Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp574768imm;
        Thu, 13 Sep 2018 04:37:18 -0700 (PDT)
X-Google-Smtp-Source: ANB0Vda/XuQoXuQfVkrXnJz7nOB/I8NGVh4WuiaYZkbAquzxRyjs/ryVLlOrCkiBLPcZZe03x7k+
X-Received: by 2002:a62:174a:: with SMTP id 71-v6mr7141963pfx.217.1536838636094;
        Thu, 13 Sep 2018 04:37:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1536838636; cv=none;
        d=google.com; s=arc-20160816;
        b=ltRLuTvXF23MprOkqeKs/jMxZdyIGhkuo5qV3w6OQQIn8HaRqizMkAH9SLoFVCzHYx
         Esa03YLJVE3vwpeuud1TXRHDl+mQgd1MIAG7+lr5+CUYfx9UVbPEfalwGKfa92PqcNuj
         ljMV44Ya85zMGEBnj1n9Bs8fsFUAlL2nDQs0L2rPsII8Ro6f4acp0iKqscerziPRCFQQ
         FJ1S7fbUNxdPj84M+z5PE/CdzxuQvBSXgHZKA2nvehaqZV5wM26NDk2AdnKaiMGMDgb8
         iuFc8yrI3odtRX8gJtoEUyIJxk0vEJxHrdprNAH2BZj7n2qLq+mf/hSjjMZaw3M8odwc
         kHEQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:message-id:date:subject:cc:to:from;
        bh=kuqSspDnfhCuTjpLVFSj1UotI+gK3bS0bTKhJT1I7qQ=;
        b=AtMByASWkJu9w6iZgA8qZUl0ri0eCPpmRqGTM+3dXkocKpyKgIS2xKLYvi6vcS0TpF
         2F0LwbGQ42Fst0Qnzetbqn+JsEo9ro977JZU9SAeRoZmloffQ1sG2e2smqgLC+gOLQTq
         LWH8EWLOZdIqUNsCSyD7CpDJ8U5TLhqhOT8fTr9ftvSFmNSZf1GJmLy2qg1Jcbr/eIUK
         vavmlZysmwIsXpRs0irmzBlb2T//i6rnPLMCVWKWEoKJgiga+4pc+2blaWkZ+dt/lU3S
         IVn1tMrSob+gcglwh5+y63BqmQrkcpRyo4qXZRDm8squ23LGD8AndlpDrbKGZEtjH2FC
         bMDQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id c12-v6si3939606plz.456.2018.09.13.04.37.00;
        Thu, 13 Sep 2018 04:37:16 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727650AbeIMQqA convert rfc822-to-8bit (ORCPT
        <rfc822;fezhang.suse@gmail.com> + 99 others);
        Thu, 13 Sep 2018 12:46:00 -0400
Received: from dresden.studentenwerk.mhn.de ([141.84.225.229]:36116 "EHLO
        email.studentenwerk.mhn.de" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1726879AbeIMQqA (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 13 Sep 2018 12:46:00 -0400
X-Greylist: delayed 403 seconds by postgrey-1.27 at vger.kernel.org; Thu, 13 Sep 2018 12:45:59 EDT
Received: from mailhub.studentenwerk.mhn.de (mailhub.studentenwerk.mhn.de [127.0.0.1])
        by email.studentenwerk.mhn.de (Postfix) with ESMTP id 429xK10gFMzMkw5;
        Thu, 13 Sep 2018 13:30:13 +0200 (CEST)
From:   Wolfgang Walter <linux@stwm.de>
To:     netdev@vger.kernel.org
Cc:     Florian Westphal <fw@strlen.de>,
        Steffen Klassert <steffen.klassert@secunet.com>,
        David Miller <davem@redhat.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Linus Torvalds <torvalds@linux-foundation.org>
Subject: Regression: kernel 4.14 an later very slow with many ipsec tunnels
Date:   Thu, 13 Sep 2018 13:30:12 +0200
Message-ID: <5781211.jtEvgqSZyO@stwm.de>
User-Agent: KMail/4.14.3 (Linux/4.14.61-debian64.all+1.1; KDE/4.14.13; x86_64; ; )
MIME-Version: 1.0
Content-Transfer-Encoding: 8BIT
Content-Type: text/plain; charset="iso-8859-1"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hello,

thanks to the fix from Steffen Klassert I could now run 4.14.69 + his patch 
and 4.18.7 + his patch without oopsing immediately.

But I found that those kernels perform very bad. They perform so bad that they 
are unusable for our router with about 3000 ipsec tunnels (tunnel mode network 
<-> network).

With 4.9. (and all other kernels I used in the last 10 years with much less 
potent hardware) I never had an comparable performance issue with networking.

4.18.7 is better then 4.14.69 but still remains unusuable for us.

Even with very little traffic all 8 cores are working 100% in ksoftirqd. As 
soon as there is real traffic network gets rather unusuable.

Latency of packets goes from between 0.1ms to 1ms up to 100ms to 500ms (4.14) 
or between 15ms to 90ms (4.18).

Throughput also suffers a lot.

I have a simple test I run after every upgrade. This test basically copies 
with scp large files to 60 different remote locations (involving ipsec), 
limited to 1GBit/s combined, and in paralled I ping from different networks 
over this router to machines in other networks of this router (no ipsec-
tunnels involved).

With 4.9 and earlier copying needs about 2 minutes and the pings all remain 
under 2ms roundtrip. 

With 4.14 copying these files needs more than one our. The roundtrip time of 
the ping is > 1 second.

With 4.18 this is much better, copying needs around 6 minutes and ping 
roundtrip is between 30ms and 180ms. But even that is much worse then 4.9.

I think this dramatic loss in performance is due to the removal of the flow 
cache. I propose to revert that for 4.14. I also propose to revert it for the 
next longterm kernel if no other solution is found bringing back 4.9 
performance (at least about the same order of magnitude).

Maybe it should generally be reverted until a solution to the problem exists.

Regards,
-- 
Wolfgang Walter
Studentenwerk M?nchen
Anstalt des ?ffentlichen Rechts