Fog_Watch
2013-Aug-10 07:01 UTC
What do I do so that packets are not dropped when ingress traverses IFB0 and a core is fully loaded?
Hello

My firewall has 2x4 CPU cores. It is used as a Shorewall firewall and for several Vserver guests. For VOIP purposes I would like my ingress to traverse an intermediate functional block. However, when one or more of the cores has a high load, packets over IFB0 get dropped.

When I load up four cores with something like:

    pbzip2 -9 -c test.flac > test2.bz2

and ping through the firewall with something like:

    ping -i .5 -c 20 <my ISP>

I achieve such statistics as:

    20 packets transmitted, 15 received, 25% packet loss, time 9548ms
    rtt min/avg/max/mdev = 18.100/21.600/26.591/2.649 ms

For this test netstat says that for IFB0, TX-DRP goes from 135 to 203. shorewall dump (http://bpaste.net/show/121592/).

Under the same configuration but without a high CPU load on any core no packets are dropped:

    20 packets transmitted, 20 received, 0% packet loss, time 9518ms
    rtt min/avg/max/mdev = 15.858/21.792/33.518/3.910 ms

When traffic control is turned off (http://bpaste.net/show/121593/), or ingress no longer traverses IFB0, the CPU load can be high for any number of cores and packets are not dropped.

What should I do so that when ingress traverses IFB0 and a core is fully loaded packets are not dropped?

Regards
Fog_Watch.
--
"A. Because it breaks the logical order of conversation.
Q. Why is top posting bad?"
Fog_Watch
2013-Aug-14 04:58 UTC
Re: What do I do so that packets are not dropped when ingress traverses IFB0 and a core is fully loaded?[ENDED]
On Sat, 10 Aug 2013 17:01:07 +1000 Fog_Watch <db5@exemail.com.au> wrote:

> What should I do so that when ingress traverses IFB0 and a core is
> fully loaded packets are not dropped?

When vserver host cpu load is high packets are not dropped. When vserver guest cpu load is high packets are dropped. So I can't see how this relates to Shorewall.

Sorry for reducing the signal to noise ratio.

Regards
Fog_Watch.