Limited throughput with QoS rules on VTI interface


Hi, I have very little experience of QoS rules so I’m hoping somebody here can help.

I have a VyOS router where the outgoing traffic on an IPSec VTI connection is almost saturating my internet link, so I thought I’d apply a rate-control traffic-policy in the outgoing direction on the VTI interface. The trouble is, as soon as I apply the traffic-policy the throughput on the VTI goes down to 300mbit/s no matter what the actual limit is in the traffic-policy. When the policy isn’t applied the VTI is usually pushing through something like 700mbit/s.

I also applied an ingoing limiter policy for a few different services on the inbound direction on the internet connection and that policy doesn’t seem to limit throughput in the same way.

The rate-control policy for the VTI interface is as follows:

edit traffic-policy rate-control qos-Verne-out
    set description "Limit traffic to Verne DC to 600mbit/s"
    set bandwidth 600mbit
    set burst 800mbit
set interfaces vti vti0 traffic-policy out qos-Verne-out

The OS version on the VyOS box is:

Version:          VyOS 1.2.0-rolling+201902251818

Are there any performance pitfalls for QoS rules on VTI interfaces that I’m falling into? Is there some intrinsic limit on the throughput of traffic-policy on VTI interfaces? Am I simply being stupid and my config is all wrong?

The configuration for the VTI tunnel is this (edited slightly for anonymity):

edit vpn ipsec esp-group esp-default-ourcompany
    set compression 'disable'
    set lifetime '3600'
    set mode 'tunnel'
    set pfs 'enable'
    set proposal 1 encryption 'aes256'
    set proposal 1 hash 'sha256'

edit vpn ipsec ike-group ike-default-ourcompany
    set dead-peer-detection action 'restart'
    set dead-peer-detection interval '30'
    set dead-peer-detection timeout '30'
    set ikev2-reauth 'no'
    set key-exchange 'ikev2'
    set lifetime '28800'
    set proposal 1 dh-group '14'
    set proposal 1 encryption 'aes256'
    set proposal 1 hash 'sha256'

edit vpn ipsec site-to-site peer
    set authentication mode 'pre-shared-secret'
    set authentication pre-shared-secret 'xxxx'
    set connection-type 'initiate'
    set description 'Tunnel to fw-verne'
    set ike-group 'ike-default-ourcompany'
    set ikev2-reauth 'inherit'
    set local-address ''
    set vti bind 'vti0'
    set vti esp-group 'esp-default-ourcompany'

edit interfaces vti vti0
    set address ''
    set description 'VPN-tunnel-Verne'
    [...omitting some ospf stuff here...]
    set mtu '1436'
    set traffic-policy out qos-Verne-out

Edit: added version info
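As an added illustration (not part of the original post, and not VyOS or kernel code): VyOS rate-control is a token bucket, so the relationship between bandwidth, burst and the refill tick decides how much of the configured rate is actually usable. The simulation below assumes a 1000 Hz refill tick and 1500-byte packets, and a simplified queue (a packet without tokens simply waits for the next tick); both are assumptions, not facts about the poster's box. It shows that a bucket smaller than bandwidth / tick_hz bytes discards tokens on every refill and caps throughput far below the configured rate, while a generously sized bucket delivers the configured bandwidth plus one bucket's worth of initial burst.

```python
"""Token-bucket (tc tbf style) rate-control model (added example, not VyOS code).

A token bucket refills at `bandwidth` but never holds more than `burst` bytes,
and the refill happens only at discrete timer ticks. If `burst` is smaller than
the bytes added per tick (bandwidth / tick_hz), tokens overflow the bucket on
every refill and the usable rate drops well below the configured bandwidth.
Tick rate and packet size below are assumptions for the simulation.
"""


def min_burst_bytes(rate_bps: int, tick_hz: int) -> int:
    """Smallest bucket (bytes) that does not throw away tokens between two refills."""
    return rate_bps // 8 // tick_hz


def simulate_tbf(rate_bps: int, burst_bytes: int, tick_hz: int,
                 offered_bps: int, duration_s: int, pkt_bytes: int = 1500) -> int:
    """Return delivered bits/s when `offered_bps` of traffic is pushed through a
    bucket refilled at `rate_bps`, capped at `burst_bytes`, `tick_hz` times a second.

    Simplification: a packet that finds no tokens is held until the next tick
    and the arrival pattern repeats, so this models sustained throughput only.
    """
    refill = rate_bps // 8 // tick_hz                        # bytes added per tick
    offered_pkts = (offered_bps // 8 // tick_hz) // pkt_bytes  # packets arriving per tick
    tokens = burst_bytes                                      # tbf starts with a full bucket
    delivered = 0
    for _ in range(tick_hz * duration_s):
        tokens = min(burst_bytes, tokens + refill)            # refill, capped at burst
        for _ in range(offered_pkts):
            if tokens < pkt_bytes:
                break                                         # bucket empty: wait for next tick
            tokens -= pkt_bytes
            delivered += pkt_bytes
    return delivered * 8 // duration_s


def compare_bursts(rate_bps: int = 600_000_000, offered_bps: int = 700_000_000,
                   tick_hz: int = 1000) -> dict:
    """Constructed scenario: 600 Mbit/s policy, 700 Mbit/s offered, two bucket sizes."""
    floor = min_burst_bytes(rate_bps, tick_hz)
    return {
        "min_burst_bytes": floor,
        # bucket a tenth of the per-tick refill: most tokens are discarded
        "too_small_bps": simulate_tbf(rate_bps, floor // 10, tick_hz, offered_bps, 1),
        # bucket well above the per-tick refill: configured rate is reachable
        "adequate_bps": simulate_tbf(rate_bps, 1_000_000, tick_hz, offered_bps, 1),
    }


if __name__ == "__main__":
    for name, value in compare_bursts().items():
        print(f"{name:>16}: {value:,}")
```

Reading the numbers: with the undersized bucket the simulation delivers only 60 Mbit/s out of a 600 Mbit/s policy, while the 1 MB bucket lands just above 600 Mbit/s (the configured rate plus the initial full bucket). On a real box the equivalent check is to read the qdisc counters on the interface and compare the configured rate and burst against the observed drops before changing the policy.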

I haven’t done any rate limiting on VTI interfaces, so I can’t help you, but to be clear for those people who are much smarter than I, what version of VyOS are you using?

Edit: Also, reading this seems to imply your burst should be “size of the bucket in bytes which will be available for burst”

I would try much, much smaller values for burst and work up, see if that helps.

Finally: Welcome to the VyOS forums!

Thanks for the response tjh!

The version is:

Version:          VyOS 1.2.0-rolling+201902251818

Hmmm… I’m not sure that I understand how to use burst given that description. Should I just try leaving it out of the config?

Update: tried removing the burst setting, didn’t change anything. Still limited to 300mbit/s.

Hey there, no immediate help to your issue but you are running a super old rolling version. I would start by upgrading (if possible) to the latest rolling version and starting your diagnosis from there.

Ah, you’re right that the version is kind of old philipmcmahon. We’ve had trouble scheduling downtime for upgrades there. I’ll try to get downtime for upgrades approved as soon as possible.