Why would my network slow down?


The network at my work has about 40 computers on it and a quite a few printers. When there are a lot of people working the network will be slow.
I can test the ping between my computer and the router and it will keep rising, sometimes to the point that it times out.
The router we are using is running Ubuntu on a atom processor and it has 4gb of ram.

When the network slows the process Ksoftirq will be using most if not all of the processing power. I have found that Ksoftirq is a process that handles irq requests. Also when the network slows down I have captured packets from the router and using tshark and looked at it using wireshark on my laptop. With the capture show a lot of packets with TCP Dup ACK and TCP Retransmissions. The destinations of the TCP Dup and TCP retransmissions are to most of the computers on the network but there are some that are far more than others.

What could this problem be caused by?


Posted 2012-07-09T19:57:28.050

Reputation: 41

1Dup acks and retransmissions are a typical a sign of timeouts due to network congestion, but can mean other things. Network performance issues are not always as simple as looking at a pcap. What is your workflow like (ie, what type of data/applications, how much do you move across the network, how often are new connections made, do you use encryption anywhere)? And for setup, what protocol are you using? what is the link rate of the clients? what is the mtu on clients and router, how long are your cable runs, number of hops between clients? There is a lot more to clarify, but that is a start. – MaQleod – 2012-07-09T20:06:26.430

there doesn't seem like there is ever lot of bandwidth being used when i look at a iftop. Almost all of the traffic is though the web but there is a lot of traffic that we use a vpn with ipsec. – monkthemighty – 2012-07-09T21:56:55.630



It's quite likely that your router's Ethernet card sucks, or is not set up correctly for this kind of use.

Modern server- (or router-) class gigabit Ethernet cards provide services like interrupt coalescing and Large Receive Offload (LRO) to keep the host processor from getting overloaded with per-packet interrupts. Other offloading features like Transmit Segmentation Offload (TSO) and hardware checksumming also help keep the host processor less busy, but aren't necessarily interrupt-related.

Make sure your Ethernet adapter is capable of these things and that you have them all fully enabled. If it's not capable of interrupt coalescing and LRO, consider upgrading to a good server-class Ethernet NIC.


Posted 2012-07-09T19:57:28.050

Reputation: 84 656

I looked up my nic and it is a RTL8111/8168B which the only thing i could find about it is that it is used in laptops and other normal computers. Also when I ran lshw -class network to find out the nic I found that one of the cards says its size is 100MB/s and the other one is 1GB/s but the capacity is 1GB/s on both of them. could this be a problem or should i just get a better network card? – monkthemighty – 2012-07-09T21:35:46.520

@monkthemighty If one of them is connected to your business ISP's broadband modem, it might make sense for it to be only 100 megabit instead of 1 gigabit. But Realtek isn't known for being in the business of making enterprise-class chips; they're basically a no-name vendor focused on bargain-basement stuff. Broadcom, Marvell, and Intel are some of the vendors known for making enterprise-class Ethernet chipsets (although they each have low-end stuff too). – Spiff – 2012-07-09T21:55:20.313

@monkthemighty Then again, that's tangential to the point of my Answer, which is that you need to look at Interrupt Coalescing and LRO. If the Realtek chipset has those offloading features I mentioned, make sure they're turned on. If it doesn't have those features, you probably need to buy a card that does. You've found an indication that your box gets interrupt-bound while processing lots of traffic. That's a pretty good sign that you need a NIC that reduces the number of interrupts your processor has to service. – Spiff – 2012-07-09T21:58:03.943

how would i find out if my nic supports interrupt coalescing and LRO? – monkthemighty – 2012-07-11T19:58:30.617

@monkthemighty Check with the chip or board vendor, or check with whoever maintains the driver you're using. I'm not enough of a Linux guy to advise you on how to use Linux tools to check on that. It might be worth asking a separate Question here on Super User. – Spiff – 2012-07-11T20:17:42.917


The short answer to your question is yes, these are signs of a router that cannot handle the load it is being asked to handle. The CPU is spending most of its time figuring how to handle packets it has received and higher-level operations are getting starved.

The obvious solution is to replace the router with one using more capable hardware. However, it may be possible to optimize the router's configuration.

For example, say you have a bunch of ports that are blocked. If you test each blocked port with a rule, then lots of traffic will have to be tested by each of those rules. If 95% of your traffic is to port 80, adding an "allow" rule at the top will let most of the traffic skip most of the rules. Similarly, adding an "accept if it's part of an established connection" rule at the top if the input chain can help.

The router may also be either running low on memory or running out of connection slots. When the router is out of connection slots, it will refuse to establish new connections. When things are bad, see if net.netfilter.nf_conntrack_count is close to net.netfilter.nf_conntrack_max. If it is, and you have the memory, raise the limit. If you don't have the memory, you can reduce the timeouts a bit.

David Schwartz

Posted 2012-07-09T19:57:28.050

Reputation: 58 310


If you're using a Wifi router then it is probably that you are suffering from buffer bloat. This is a temporary condition that is fixed by cycling the router's power.


Posted 2012-07-09T19:57:28.050

Reputation: 249