tunnel upstream is unusably slow
David Woodhouse
dwmw2 at infradead.org
Wed Apr 2 10:41:24 EDT 2014
On Wed, 2014-04-02 at 15:46 +0200, Ortwin Glück wrote:
> $ strace -ttfp 29785
After manually editing that to undo the word-wrapping and make it
readable again, it looks like the two large delays you see in select()
are when it's waiting for data from the tunnel. I'm not sure it can make
that happen faster. The problem here isn't the way the event loop works,
AFAICT.
> Question remains: why does openconnect's select block for so long? A lot
> of data should be already available in the socket buffer.
It's not the socket buffer we care about, from the openconnect point of
view. It's packets being "sent" on the tunnel interface. And openconnect
is sending those as soon as they get here...
> Here you go. I have replaced the actual IPs with names for convenience
> and privacy. Timestamps are seconds since previous packet. Note the
> 0.214s delays before local starts sending again after last ACK.
Hm, I was hoping for timestamps which would correlate with the ones in
the strace run, but I can cope with this...
> No. Time Source Destination Protocol Length Info
> 1100 0.214 tun-local tun-remote SSHv2 1280 Encrypted request packet len=1228
> 1101 0.000 SSL-local SSL-remote TLSv1 1126 Application Data
> 1102 0.000 SSL-local SSL-remote TLSv1 328 Application Data
A packet is 'sent' over the tun interface. OpenConnect immediately sends
it. It takes *two* packets to send it, since your MTU inside the tunnel
is larger than your MTU outside the tunnel. That's probably not going to
help your performance. And neither is the fact that you appear not to be
using DTLS. Nobody who cares about performance should be using
TCP-over-TCP. Why aren't you using DTLS?
> 1103 0.007 SSL-remote SSL-local TCP 60 443 > 54547 [ACK] Seq=19758 Ack=204341 Win=32768 Len=0
Fairly quickly, an ACK comes back from the VPN server for that data.
> 1104 0.001 SSL-remote SSL-local TLSv1 147 Application Data
> 1105 0.000 SSL-local SSL-remote TCP 54 54547 > 443 [ACK] Seq=204615 Ack=19851 Win=65535 Len=0
1ms later, a data packet comes back over the SSL connection, and an ACK
is sent for it.
> 1106 0.000 tun-remote tun-local TCP 52 22 > 37376 [ACK] Seq=6189 Ack=184836 Win=64128 Len=0
We feed the data packet (which is itself an ACK for the SSH connection)
to the tun device with no noticeable delay.
> 1107 0.214 tun-local tun-remote SSHv2 1280 Encrypted request packet len=1228
There is a 214ms delay before the next packet is sent by SSH (or more to
the point the TCP stack). The sequence repeats...
> 1108 0.000 SSL-local SSL-remote TLSv1 1126 Application Data
> 1109 0.000 SSL-local SSL-remote TLSv1 328 Application Data
> 1110 0.007 SSL-remote SSL-local TCP 60 443 > 54547 [ACK] Seq=19851 Ack=205687 Win=32768 Len=0
> 1111 0.001 SSL-remote SSL-local TLSv1 147 Application Data
> 1112 0.000 SSL-local SSL-remote TCP 54 54547 > 443 [ACK] Seq=205961 Ack=19944 Win=65535 Len=0
> 1113 0.000 tun-remote tun-local TCP 52 22 > 37376 [ACK] Seq=6189 Ack=186064 Win=64128 Len=0
> 1114 0.214 tun-local tun-remote SSHv2 1280 Encrypted request packet len=1228
Why is it taking 7ms for a pair of TCP packets to reach your VPN server
and then for an ACK to come back for them?
I can't see the sequence numbers for your outgoing packets but I have
strong suspicion that there's a fair amount of data in-flight at any
given time. So it's not that the SSH connection sends a data packet,
gets an ACK within 7ms and then gratuitously waits around for almost
quarter of a second before sending any more data. I suspect it's got
packets outstanding and the TCP stack has determined that this is the
maximum rate it can send at.
What's the TCP sendq on the offending SSH socket (and the SSL socket for
that matter, but I suspect that'll be low) when this happens?
(netstat -tn)
--
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20140402/4b0fbe87/attachment.bin>
More information about the openconnect-devel
mailing list