Great IPsec speed reduction on 4.60 fw

alexey
edited April 2021 in Security
4 days ago I updated 2 USG1100 to 4.60 p1 from 4.38(AAPK.3)ITS-r94450-2020-06-19-200400764D.
Other settings didn't change.
After that our night backup takes 2 times longer, or doesn't finish at all.
We have 2 VTIs in a trunk in WRR between 2 sites.
I compared the config on 4.38 and 4.60 and found these diffs:

<  lan-provision model wax650s lan1 activate pvid 1 <  lan-provision model wax650s vlan0 activate vid 1 join lan1 untag <  lan-provision model wax610d lan1 activate pvid 1 <  lan-provision model wax610d vlan0 activate vid 1 join lan1 untag

2609,2626c2603,2611

<  load-balancing slot1 mode station

<  load-balancing slot2 mode station

<  load-balancing slot1 max sta 10

<  load-balancing slot2 max sta 10

<  load-balancing slot1 traffic level high <  load-balancing slot2 traffic level high <  load-balancing slot1 alpha 5 <  load-balancing slot2 alpha 5 <  load-balancing slot1 beta 10 <  load-balancing slot2 beta 10 <  load-balancing slot1 sigma 60 <  load-balancing slot2 sigma 60 <  load-balancing slot1 timeout 20 <  load-balancing slot2 timeout 20 <  load-balancing slot1 liInterval 10 <  load-balancing slot2 liInterval 10 <  load-balancing slot1 kickInterval 20 <  load-balancing slot2 kickInterval 20

---

>  load-balancing mode station

>  load-balancing max sta 10

>  load-balancing traffic level high

>  load-balancing alpha 5

>  load-balancing beta 10

>  load-balancing sigma 60

>  load-balancing timeout 20

>  load-balancing liInterval 10

>  load-balancing kickInterval 20

2655,2676c2640,2648

<  lan-provision model wax650s lan1 activate pvid 1 <  lan-provision model wax650s vlan0 activate vid 1 join lan1 untag <  lan-provision model wax610d lan1 activate pvid 1 <  lan-provision model wax610d vlan0 activate vid 1 join lan1 untag <  load-balancing slot1 mode station <  load-balancing slot2 mode station <  load-balancing slot1 max sta 10 <  load-balancing slot2 max sta 10 <  load-balancing slot1 traffic level high <  load-balancing slot2 traffic level high <  load-balancing slot1 alpha 5 <  load-balancing slot2 alpha 5 <  load-balancing slot1 beta 10 <  load-balancing slot2 beta 10 <  load-balancing slot1 sigma 60 <  load-balancing slot2 sigma 60 <  load-balancing slot1 timeout 20 <  load-balancing slot2 timeout 20 <  load-balancing slot1 liInterval 10 <  load-balancing slot2 liInterval 10 <  load-balancing slot1 kickInterval 20 <  load-balancing slot2 kickInterval 20

---

>  load-balancing mode station

>  load-balancing max sta 10

>  load-balancing traffic level high

>  load-balancing alpha 5

>  load-balancing beta 10

>  load-balancing sigma 60

>  load-balancing timeout 20

>  load-balancing liInterval 10

>  load-balancing kickInterval 20

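Review bot: neither hunk (2609,2626c2603,2611 or 2655,2676c2640,2648) touches a VPN, VTI, trunk or BWM line; every differing line is a `lan-provision model wax650s`/`wax610d` or `load-balancing` entry, with the per-slot `load-balancing slot1`/`slot2` lines on the `<` side replaced by single `load-balancing` lines on the `>` side. This diff therefore does not show a settings change on the tunnel path; comparing the IPsec, trunk and BWM sections of the two configs directly would confirm whether those were left untouched.
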
We have BWM rules for the night backup, per-source at 204800 kbps on both sides.

I don't see high CPU usage after the update.

How can I try to increase the speed?

All Replies

  • alexey
    Duration in seconds
    MSSQL daily full backups over Windows SMB. The size changes by hundreds of MB every day.
    18.12 - 13127
    19.12 - 12675
    22.12 - 14517
    23.12 - 13488
    24.12 - 13578
    25.12 - 14377
    26.12 (after update) - 20433
    27-28 - didn't finish.
    29.12 - 20303.
    Oracle daily full backups by FTP.
    22.12 - 1h 27m with average speed 6 mb/s
    23.12 - 1h 20m with average speed 6 mb/s
    24.12 - 1h 27m with average speed 6 mb/s
    25.12 - 1h 22m with average speed 6 mb/s
    26.12 (after upgrade) - 2h 1m average speed  3,5 mb/s
    27.12 - 3h 22m and 1,5 mb/s
    28.12 - 3h 32m and 1,5 mb/s
    Another Oracle backup, which took around 4,5h on the old fw, doesn't finish on the new fw.
  • Zyxel_Stanley

    Hi @alexey  

    The configuration you posted belongs to the WiFi configuration.

    Do your servers back up the database over a wireless connection?


    I have also tested it with the default VPN algorithm (AES128/SHA1).

    UTM service was disabled and it was tested with a single HTTP session; the performance is around 50 Mbps.

    With multiple sessions, the total throughput should be higher than that.


    You may first make sure the traffic statistics function is disabled in your configuration,

    since the device will be collecting session data during transactions.

    The UTM service will also check data content, so it will affect throughput too.

  • Zyxel_Stanley

    Hi @alexey  

    If your symptom still exists after disabling the traffic statistics function,

    you may send your configuration for a further check. :)
