Hi, > Has anyone else seen this problem with the ksoftirq thread reaching 100%? > Is there anything that can be done to alleviate this problem?
The kernel handles ESP data path processing in this thread, and it is by default limited to the single core that processes NIC interrupts. So you basically just hit the encryption rate limit on your kernel. > The box has a gig ethernet card (a Broadcom NetExtreme II), and is > handling maybe around half its capacity. This is actually what you can expect from todays commodity hardware without further tweaks. > I have seen this on boxes with aes-ni enabled and also disabled > The cipher suite chosen is AES-128 AES-NI is quite powerful and should allow you to increase your throughput. However, running AES in GCM mode is preferable, as using a traditional HMAC integrity function could become the bottleneck otherwise. If that doesn't help, you might consider using parallelized ESP processing , allowing you to take advantage of a multi-core system. Regards Martin https://www.strongswan.org/docs/Steffen_Klassert_Parallelizing_IPsec.pdf _______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users