[OpenAFS] Openafs vs Red Hat's Netkey
Wed, 11 Dec 2013 15:50:20 -0500 (EST)

I fired up Wireshark and took a look. I set up IPSEC to use
authentication only, so I can still see inside the packets. What I see,
on both server and client, is this:

When performance is poor, I see two fetch-data-64 packets from the server
followed by an ACK packet from the client. There is about a 4 ms delay
between the two fetch-data-64 packets. The sequence numbers are
consecutive and I see no sign of any retransmissions.

When performance is good, I see 8 or more fetch-data-64 packets in a row
followed by a bunch of ACK packets in return. The time between
fetch-data-64 packets is on the order of microseconds.

The 4 ms delay seems responsible, but I haven't figured out what might be

Andrew pointed me to a link about IPSEC problems under RHEL 6. I do not
see the high ksoftirqd usage that the article mentions. I tried changing
/proc/sys/net/ipv4/xfrm4_gc_thresh, as they suggest, and got occasional
speedups but nothing repeatable.

System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
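
The two patterns described in the message above can be measured across a whole capture rather than read off by eye. The following is an added example, not part of the original post: the record format (time, sender, packet kind), the sample captures and the 1 ms stall threshold are all constructed assumptions.

```python
from statistics import median

# Constructed sample records: (time in seconds, sender, Rx packet kind).
# SLOW mimics the poor case: two data packets about 4 ms apart, then an ACK.
SLOW = [
    (0.000000, "server", "data"), (0.004010, "server", "data"),
    (0.004200, "client", "ack"),
    (0.004400, "server", "data"), (0.008390, "server", "data"),
    (0.008600, "client", "ack"),
]
# FAST mimics the good case: 8 data packets microseconds apart, then ACKs.
FAST = [(i * 0.000020, "server", "data") for i in range(8)] + \
       [(0.000200 + i * 0.000010, "client", "ack") for i in range(4)]

def bursts(records):
    """Split a capture into runs of server data packets ended by a client ACK.
    Returns a list of (packet_count, [gaps between consecutive data packets])."""
    out, times = [], []
    for t, sender, kind in records:
        if sender == "server" and kind == "data":
            times.append(t)
        elif kind == "ack" and times:
            out.append((len(times), [b - a for a, b in zip(times, times[1:])]))
            times = []
    if times:  # trailing data packets with no ACK in the capture
        out.append((len(times), [b - a for a, b in zip(times, times[1:])]))
    return out

def summarize(records, stall=0.001):
    """Median burst length, median gap (us), and gaps longer than `stall` seconds."""
    found = bursts(records)
    gaps = [g for _, gs in found for g in gs]
    return {
        "bursts": len(found),
        "median_burst_len": median(n for n, _ in found),
        "median_gap_us": round(median(gaps) * 1e6) if gaps else None,
        "stalled_gaps": sum(g > stall for g in gaps),
    }

if __name__ == "__main__":
    print("slow:", summarize(SLOW))
    print("fast:", summarize(FAST))
```
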