Wednesday, December 13, 2017

ISR G2 overloaded crypto engine - Does this look right?

I've got an un-flow controlled application that bursts small UDP packets with about 30usec gap between. Yes, it's crap. Working on that...

It's traversing a GRE-in-IPsec tunnel.

The application sees occasional large gaps in the stream. 50-ish consecutive packets go missing. Looks like tail drop to me.

The sites with the problem have the old-style 881 routers. I think I've found the problem, and wonder if this makes sense?

The show crypto engine accelerator statistic command includes packets in and packets decrypted counters.

I assume that these values should be moving together under normal circumstances?

These numbers are diverging at a rate of about 100pps.

I've confirmed that the following are working correctly:

  • All application packets are getting encrypted and leaving the source site.
  • All ESP packets are getting delivered to the destination site.

But the decrypted application stream is lossy.

So, what say you? Am I overrunning the crypto engine's input queue?

Is there some other value I should be looking at?
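
Added example (not part of the original post, and not Cisco tooling): a way to put numbers on the two observations above, the runs of consecutive missing packets and the rate at which the "packets in" and "packets decrypted" counters diverge. It assumes each application packet carries a 16-bit sequence number, that the engine counters wrap at 32 bits, and that counter samples are copied by hand from two runs of the show command; all sample values are constructed.

```python
SEQ_MOD = 1 << 16       # assumption: 16-bit sequence number in each app packet
COUNTER_MOD = 1 << 32   # assumption: engine counters wrap at 32 bits


def unwrap(seqs, mod=SEQ_MOD):
    """Extend wrapping sequence numbers to plain integers, tolerating reordering."""
    out = []
    for s in seqs:
        if not out:
            out.append(s)
            continue
        delta = (s - out[-1]) % mod
        if delta >= mod // 2:          # small step backwards: a reordered packet
            delta -= mod
        out.append(out[-1] + delta)
    return out


def loss_runs(seqs, mod=SEQ_MOD):
    """Return (first_missing_seq, run_length) for every gap in the received stream."""
    seen = sorted(set(unwrap(seqs, mod)))
    return [((a + 1) % mod, b - a - 1) for a, b in zip(seen, seen[1:]) if b - a > 1]


def divergence_pps(first, second, mod=COUNTER_MOD):
    """Rate at which 'packets in' outruns 'packets decrypted' between two samples.

    Each sample is (seconds, packets_in, packets_decrypted), read by hand from
    two runs of the show command.
    """
    (t0, in0, dec0), (t1, in1, dec1) = first, second
    return (((in1 - in0) % mod) - ((dec1 - dec0) % mod)) / (t1 - t0)


if __name__ == "__main__":
    # Constructed receiver capture: 336 packets sent across a sequence wrap,
    # one 50-packet hole, one isolated loss, one reordered pair.
    sent = [(65400 + i) % SEQ_MOD for i in range(336)]
    lost = {(65510 + i) % SEQ_MOD for i in range(50)} | {100}
    received = [s for s in sent if s not in lost]
    received[5], received[6] = received[6], received[5]
    for first_missing, length in loss_runs(received):
        kind = "burst" if length >= 10 else "isolated"   # threshold is arbitrary
        print(f"{length:3d} missing from seq {first_missing} ({kind})")
    # Constructed counter samples taken 60 s apart.
    print(divergence_pps((0, 1_000_000, 1_000_000), (60, 1_180_000, 1_174_000)), "pps")
```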


