DPDK acceleration for ipsec tunnels on virtual fortigates
We have been testing DPDK acceleration for ipsec tunnels on our nutanix hosts.
dpdk-iperf-1 and dpdk-iperf-2 are simple 4-core 8gb RAM ubuntu VMs with minor host tuning (sysctl window sizes etc) for iperf performance testing, and can maintain about 17Gbps using iperf3 when directly connected to one another.
dpdk-test-vm04-1 and dpdk-test-vm04-2 are fortigate VMs on v7.6.2 (2cpu, 16gb ram). When testing iperf performance on a basic ipsec tunnel we saw approximately 1.2Gbps between the ubuntu VMs. After enabling dpdk (see config below) we are only able to increase this performance to 1.5Gbps.
test diagram
I've confirmed that the dpdk engine is correctly picking up this traffic - ipsec_dec_packets and ipsec_enc_packets are incrementing, and the vnp and vnpsp engines all kick into life with `diagnose dpdk performance show` while the test is running.
However we did expect to see a significantly higher performance uplift for ipsec tunnels, is there something we're missing?
Current working DPDK config: dpdk.global status=enable multiqueue=enable sleep-on-idle=enable elasticbuffer=enable per-session-accounting=1 ipsec-offload=1 hugepage-percentage=40 nr_hugepages=3198 mbufpool-percentage=30 session-table-percentage=5 protects= dpdk.cpus en-cpus=(all) 0,1 rx-cpus=(all) 0,1 vnp-cpus=(all) 0,1 vnpsp-cpus=(all) 0,1 ips-cpus=(all) 0,1 tx-cpus=(all) 0,1 isolated-cpus=1 system.interface Interface "port1" dpdk=enable Interface "port2" dpdk=enable Interface "port3" dpdk=enable