Solved

Server 2012R2

Posted on 2014-04-23
16
2,044 Views
Last Modified: 2014-04-28
Best Practices Analyzer on Server 2012 Server installed as VM on Server2012R2.
Warning Enable IPsec Task Offload v2(TOv2) on a network adaptor.

BPA says there are TOv2 capable adaptors.

Do not see this exact feature on the VM adaptor or the Physical machines adaptors.
The physical server BPA does not report the same warning.
There is an IPsecV2 offload on the physical machine and it is already enabled. I'm confident this is not a big concern, but hopefully someone knows how to make BPA happy.
Thanks
Question by:kbettencourt
16 Comments
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40017783
See if the PowerShell command "Get-NetAdapterIPsecOffload" gives you any feedback. If you get nothing in return, it means the feature is probably not available on any of your network adapters... We'll probably have to search deeper...

If it is available, however, but it is not enabled, then you can normally just enable it with "Enable-NetAdapterIPsecOffload -Name *".
0
 

Author Comment

by:kbettencourt
ID: 40017804
Get-NetAdapterIPsecOffload

Name                           Enabled         SaOffloadCapacityEnabled
----                           -------         ------------------------
Ethernet                       False           0

Looking at "Ethernet"
IPSec Offload = Auth Header and ESP Enabled
Large Send Offload Version 2 is enabled for IPV4 and IPV6
Thanks
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40017828
So was it enabled, or did you enable it?

Is the warning gone in BPA?
0
 

Author Comment

by:kbettencourt
ID: 40017851
Sorry for not being clear. Did not change anything, just looked at the advanced tab of the ethernet adaptor and copied the settings that looked like they may have been relevant.
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40017876
Ah ok ... No problem ...

It's indeed not enabled, the "false" statement means that the feature is not enabled but available, so you can use this

Enable-NetAdapterIPsecOffload -Name *

To enable it ...

After that the warning should go away...
0
 

Author Comment

by:kbettencourt
ID: 40017911
PS C:\Users\chris.KT> Enable-NetAdapterIPsecOffload -Name *.
PS C:\Users\chris.KT> Get-NetAdapterIPsecOffload

Name                           Enabled         SaOffloadCapacityEnabled
----                           -------         ------------------------
Ethernet                       False           0


PS C:\Users\chris.KT>

Appears to take the command but does not reflect the change.  Need to disable and re-enable it or cycle some service?

Ran another BPA scan but no change.

Am I not entering the command correctly?  Syntax correct?
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40017954
Hmmm...

Normally that should be enough, does it restart your network adapter when you perform the command?

Try this maybe:

Enable-NetAdapterIPsecOffload -Name Ethernet


Maybe it helps specifying the name ... Also, make sure you run the PowerShell window with administrator rights (right-click, run as administrator)... Just to be sure.

You can also add -Confirm behind the command ... Maybe it will give us more info
0
 

Author Comment

by:kbettencourt
ID: 40017965
It did not restart the adapter.
I did try several variations including the name internet as you suggest.

Unless you have any other ideas, I'll restart the VM tonight.

Thanks for your help!
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40017981
Ok, just make sure you use an elevated prompt to perform the command ...

Besides trying it with some options like so:

Enable-NetAdapterIPsecOffload -Name Ethernet -Confirm -IncludeHidden

We'll need to see if a reboot triggers something ...
0
 

Author Comment

by:kbettencourt
ID: 40019650
Restarted the server and ran the BPA again with no change.
Given this error is on a VM, it makes little sense.  All of the drivers are virtual and it is reporting disabled.
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40019872
It's strange that performing the command doesn't do anything, it should at least restart the network card ...

I wish I could reproduce this, but I haven't got Hyper-V running at the moment, I've tried on other virtual Windows 2012 machines but their vnics don't support IPsecOffload.

You can check if IPsec offloading is enabled for the vm in Hyper-V under the network card --> Hardware Acceleration.

Maybe it needs to be set there first ... If not already done...
0
 

Author Comment

by:kbettencourt
ID: 40020928
Interesting, never noticed this option before.
IPsec task offloading enable is checked with max number of 512. Must be default; I am sure I did not change it.

Virtual machine queue is enabled
SR-IOV is not checked

Thanks again for your help.
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40020962
No problem ...

The only thing left I found is the following:

- The Hyper-V Host must have rss and tcp offload enabled on all the necessary physical nics
- The virtual nics must be synthetic nics, not the emulated kind.
- In Hyper-V Manager, the virtual nics must have "Enable virtual network optimizations" turned on

After all these checks and configs Rss and tcp offload will normally be automatically turned on in the guest vm now...
0
 

Author Comment

by:kbettencourt
ID: 40027688
The only thing I am not sure of is whether the NIC is synthetic or emulated.
I created Gen1 VMs, so I think that means they are emulated.  
Just tried to add another nic on an offline VM and it is not giving me any options other than legacy and software. So I assume synthetic is not available in a gen1 VM.
0
 
LVL 25

Accepted Solution

by:
Zephyr ICT earned 500 total points
ID: 40027860
It should be available on gen1 VMs though ... They can have Synthetic network adapters, but these require drivers (Hyper-V integration components/services); they do not offer PXE though, so if you need that ...
0
 

Author Closing Comment

by:kbettencourt
ID: 40027884
The non-legacy adaptor is the one that requires integration components/services.
So this VM is using the non-legacy adaptor.
Will close the issue for now.  If you have come across any other ideas, please let me know.
Thanks again for your help!
0
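
The host-side checks walked through in this thread (legacy vs. synthetic adapter, the Hardware Acceleration IPsec setting, VMQ and SR-IOV, and offload/RSS on the physical NIC behind the switch) can be collected in one pass from the Hyper-V host. This is an added example, not code from either poster; the function name Get-VmIPsecOffloadReport is hypothetical and the VM name 'SRV2012-VM' is a placeholder.

```powershell
# Added example: run in an elevated PowerShell session on the Hyper-V host.
# 'SRV2012-VM' is a placeholder VM name, not a value from the thread.

function Get-VmIPsecOffloadReport {
    param([Parameter(Mandatory)][string]$VMName)

    foreach ($vnic in Get-VMNetworkAdapter -VMName $VMName) {
        # Find the physical NIC bound to the virtual switch.
        # Internal and private switches have no physical NIC, so $pnic stays $null.
        $pnic = $null
        if ($vnic.SwitchName) {
            $desc = (Get-VMSwitch -Name $vnic.SwitchName).NetAdapterInterfaceDescription
            if ($desc) {
                $pnic = Get-NetAdapter -InterfaceDescription $desc -ErrorAction SilentlyContinue
            }
        }

        # Host-side offload state; empty if the NIC does not expose the feature.
        $hostOffload = if ($pnic) {
            Get-NetAdapterIPsecOffload -Name $pnic.Name -ErrorAction SilentlyContinue
        }
        $hostRss = if ($pnic) {
            Get-NetAdapterRss -Name $pnic.Name -ErrorAction SilentlyContinue
        }

        [pscustomobject]@{
            VM                 = $VMName
            VirtualNic         = $vnic.Name
            IsLegacy           = $vnic.IsLegacy   # True = emulated (legacy) adapter
            # Hardware Acceleration setting; 0 means IPsec task offload is disabled
            MaxIPsecOffloadSAs = $vnic.IPsecOffloadMaximumSecurityAssociation
            VmqWeight          = $vnic.VmqWeight  # 0 = virtual machine queue off
            IovWeight          = $vnic.IovWeight  # 0 = SR-IOV off
            PhysicalNic        = $pnic.Name
            HostIPsecOffload   = $hostOffload.Enabled
            HostRss            = $hostRss.Enabled
        }
    }
}

Get-VmIPsecOffloadReport -VMName 'SRV2012-VM' | Format-List
```

Comparing this output with Get-NetAdapterIPsecOffload run inside the guest shows whether the guest's "Enabled: False" lines up with a host-side setting or with a physical NIC that reports no IPsec offload.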
