[OpenAFS] Openafs vs Red Hat's Netkey

Steve Gaarder gaarder1@math.cornell.edu
Wed, 11 Dec 2013 15:50:20 -0500 (EST)

I fired up Wireshark and took a look.  I set up IPSEC to use 
authentication only, so I can still see inside the packets.  What I see, 
on both server and client, is this:

When performance is poor, I see two fetch-data-64 packets from the server 
followed by an ACK packet from the client.  There is about a 4 ms delay 
between the two fetch-data-64 packets.  The sequence numbers are 
consecutive and I see no sign of any retransmissions.

When performance is good, I see 8 or more fetch-data-64 packets in a row 
followed by a bunch of ACK packets in return.  The time between 
fetch-data-64 packets is on the order of microseconds.

The 4 ms delay seems responsible, but I haven't figured out what might be 
causing that.

Andrew pointed me to a link about IPSEC problems under RHEL 6.  I do not 
see the high ksoftirqd usage that the article mentions.  I tried changing 
/proc/sys/net/ipv4/xfrm4_gc_thresh, as they suggest, and got occasional 
speedups but nothing repeatable.


Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA