On 7/4/10 5:11 PM, John McMonagle wrote: > I'm using shorewall with openvpn and traffic shaping at all of our offices. > I have noticed for a while that occasionally ping times are excessive. > Usually > this is during overnight off site backups but some times during the day. > I have assumed the is was an ISP issue but now I'm suspecting it's problem > with openvpn and traffic shaping. > > In the test case have 2 sites with t1s. I'm setting speed much lower to allow > for some phone traffic that comes off before I get it. > During the tests there is no phone use. > > I set to do iperf between sites between sites both direct and therough the > vpn. > > With no traffic ping time direct is about 8ms and 10ms via vpn. > With saturating direct traffic . > Direct ping is about 40-50 ms > vpn ping is about 50ms > > With saturating vpn traffic > Direct ping is about 15-30ms > vpn ping is about 18-250ms > > Ping times are very erratic particular in the one bad case. Some times pings > via vpn are over a second. > The consistant thing is with saturating traffic via vpn the vpn ping times > are > bad. > Other cases are OK. > > My wild guess is that openvpn does not like its packets being delayed. > Attached is shorewall dump. > In case it looks odd the openvpn links are point to point and routing is done > via ospf. > > Any Ideas?
A shorewall dump taken when there is little or no traffic flowing is not particularly useful for analyzing TC problems but it looks to me as if you have entries in /etc/shorewall/tcfilters with 0.0.0.0 in the SOURCE and DEST columns where you really want 0.0.0.0/0. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ This SF.net email is sponsored by Sprint What will you do first with EVO, the first 4G phone? Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
