Howdy:

We've been dropping UDP packets on a busy UDP OpenVPN. We are running on OpenBSD 5.5 release with very little tuning. It's brand new HW with AESNI capable processors, 4 core, and 32GB RAM. We have a 100Mbit/s symmetric pipe on our circuit. We have tested network cables. We have about 80 users.

We see the UDP 'dropped due to full socket buffers' counter increase and we hear the VOIP packet loss.

    > while true ; do netstat -s -p udp |grep "dropped due to full socket" ; date; sleep 2 ; done
    Thu Jul 24 12:11:26 EDT 2014
    888340 dropped due to full socket buffers
    Thu Jul 24 12:11:28 EDT 2014
    888340 dropped due to full socket buffers
    Thu Jul 24 12:11:30 EDT 2014
    888340 dropped due to full socket buffers
    Thu Jul 24 12:11:33 EDT 2014
    888355 dropped due to full socket buffers
    Thu Jul 24 12:11:35 EDT 2014
    888360 dropped due to full socket buffers
    Thu Jul 24 12:11:37 EDT 2014
    888360 dropped due to full socket buffers

Here we see the socket queues; I can at will make the recv-q build a queue if I run an iperf of the given tunnel. The recv-Q will at times be non-zero, and we don't drop UDP packets. Always when packets drop, Recv-Q is not zero.

    netstat -an |head
    [snip]
    Active Internet connections (including servers)
    Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)

    > while true ; do netstat -an | grep -v ' 0 0' |egrep -i 'UDP' ; date; sleep 2 ; done
    Thu Jul 24 12:11:30 EDT 2014
    udp 900 0 xx.xx.173.xx.443 *.*
    Thu Jul 24 12:11:33 EDT 2014
    udp 6387 0 xx.xx.173.xx.443 *.*
    Thu Jul 24 12:11:35 EDT 2014
    udp 354 0 xx.xx.173.xx.443 *.*

This is set on pf.conf:

    match in all scrub (no-df max-mss 1400)

We have dropped packets with queueing turned off.

Operating system: OpenBSD 5.5

OpenVPN installed from pkg

    > pkg_info |grep openv
    openvpn-2.3.2 easy-to-use, robust, and highly configurable VPN

    > openvpn --version
    OpenVPN 2.3.2 x86_64-unknown-openbsd5.5 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Mar 5 2014
    Originally developed by James Yonan
    Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sa...@openvpn.net>
    Compile time defines: enable_crypto=yes enable_debug=yes enable_def_auth=yes
      enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown
      enable_eurephia=yes enable_fast_install=needless enable_fragment=yes
      enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes
      enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes
      enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes
      enable_pkcs11=no enable_plugin_auth_pam=no enable_plugin_down_root=yes
      enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes
      enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no
      enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no
      enable_strict_options=no enable_systemd=no enable_win32_dll=yes
      enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=no
      with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no

server configuration:

    dev tun0
    proto udp
    port 1195
    local xx.xx.173.xx
    server 10.0.4.0 255.255.255.0
    ca /usr/local/etc/openvpn/ca.crt
    cert /usr/local/etc/openvpn/int.crt
    key /usr/local/etc/openvpn/int.key
    dh /usr/local/etc/openvpn/dh4096.pem
    push "route xx.xx.173.xx 255.255.255.240"
    topology subnet
    comp-lzo
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    group nobody
    daemon
    crl-verify /usr/local/etc/openvpn/crl.pem
    script-security 3
    cipher AES-256-CBC
    auth sha256
    tls-server
    client-config-dir /usr/local/etc/openvpn/ccd
    mssfix 1300
    status /usr/local/etc/openvpn/status.log
    duplicate-cn
    log-append /usr/local/etc/openvpn/openvpn.log
    verb 4
    tls-auth ta.key 0
    auth-user-pass-verify /usr/local/etc/openvpn/ldap_bind.py via-env
    client-connect /usr/local/etc/openvpn/connect.sh
    client-disconnect /usr/local/etc/openvpn/disconnect.sh
    sndbuf 32000000
    rcvbuf 32000000
    nice -6

client configuration:

    client
    dev tun
    proto udp
    remote xx.xx.173.xx 1195
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert user.crt
    key user.key
    comp-lzo
    verb 3
    mssfix
    cipher AES-256-CBC
    replay-window 1024 60

log file: it's huge at verb 10 for 10 seconds with one user, > 2mb gzipped.
http://d.tweal.org/openvpn.log.gz

Thanks,
-dkw