Huge packet loss [>80%] pinging server #1643
Comments
A few minutes later, I repeated the experiment and got this as a result:
I would really appreciate it if someone with more networking/VPN troubleshooting skills could point me in the right direction. |
So my first question, given recent reports of Wireguard problems with macOS 10.15, is what version of macOS you're running, and what version of Wireguard client you're running. |
@TC1977 Hey so here's the versions, but I'm not sure if that's the issue as at the same time I was having packet loss on my laptop, I experienced a complete slowdown on my phone as well. |
Here's what I received running
Not sure of the significance really, but does that 'dropped by kernel' seem alright? |
Try to mtr/traceroute/ping to the server's public IP, not to the local one, to find out where the problem is. |
I believe Algo configures the EC2 firewall to block ICMP, so you'll need to change that before you can test pinging the public IP address outside of the VPN tunnel. |
No issues as of now. I thought at first that the issue was more noticeable when switching wireguard profiles/right after handshakes but it seems like that's not reproducing it right now making diagnostics really difficult. |
@jackivanov Here's the mtr output during a period when I was having connection issues:
and for reddit:
Towards the end of me writing this, it got a lot better and so the % dropped in the reddit mtr went down a lot. @davidemyers Yes, looks like ICMP inbound is blocked, but I was still able to traceroute and mtr, just not a direct ping to the EC2 ip. |
Doesn't seem to be a MacOS specific issue. I'm 90% confident that I was experiencing the same issue on my phone while my mac was having network issues. |
Make sure you're not using the same WireGuard config file on both devices. Also, those traces look like the WireGuard tunnel was up. You should test the connection between your clients and the EC2 instance outside of WireGuard to see if there's a network issue unrelated to Algo. |
I'm not. I'm using different profiles generated by Algo for different devices.
I thought the same, so what I did was deploy Algo to various AWS regions, and test. But they would all have the same issue intermittently. When it doesn't work on my laptop, it doesn't work on the phone either. So we can rule out the issue being macOS/config related. Any suggestions on what I should log or how I can troubleshoot when I experience the network issue? Running mtr shows a huge packet loss, and pinging the wg IP (10.19.49.1) also results in a lot of timeouts. But I do get a few replies in between. This is all until it suddenly starts working fine. Maybe it's just advanced DPI and there's nothing I can do about it :( |
Would it be helpful for diagnostics that when I do experience the issue, I ssh into the EC2 instance from another machine and collect the |
@ShantanuNair You could try checking the WireGuard client logs. On your Mac, open the WireGuard app, and at the bottom of the windowpane with your listed connections the little gear icon gives you the option to "View Log". You probably already did this, but I didn't see explicit mention: also make sure this is occurring on all networks, not just your LAN. Try your iPhone on LTE, and also try taking your Mac to a different network (Starbucks, or Wi-Fi hotspot from your phone) and see if the problem occurs there. The other thing you could do is to troubleshoot if it's actually Wireguard as opposed to some other issue. You could install the IKEv2 mobileconfig on your Mac and see if that works without problems. And if you do get problems, strongSwan at least gives you useful debug messages on the server with |
Hey all - I think you have the wrong Dave Myers.
…On Sun, Nov 24, 2019 at 9:02 AM Shantanu Nair ***@***.***> wrote:
Doesn't seem to be a MacOS specific issue. I'm 90% confident that I was
experiencing the same issue on my phone while my mac was having network
issues.
|
@DavidMyers Hey Dave, it's Dave. 😃 Yes, it looks like the "e" was left out of a mention above. |
My bad for the wrong user mention. Anyway, I tried to record the logs when the issue happens (I feel it's more likely to happen on new connections, say when I deactivate and then reactivate a tunnel. It would be really slow to pull up a site, and mtrs would have huge packet loss even after the quick handshake, but once it gets connected I get decent throughput up to ~140-150mbps). I also notice that cryptostorm's (commercial VPN which supports WireGuard) free WireGuard service connects fine. Here is the log: |
So what jumps out at me is about 13 seconds of repeated
And then you were pretty error-free after that. Wonder if you can check your EC2 console logs in CloudWatch for rejected packets during that time? Also, these were the same errors reported in #1629, which according to the most recent update by @Ezzahhh may not be a pure macOS 10.15 problem after all. |
@TC1977 Thank you so much for helping me with this! I did not see those 'Failed to send data packet' messages inside the wireguard log window, only in the saved log-file. However, I just gave the IPSEC profiles a shot and it seems to be perfectly stable. Only thing is the speeds are absolutely trash (<400kbps). Not sure if that's expected behavior. What this leads me to believe is that this is not an issue with the connection to the EC2 server, but instead seems like it's a wireguard only isolated issue, and that it could have something to do with wireguard's routing. Using IPSEC I'm able to reach and maintain a connection with my EC2 just fine. It's only wireguard that seems to be the issue. Regarding #1629 it seems like his connection was working fine on his phone but not on his mac. But for me when wg is unstable on my macbook, it is also problematic on my phone. |
IPsec is said to be slower than WireGuard, but shouldn't be that much slower. I wouldn't be surprised at all if your IPsec connection is also screwed up. It might be worth checking out the strongSwan logs by leaving a window open with Do you get these issues if you install onto a |
There is advanced DPI being employed against Algo in the Middle East. I had raised this as an issue/notification earlier. I've tried Algo (same profiles, same servers, just different ISPs in other countries) and always noticed this issue only in the Middle East. #1588 |
@shadowsaw This seems to be the case. Have you found anything that works well in that environment? Even ShadowSocks doesn't work. |
My setup:
Server is running on EC2 t3.micro instance in the Bahrain AWS region.
Client is MacOS running wireguard official gui.
Issue:
While digging deeper, I noticed that when pinging 10.19.49.1 from the wg client, I get huge packet loss. This may be the weak link where I'm losing packets. My internet connection is definitely not the issue. Why would I be having packet loss when pinging 10.19.49.1? Is it an issue with my EC2 networking? It surely can't be my wireguard client as then it wouldn't work with the commercial wg VPN provider.
Here are the ping results: