Ethernet Products
Determine ramifications of Intel® Ethernet products and technologies
4810 Discussions

esp-hw-offload of 82599es on CentOS7 slow down the ipsec connection

guoc
Beginner
2,146 Views

# Problem

i'm configuring libreswan but the bandwidth drop to 28Mbps from 5Gbps when we set nic-offload to auto or yes.

 

# system

CentOS 7 / Kernel 5.1.15(elrepo)

Libreswan 3.28(compiled from source)

 

CPU0: Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz 

Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection

 

# Ref

 

I created a github issue and posted our system information there: https://github.com/libreswan/libreswan/issues/252

0 Kudos
15 Replies
Caguicla_Intel
Moderator
1,901 Views

Hello 3000022544221.5622332363001172E12,

 

Thank you for posting in Intel Ethernet Communities. 

 

Please provide the System Support Utility log of your system. This will allow us to check your Adapter details and configuration. This would also help us to identify if this is an OEM or Intel retail version of Ethernet Adapter. Kindly refer to the steps below.

1- Download from https://downloadcenter.intel.com/product/91600/Intel-System-Support-Utility

2- Open SSU.exe

3- Mark the box "Everything" and then click "Scan".

4- When finished scanning, click "Next".

5- Click on "Save" and attach the file to a post.

 

Looking forward to your response.

 

Best regards,

Crisselle C

Intel Customer Support

A Contingent Worker at Intel

0 Kudos
guoc
Beginner
1,901 Views

Hi, because we use Linux, i ran the linux version of ssu under CentOS and this is the result it left to me.

0 Kudos
Caguicla_Intel
Moderator
1,901 Views

Hello 3000022544221.5622332363001172E12,

 

Thank you for the reply. We will check on your query and give you an update as soon as there is any findings.

 

Hoping for your patience.

 

We might post on this thread to ask an additional questions that would help us to further investigate on this matter.

 

Best regards,

Crisselle C

Intel Customer Support

A Contingent Worker at Intel

0 Kudos
Caguicla_Intel
Moderator
1,901 Views

Hello 3000022544221.5622332363001172E12,

 

We apologize for the delay on this matter.

 

We'd like to check if you have tried the latest ixgbe driver version 5.6.1

https://sourceforge.net/projects/e1000/files/ixgbe%20stable/5.6.1/

 

Looking forward to your reply.

 

Best regards,

Crisselle C

Intel Customer Support

A Contingent Worker at Intel

0 Kudos
Caguicla_Intel
Moderator
1,901 Views

Hello 3000022544221.5622332363001172E12,

 

We'd like to check if you have tried the latest ixgbe driver version 5.6.1 Please give us an update on this matter.

 

Awaiting to your reply.

 

Best regards,

Crisselle C

Intel Customer Support

A Contingent Worker at Intel

0 Kudos
guoc
Beginner
1,901 Views

Yes, we tried. and we figure out that, the driver support esp offload, but only in transport mode, not tunnel mode. not sure it's driver's or libreswan's issue.

however we have a another question after we setup a GRE tunnel over IPSec, to route between two subnet.

 

the interesting part is

  • GRE alone works perfectly
  • IPSec (tunnel mode, offload is on) alone, works perfectly
  • GRE + IPSec. no. the bandwidth is limited to 28Mbps

the setup already uses the latest ixgbe driver

0 Kudos
Caguicla_Intel
Moderator
1,901 Views

Hello 3000022544221.5622332363001172E12,

 

Thank for the prompt reply.

 

Please allow us to double check on your query. We will give you an update within 2-3 business days.

 

Hoping for your patience.

 

Best regards,

Crisselle C

Intel Customer Support

A Contingent Worker at Intel

0 Kudos
guoc
Beginner
1,901 Views

sorry, there is a mistake in my last reply. all ipsec configuration is transport mode

0 Kudos
Caguicla_Intel
Moderator
1,901 Views

Hello 3000022544221.5622332363001172E12,

 

Thank you for the patience on this matter.

 

We'd like to clarify your statement "all ipsec configuration is transport mode" are you referring to "IPSec (tunnel mode, offload is on) alone, works perfectly"

 

Does this mean that it should be "IPSec transport mode, offload is on works perfectly?"

 

Looking forward to your reply. 

 

Best regards,

Crisselle C

Intel Customer Support

A Contingent Worker at Intel

0 Kudos
Caguicla_Intel
Moderator
1,901 Views

Hello 3000022544221.5622332363001172E12,

 

We'd like to clarify your last statement on this thread, "all ipsec configuration is transport mode" are you referring to "IPSec (tunnel mode, offload is on) alone, works perfectly"

 

Does this mean that it should be "IPSec transport mode, offload is on works perfectly?"

 

Looking forward to your reply. 

 

Best regards,

Crisselle C

Intel Customer Support

A Contingent Worker at Intel

0 Kudos
guoc
Beginner
1,901 Views

yes. it should be "IPSec (transport mode, offload is on) works perfectly"

 

0 Kudos
Caguicla_Intel
Moderator
1,901 Views

Hello 3000022544221.5622332363001172E12,

 

Thank you for the confirmation.

 

We will continue to work on this matter and give you an update within 2-3 business days.

 

Hoping for your patience.

 

Best regards,

Crisselle C

Intel Customer Support

A Contingent Worker at Intel

0 Kudos
Caguicla_Intel
Moderator
1,901 Views

Hello 3000022544221.5622332363001172E12,

 

We apologize for the delay on this matter.

 

We would recommend to check with the e1000-devel mailing list on sourceforge website for further assistance.

https://sourceforge.net/projects/e1000/

 

If you have additional questions and clarifications, please let us know.

 

Best regards,

Crisselle C

Intel Customer Support

A Contingent Worker at Intel

0 Kudos
Caguicla_Intel
Moderator
1,901 Views

Hello 3000022544221.5622332363001172E12,

 

We'd like to check if you were able to check with e1000-devel regarding this matter. Let us know if you have additional questions and clarifications on this matter.

 

We look forward to your reply.

 

Best regards,

Crisselle C

Intel Customer Support

A Contingent Worker at Intel

0 Kudos
Caguicla_Intel
Moderator
1,901 Views

Hello 3000022544221.5622332363001172E12,

 

We hope that the e100-devel was able to help you with you request. Please be informed that we will now close this inquiry since we haven't receive any response on our previous follow up. If you have any other concern or additional questions, kindly post a new question.

 

Best regards,

Crisselle C

Intel Customer Support

A Contingent Worker at Intel

0 Kudos
Reply