<div dir="ltr"><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div>The server has a 1G symmetrical fibre line. It has been speedtested to various local servers to be close to 800-900M. When there is only a single client, there isn't much problem and as soon as the connection is made, the ping time through to tunnel is a respectable 30ms. As soon as a few more clients are connected, ping time degrades to hundreds and sometimes seconds and with dropped packets. Dataflow would appear stopped and the tinc log on the server would literally filled with hundreds of flush....would block messages. All hosts are running latest tinc-1.0 stable.<br><br></div>The server is configured as a bridge and is relaying multicasts continuously. Below is the server configuration.<br><br>Name = tserver<br>AddressFamily = ipv4<br>BindToAddress = 192.168.21.254 30000<br>KeyExpire = 28800<br>ReplayWindow = 0<br>DeviceStandby = no<br>DeviceType = tap<br>DirectOnly = yes<br>Mode = hub<br>ProcessPriority = high<br>ClampMSS = yes<br>Cipher = none<br>Digest = none<br>MACLength = 0<br>PMTUDiscovery = yes<br><br></div>I have taken out what I believe is performance sapping options in an effort to boost performance.<br></div><br></div>All clients (Windows 7) configuration is identical save its own name.<br><br></div>Name = <client name><br></div>ConnectTo = tserver<br></div>AddressFamily = ipv4<br></div>KeyExpire = 28800<br></div>ReplayWindow = 0<br></div>Broadcast = direct<br></div>DirectOnly = yes<br></div>Mode = hub<br></div>ClampMSS = yes<br></div>Cipher = none<br></div>Digest = none<br></div>MACLength = 0<br></div>PMTUDiscovery = yes<br></div>Interface = win-Tap<br><br></div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, May 6, 2016 at 3:25 PM, Guus Sliepen <span dir="ltr"><<a href="mailto:guus@tinc-vpn.org" target="_blank">guus@tinc-vpn.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Wed, May 04, 2016 at 07:10:47AM +0800, Terry T wrote:<br>
<br>
> We run tinc in a linux environment in which it sits there waiting for<br>
> connections from the clients. All clients are configured to only have one<br>
> ConnectTo which points to this server.<br>
><br>
> We're seeing in the server log that as soon as a client's connection is<br>
> activated, a whole bunch of "Flushing x bytes to that host would block" is<br>
> logged and the whole vpn is bogged down and has become non-responsive.<br>
<br>
</span>This means that the bandwidth to that client is so low that the TCP<br>
buffer on the server is full. It should not cause communication between<br>
the other clients to slow down though...<br>
<span class=""><br>
> From a Jun 27, 2013 "Metadata socket read error" thread, Gus suggested that<br>
> it may be caused by the router in front of the server that ran out of<br>
> memory keeping track of the outgoing connections. The server is indeed<br>
> behind a NAT router. It's a reasonably (ASUS) high end consumer grade<br>
> router.<br>
<br>
</span>This is not the same problem.<br>
<span class=""><br>
> We have tried adding PingInterval in the host configuration file, but it<br>
> doesn't seem to resolve the problem. Is there anything else that we can do<br>
> to stop the vpn from crashing. As it is, when any one of the client is<br>
> logged to be flushing, the whole vpn becomes unusable.<br>
<br>
</span>Hm, does non-VPN traffic to/from the server also get slow when this<br>
happens?<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Met vriendelijke groet / with kind regards,<br>
Guus Sliepen <<a href="mailto:guus@tinc-vpn.org">guus@tinc-vpn.org</a>><br>
_______________________________________________<br>
tinc mailing list<br>
<a href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a><br>
<a href="https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" rel="noreferrer" target="_blank">https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br>
</font></span></blockquote></div><br></div>