What "Packet(UDP) cannot be sent. reason: Network congestion" means actually?

Options
mMontana
mMontana Posts: 1,337  Guru Member
First Anniversary 10 Comments Friend Collector First Answer
edited May 4 in Security

USG40, firmware V4.73(AALA.2)ITS-23WK23-r109633 (latest available, lab version).

This act as VPN endpoint for a lot of connections (8 gateways, 2 of these are Client2Server, 11 connections with 1 disabled currently). One of the SiteToSite connections use SQL+CIFS application, is the "most used" site according to this service.

Worked nicely until 2/3 weeks ago.


Currently this "most used site" complain about lack of speed and smoothness of the application. Logs reports several times at different hours
Packet(UDP) cannot be sent. reason: Network congestion
message is from the WAN interface IP and to several counterpars: public IPs of the SiteToSite gateways or of the Client2Site clients (which uses IPSec or L2TP/IPSec)

BWM is enabled.
WAN1 reports this setup as bandwidth: Egress 9571kbps, Ingress 40945kbps.
Egress yesterday was reduced by 10% (was 10576). Device was also rebooted yesterday.
My connection is a VDSL, CPE of the provider reports as negotiated 10,65mbps, roughly 10905 kbps.
CPU usage is roughly at 50%, memory usage 42%. There are 38 security policies, not all enabled, 3 NAT sections currently disabled. No AP Controller.
Currently the log keep being "flooded" with message Packet(UDP) cannot be sent. reason: Network congestion

The message is not reportef into handbook (ZLD4.60) or User manual (V4.73 Ed1). I'm also trying to get support from my ISP. I can guess that the device is not sending data, but I don't get at which level.

I'm not allowed to remote access the device, however I can share some configuration screenshot.


First goal is understanding what's appening at gateway level, final goal is restore the smooth behavior that the installation had until few weeks ago. I dont' blame Zyxel device/software, it's the only device which is not "under ISP control" so the only one that allows me to tune things up.

All Replies

  • PeterUK
    PeterUK Posts: 2,856  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    The problem might be that you set your Ingress which I think deals with packet dropping differently then Egress  

  • mMontana
    mMontana Posts: 1,337  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited May 4
    Options

    How could BWM know the connection capabilities without an Egress value? would stumble constantly trying to send data… that the CPE cannot deliver (and cannot sense anything from ethernet connectio).

    I mean… it's IPSec that's saying "i can't", not BWM that says "too much data".
    On one hand could make sense, on the other… It's poorly explained. The "refused" service complain, not the bumper.

    Edit: I changed Egress to an unreasonable value for my connection… and IPSec keep logging Packet(UDP) cannot be sent. reason: Network congestion

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,462  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    After enabling BWM, the packets will be controlled by a queue, potentially reaching the maximum limitation in bits per second. During such instances, certain ESP packets may fail to send, triggering a "Network congestion" alert.

  • mMontana
    mMontana Posts: 1,337  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    I'll try to rephrase, correct me if I'm wrong.

    IPSec cannot deliver packages due to BMW, so it reportis it. However BWM do not report anything into log, because no rule is "touched" from this issue.

    I got it correctly?

  • DeanH
    DeanH Posts: 46  Freshman Member
    First Anniversary 10 Comments
    edited May 10
    Options

    Hello mMontana,

    What do you have the BWM guaranteed bandwidth set to, currently, for IPSec traffic?

    The BWM should be using the egress port bandwidth limit to determine the available bandwidth, and from there put guaranteed traffic first, then everything else following by priority levels.

  • mMontana
    mMontana Posts: 1,337  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    I asked for a specific Howto, because current one is related to "services", but not actually for the VPN connection.

  • mMontana
    mMontana Posts: 1,337  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Sorry to bug you, @Zyxel_Cooldia Was my rephrase correct (and therefore) I understood correctly your answer?

Security Highlight