Ethernet Products
Determine ramifications of Intel® Ethernet products and technologies
4811 Discussions

Problem with Intel Gigabit ET Dual Port Server Adapter 82576GB

idata
Employee
4,886 Views

Hi all, i have a problem with this kind of NIC: i have bought some of this nic to use"Ipsecurity Offload" functions. i have installed with latest drivers (Intel Proset 15.5) and configured as suggested, but i have the same performance like a stantard NIC.

just a note: in Intel FAQ, there are some setting to apply to the NIC... this setting are availabe only in standard windows 2008 drivers.... after i have installed intell proset, this parameters diappear and i can check or uncheck only the option for "IPsec Offload" on the nic

thk for your answers

Mak

0 Kudos
14 Replies
Mark_H_Intel
Employee
1,392 Views

Follow these steps to enable IPsec Offload on an adapter port in Windows* Device Manager:

  1. Select Advanced tab

     

  2. Select TCP/IP Offloading Options. You will find that option near the botto of the settings list.

     

  3. Click the Properties button

     

  4. Check IPsec Offload

     

  5. Click OK

     

  6. Click OK

     

Repeat the steps for each port where you want to enable the offloading.

0 Kudos
idata
Employee
1,392 Views

Thank Mark for your answer, the problem is that I have already done this operation on all nic, but there are no changes in CPU performance or throughput as no features for IPSEC selected. just a note: in intel documentation (FAQ: IP Security (IPSec) Offload) is wrote that there are 4 possible configuration that i can't find in NIC's Advanced Tab (sorry for my english, but it's not my first language), but i can't find it

thank again

Mak

0 Kudos
idata
Employee
1,392 Views

Hi all, here 3 tests done to explain my problem.

I have tryed to uninstall and reinstall the software and re-done some tests.

The environment is:

- N° 2 servers HP DL380G6

- Same subnet (no firevall between the 2 servers)

- Fresh installation of drivers in Pro-set 15.5 package

- Fault Tollerance Teaming

- Speed 1.0Gbit forced

- Windows 2008 x64 sp2 (NOT R2 version)

Test 1 (IPSEC enabled – IPSEC Offload on NIC disabled):

E:\FTPStart>ftp XXXXXXXXXXX

Connected to XXXXXXXXXXX.

220 Microsoft FTP Service

User (XXXXXXXXXXX:(none)): anonymous

331 Anonymous access allowed, send identity (e-mail name) as password.

Password:

230 Anonymous user logged in.

ftp> cd psitof00005p

250 CWD command successful.

ftp> bin

200 Type set to I.

ftp> put prova_500mb.exe

200 PORT command successful.

150 Opening BINARY mode data connection for prova_500mb.exe.

226 Transfer complete.

ftp: 605410472 bytes sent in 71,33Seconds 8487,58Kbytes/sec.

ftp> put prova_500mb.exe

200 PORT command successful.

150 Opening BINARY mode data connection for prova_500mb.exe.

226 Transfer complete.

ftp: 605410472 bytes sent in 73,58Seconds 8227,47Kbytes/sec.

ftp> bye

Test 2 (IPSEC enabled – IPSEC Offload on NIC enabled):

E:\FTPStart>ftp XXXXXXXXXXX

Connected to XXXXXXXXXXX.

220 Microsoft FTP Service

User (XXXXXXXXXXX:(none)): anonymous

331 Anonymous access allowed, send identity (e-mail name) as password.

Password:

230 Anonymous user logged in.

ftp> cd psitof0...

0 Kudos
Michael_C_Intel
Employee
1,393 Views

Hi Mak,

Mike from the Intel wired Ethernet group here. Sorry to hear you're having trouble with your IPsec offload connection; I'll do my best to help get you up and going. I'd like to get a little information about your setup to help troubleshoot the problem you're seeing.

1) Can you confirm that the adapters on both ends of your FTP connection support IPsec offload, and that it's enabled on both? If IPsec offload is unavailable (or disabled) on either end, then software will be doing all the IPsec processing for that side and the results you'll see for the connection will be much slower than with IPsec disabled altogether.

2) If IPsec offload is supported and enabled on both sides of the connection, can you confirm that the IPsec algorithm in the rule you're using is supported for offload by the Intel(r) Gigabit ET Dual Port Server Adapter?

3) From your notes, I see that the adapter is part of a team. For IPsec offload to work in a team, all members of the team must support it. Can you confirm that the adapters in your team all support IPsec offload?

Please let me know if all of the above are true for your environment, and we'll go from there.

0 Kudos
idata
Employee
1,393 Views

Hi Mike,

thanks for your answer... I'll try to answer to all your question (sorry, but english is not my first language, so I will try to be clearest I can).

As I told, we have bought some NIC Intel Gigabit ET Dual Port Server Adapter 82576GB to made test with IPSEC Offload with this configuration on the servers:

N°4 Servers:

-- HP DL380 G6 - Quad core processor - 4 Gb Ram

-- Same subnet (no firewall between the 2 servers)

-- Fault Tollerance Teaming / Nic-to-Nic without teaming

-- Speed 1.0 Gbit forced

-- Windows 2008 x64 sp2 (NOT R2 version)

in Windows Domain

-- Intel Gigabit ET Dual Port Server Adapter 82576GB

I tested file transfert with:

- 2 servers with Teaming (using Intel ProSet 15.5 software and drivers)

- 2 servers without Teaming (using drivers in Intel ProSet 15.5 package, but without Intel Proset software installed)

- 2 servers without Teaming (using Intel ProSet 15.5 software and drivers)

- 2 servers without Teaming and cross cable to exclude network problems (using Intel ProSet 15.5 software and drivers)

Software used to made tests:

-- Microsoft FTP Server

About yor question:

1) yes; all the adapters support IPsec Offload and is enabled in all configurations (without Intel Proset is possible to specify 3 kind of settings, but nothing change): 1 of the 4 cores is near 95% and realy slow throughput (you can see il the previous post all file transfert test with and without IpSec Offload)

2) I haven't understood what do you mean with "can you confirm that the IPsec algorithm in the rule you're using is supported for offload by the Intel(r) Gigabit ET Dual Port Server Adapter". We are trying to made a simple file transfert with an active FTS server.

3) yes; i have enabled IPsec offload on all the members of the team and enabled on all the ports too when i tryied without teaming

Thanks again

Mak

0 Kudos
Michael_C_Intel
Employee
1,393 Views

Hi Mak,

Thanks for the good information, this helps a lot. It seems that IPsec offload is enabled, but the OS is not asking the NIC to offload the IPsec connection for your FTP session. Let's see if we can figure out why.

Can you tell me the parameters for the IPsec rule(s) you have enabled on your system? You can view the parameters using the netsh command from a command prompt. I'm having some technical difficulty that's preventing me from posting a screenshot of the steps to view the rules, so Mark H has graciously offered to post it for me. Please look for his post shortly after this one.

Please let me know the output of your IPsec rules.

Mike

Message was edited by: Mike Conover for clarity.

Mark_H_Intel
Employee
1,393 Views

Here is the screenshot from Mike:

0 Kudos
idata
Employee
1,393 Views

Hi Mike,

an other information for you: i have found this Microsoft's article (http://technet.microsoft.com/en-us/library/dd125367(WS.10).aspx http://technet.microsoft.com/en-us/library/dd125367(WS.10).aspx) and tested on a couple of servers.

- disabled all on-board the nics, leaving only ET Nics configured as team (on both servers);

- added the registry keys as requested in the document on both servers;

- rebooted the servers

nothing change as i have seen until now in my tests, but there is a strange thing: at the end of the document, Microsoft suggest to use Performance Monitor to verify if IPSec offload is working: all counters stay to 0 during all FTP transfert file

that all

thaks

Mak

0 Kudos
idata
Employee
1,393 Views

Hi all,

i have made this test and the result is:

"no rules match specified criteria."

is it possible that this doesn't work because IPSec is implemented by AD Policy? a note: windows firewall an all machines is disabled

Thanks again

Mak

0 Kudos
Michael_C_Intel
Employee
1,393 Views

Hi Mak,

My apologies for the delayed response. I agree that your issue may be due to implementing IPsec via Active Directory/Group Policy.

Intel(r) Gigabit ET Dual Port Server Adapters support 128-bit Advanced Encryption Standard (AES) security algorithms for offload. I did some testing in Windows Server 2008 R1 and R2, and I could not find a way to enable AES-based IPsec via Group Policy on either OS. The available options in the Group Policy GUI seem to be limited to SHA1 or MD5 for authentication and DES or 3DES for encryption.

I've sent a message off to some colleagues who have Windows IPsec expertise, to find out if they know of a way to enable AES using Group Policy/Active Directory. I'll let you know as soon as I find out.

Thanks and sorry again for the delay,

Mike

0 Kudos
idata
Employee
1,393 Views

Thank you very much Mike.

tell me if I can do something to help you or if you need other informations.

Mak

Michael_C_Intel
Employee
1,393 Views

Hi Mak,

I checked with several colleagues, and everyone agreed that there does not seem to be a way to set up an AES-based IPsec policy under the Group Policy GUI.

However, this MSDN link explains how you might be able to use netsh to connect to a GPO and then use netsh to create an AES-based IPsec policy:

http://technet.microsoft.com/en-us/library/cc947798(WS.10).aspx http://technet.microsoft.com/en-us/library/cc947798(WS.10).aspx

Please let me know if this will work for you, if you need any help with creating your IPsec rule under netsh, or if you have any further questions.

Thanks,

Mike

0 Kudos
idata
Employee
1,393 Views

Hi Mike and Mark,

sorry for the delay.... I'm really happy to tell that now our Nics work really well: ftp transfert with offload Ipsec is really fast... 10 seconds for 500 MB instead 5 seconds without IPsec (and as I told 62 seconds with Ipsec without Offloads).

Now we are studying a way to apply generic firewall's rules with domain policy, but it is not an Intel's issue... maybe we will call directly Microsoft for support.

Really thanks: without your support we will never solve this problem.

Mak

p.s.: if is it possible, send me a mail to write an official thanks for both: in the same day I wrote here first time, I opened a case to our vendor and to Intel Official support with the same informations... no answer from the first and 3 standard answer from the second... you solved the problem! Really a great job!!!!

thanks again

Mak

0 Kudos
idata
Employee
1,393 Views

the only way is to configure windows firewall via gpo and there is a really good (not really fast to read) document from Microsoft:

Windows Firewall with Advanced Security

Design Guide and Deployment Guide

thx again

Mak

0 Kudos
Reply