was using a GENERIC Kernel.

Is this normal, known behaviour, or have I missed something?


----------



## SirDice (Jun 5, 2015)

I'd say this is known behavior. I have the same issue on my VPS. As soon as I enable PF, network performance drops significantly, until I disable TCP segment offload. So I just keep that off.


----------



## sydney6 (Jun 5, 2015)

I have also read about TSO problems with the em(4) driver since 10.1, and the IPSEC problem is also not new (the devs seem sick of being asked when IPSEC will be in GENERIC) and is being worked on...

Since I do not seem to have any "bad" packets according to netstat, etc., I think I'll leave things as they are and keep an eye on it...

Either way, thanks for the confirmation, SirDice.


----------

