14 Replies Latest reply on Oct 27, 2010 8:48 AM by mak_j_b

    Problem with Intel Gigabit ET Dual Port Server Adapter 82576GB

    mak_j_b

      Hi all, i have a problem with this kind of NIC: i have bought some of this nic to use"Ipsecurity Offload" functions. i have installed with latest drivers (Intel Proset 15.5) and configured as suggested, but i have the same performance like a stantard NIC.

      just a note: in Intel FAQ, there are some setting to apply to the NIC... this setting are availabe only in standard windows 2008 drivers.... after i have installed intell proset, this parameters diappear and i can check or uncheck only the option for "IPsec Offload" on the nic

      thk for your answers

      Mak

        • 1. Re: Problem with Intel Gigabit ET Dual Port Server Adapter 82576GB
          mark_h_@intel

          Follow these steps to enable IPsec Offload on an adapter port in Windows* Device Manager:

          1. Select Advanced tab

          2. Select TCP/IP Offloading Options. You will find that option near the botto of the settings list.

          3. Click the Properties button

          4. Check IPsec Offload

          5. Click OK

          6. Click OK

          Repeat the steps for each port where you want to enable the offloading.

          • 2. Re: Problem with Intel Gigabit ET Dual Port Server Adapter 82576GB
            mak_j_b

            Thank Mark for your answer, the problem is that I have already done this operation on all nic, but there are no changes in CPU performance or throughput as no features for IPSEC selected. just a note: in intel documentation (FAQ: IP Security (IPSec) Offload) is wrote that there are 4 possible configuration that i can't find in NIC's Advanced Tab (sorry for my english, but it's not my first language), but i can't find it

            thank again

            Mak

            • 3. Re: Problem with Intel Gigabit ET Dual Port Server Adapter 82576GB
              mak_j_b

              Hi all, here 3 tests done to explain my problem.

               

               

              I have tryed to uninstall and reinstall the software and re-done some   tests.

              The environment  is:

              - N° 2 servers HP  DL380G6

              - Same subnet (no  firevall between the 2 servers)

              - Fresh installation of  drivers in Pro-set 15.5 package

              - Fault Tollerance  Teaming

              - Speed 1.0Gbit  forced

              - Windows 2008 x64 sp2  (NOT R2 version)

               

              Test  1 (IPSEC enabled – IPSEC Offload on NIC disabled):

               

              E:\FTPStart>ftp  XXXXXXXXXXX

              Connected to  XXXXXXXXXXX.

              220 Microsoft FTP  Service

              User  (XXXXXXXXXXX:(none)): anonymous

              331 Anonymous access  allowed, send identity (e-mail name) as password.

              Password:

              230 Anonymous user  logged in.

              ftp> cd  psitof00005p

              250 CWD command  successful.

              ftp>  bin

              200 Type set to  I.

              ftp> put  prova_500mb.exe

              200 PORT command  successful.

              150 Opening BINARY mode  data connection for prova_500mb.exe.

              226  Transfer complete.

              ftp:  605410472 bytes sent in 71,33Seconds 8487,58Kbytes/sec.

              ftp> put  prova_500mb.exe

              200 PORT command  successful.

              150 Opening BINARY mode  data connection for prova_500mb.exe.

              226  Transfer complete.

              ftp:  605410472 bytes sent in 73,58Seconds 8227,47Kbytes/sec.

              ftp>  bye

               

              Test  2 (IPSEC enabled – IPSEC Offload on NIC enabled):

               

              E:\FTPStart>ftp  XXXXXXXXXXX

              Connected to  XXXXXXXXXXX.

              220 Microsoft FTP  Service

              User (XXXXXXXXXXX:(none)): anonymous

              331 Anonymous access  allowed, send identity (e-mail name) as password.

              Password:

              230 Anonymous user  logged in.

              ftp> cd  psitof00005p

              250 CWD command  successful.

              ftp>  bin

              200 Type set to  I.

              ftp> put  prova_500mb.exe

              200 PORT command  successful.

              150 Opening BINARY mode  data connection for prova_500mb.exe.

              226  Transfer complete.

              ftp:  605410472 bytes sent in 59,90Seconds 10107,69Kbytes/sec.

              ftp> put  prova_500mb.exe

              200 PORT command  successful.

              150 Opening BINARY mode  data connection for prova_500mb.exe.

              226  Transfer complete.

              ftp:  605410472 bytes sent in 67,99Seconds 8903,88Kbytes/sec.

              ftp>  bye

               

              Test  3 (IPSEC disabled – IPSEC Offload on NIC disabled):

               

              E:\FTPStart>ftp  XXXXXXXXXXX

              Connected to  XXXXXXXXXXX.

              220 Microsoft FTP  Service

              User  (XXXXXXXXXXX:(none)): anonymous

              331 Anonymous access  allowed, send identity (e-mail name) as password.

              Password:

              230 Anonymous user  logged in.

              ftp> cd  psitof00005p

              250 CWD command  successful.

              ftp>  bin

              200 Type set to  I.

              ftp> put  prova_500mb.exe

              200 PORT command  successful.

              150 Opening BINARY mode  data connection for prova_500mb.exe.

              226  Transfer complete.

              ftp:  605410472 bytes sent in 5,25Seconds 115426,21Kbytes/sec.

              ftp>  bye

              221

               

               

              Thanks  again

              Mak

              • 4. Re: Problem with Intel Gigabit ET Dual Port Server Adapter 82576GB
                mconover

                Hi Mak,

                 

                Mike from the Intel wired Ethernet group here.  Sorry to hear you're having trouble with your IPsec offload connection; I'll do my best to help get you up and going.  I'd like to get a little information about your setup to help troubleshoot the problem you're seeing.

                 

                1) Can you confirm that the adapters on both ends of your FTP connection support IPsec offload, and that it's enabled on both?  If IPsec offload is unavailable (or disabled) on either end, then software will be doing all the IPsec processing for that side and the results you'll see for the connection will be much slower than with IPsec disabled altogether.

                 

                2) If IPsec offload is supported and enabled on both sides of the connection, can you confirm that the IPsec algorithm in the rule you're using is supported for offload by the Intel(r) Gigabit ET Dual Port Server Adapter?

                 

                3) From your notes, I see that the adapter is part of a team.  For IPsec offload to work in a team, all members of the team must support it.  Can you confirm that the adapters in your team all support IPsec offload?

                 

                Please let me know if all of the above are true for your environment, and we'll go from there.

                • 5. Re: Problem with Intel Gigabit ET Dual Port Server Adapter 82576GB
                  mak_j_b

                  Hi Mike,

                  thanks for your answer... I'll try to answer to all your question (sorry, but english is not my first language, so I will try to be clearest I can).

                  As I told, we have bought some NIC Intel Gigabit ET Dual Port Server Adapter 82576GB to made test with IPSEC Offload with this configuration on the servers:

                   

                  N°4 Servers:

                  -- HP  DL380 G6 - Quad core processor - 4 Gb Ram

                  -- Same subnet (no  firewall between the 2 servers)

                  -- Fault Tollerance  Teaming / Nic-to-Nic without teaming

                  -- Speed 1.0 Gbit  forced

                  -- Windows 2008 x64 sp2 (NOT R2 version)

                  in Windows Domain

                   

                  -- Intel Gigabit ET Dual Port Server Adapter 82576GB

                   

                  I tested file transfert with:

                  - 2 servers with Teaming (using Intel ProSet 15.5 software and drivers)

                  - 2 servers without Teaming (using drivers in Intel ProSet 15.5 package, but without Intel Proset software installed)

                  - 2 servers without Teaming (using Intel ProSet 15.5 software and drivers)

                  - 2 servers without Teaming and cross cable to exclude network problems (using Intel ProSet 15.5 software and drivers)

                   

                   

                  Software used to made tests:

                  -- Microsoft FTP Server

                   

                  About yor question:

                   

                  1) yes; all the adapters support IPsec Offload and is enabled in all configurations (without Intel Proset is possible to specify 3 kind of settings, but nothing change): 1 of the 4 cores is near 95% and realy slow throughput (you can see il the previous post all file transfert test with and without IpSec Offload)

                   

                  2) I haven't understood what do you mean with "can you confirm that the IPsec algorithm in the rule you're using is supported for offload by the Intel(r) Gigabit ET Dual Port Server Adapter". We are trying to made a simple file transfert with an active FTS server.

                   

                  3) yes; i have enabled IPsec offload on all the members of the team and enabled on all the ports too when i tryied without teaming

                   

                  Thanks again

                  Mak

                  • 6. Re: Problem with Intel Gigabit ET Dual Port Server Adapter 82576GB
                    mak_j_b

                    Hi Mike,

                    an other information for you: i have found this Microsoft's article (http://technet.microsoft.com/en-us/library/dd125367(WS.10).aspx) and tested on a couple of servers.

                    - disabled all on-board the nics, leaving only ET Nics configured as team (on both servers);

                    - added the registry keys as requested in the document on both servers;

                    - rebooted the servers

                     

                    nothing change as i have seen until now in my tests, but there is a strange thing: at the end of the document, Microsoft suggest to use Performance Monitor to verify if IPSec offload is working: all counters stay to 0 during all FTP transfert file

                    that all

                    thaks

                    Mak

                    • 7. Re: Problem with Intel Gigabit ET Dual Port Server Adapter 82576GB
                      mconover

                      Hi Mak,

                       

                      Thanks for the good information, this helps a lot.  It seems that IPsec offload is enabled, but the OS is not asking the NIC to offload the IPsec connection for your FTP session.  Let's see if we can figure out why.

                       

                      Can you tell me the parameters for the IPsec rule(s) you have enabled on your system?  You can view the parameters using the netsh command from a command prompt.  I'm having some technical difficulty that's preventing me from posting a screenshot of the steps to view the rules, so Mark H has graciously offered to post it for me.  Please look for his post shortly after this one.

                       

                      Please let me know the output of your IPsec rules.

                       

                      Mike

                       

                      Message was edited by: Mike Conover for clarity.

                      • 8. Re: Problem with Intel Gigabit ET Dual Port Server Adapter 82576GB
                        mark_h_@intel

                        Here is the screenshot from Mike:

                        showrule.jpg

                        • 9. Re: Problem with Intel Gigabit ET Dual Port Server Adapter 82576GB
                          mak_j_b

                          Hi all,

                          i have made this test and the result is:

                           

                          "no rules match specified criteria."

                           

                          is it possible that this doesn't work because IPSec is implemented by AD Policy? a note: windows firewall an all machines is disabled

                          Thanks again

                          Mak

                          • 10. Re: Problem with Intel Gigabit ET Dual Port Server Adapter 82576GB
                            mconover

                            Hi Mak,

                             

                            My apologies for the delayed response.  I agree that your issue may be due to implementing IPsec via Active Directory/Group Policy.

                            Intel(r) Gigabit ET Dual Port Server Adapters support 128-bit Advanced Encryption Standard (AES) security algorithms for offload.  I did some testing in Windows Server 2008 R1 and R2, and I could not find a way to enable AES-based IPsec via Group Policy on either OS.  The available options in the Group Policy GUI seem to be limited to SHA1 or MD5 for authentication and DES or 3DES for encryption.

                             

                            I've sent a message off to some colleagues who have Windows IPsec expertise, to find out if they know of a way to enable AES using Group Policy/Active Directory.  I'll let you know as soon as I find out.

                             

                            Thanks and sorry again for the delay,

                            Mike

                            • 11. Re: Problem with Intel Gigabit ET Dual Port Server Adapter 82576GB
                              mak_j_b

                              Thank you very much Mike.

                              tell me if I can do something to help you or if you need other informations.

                              Mak

                              • 12. Re: Problem with Intel Gigabit ET Dual Port Server Adapter 82576GB
                                mconover

                                Hi Mak,

                                 

                                I checked with several colleagues, and everyone agreed that there does not seem to be a way to set up an AES-based IPsec policy under the Group Policy GUI.

                                 

                                However, this MSDN link explains how you might be able to use netsh to connect to a GPO and then use netsh to create an AES-based IPsec policy:

                                http://technet.microsoft.com/en-us/library/cc947798(WS.10).aspx

                                 

                                Please let me know if this will work for you, if you need any help with creating your IPsec rule under netsh, or if you have any further questions.

                                 

                                Thanks,

                                Mike

                                • 13. Re: Problem with Intel Gigabit ET Dual Port Server Adapter 82576GB
                                  mak_j_b

                                  Hi Mike and Mark,

                                  sorry for the delay.... I'm really happy to tell that now our Nics work really well: ftp transfert with offload Ipsec is really fast... 10 seconds for 500 MB instead 5 seconds without IPsec (and as I told 62 seconds with Ipsec without Offloads).

                                  Now we are studying a way to apply generic firewall's rules with domain policy, but it is not an Intel's issue... maybe we will call directly Microsoft for support.

                                  Really thanks: without your support we will never solve this problem.

                                  Mak

                                   

                                  p.s.: if is it possible, send me a mail to write an official thanks for both: in the same day I wrote here first time, I opened a case to our vendor and to Intel Official support with the same informations... no answer from the first and 3 standard answer from the second... you solved the problem! Really a great job!!!!

                                   

                                  thanks again

                                  Mak

                                  • 14. Re: Problem with Intel Gigabit ET Dual Port Server Adapter 82576GB
                                    mak_j_b

                                    the only way is to configure windows firewall via gpo and there is a really good (not really fast to read) document from Microsoft:

                                     

                                    Windows Firewall with Advanced Security

                                    Design Guide and Deployment Guide

                                     

                                    thx again

                                    Mak