Solved

Server 2012R2

Posted on 2014-04-23
Last Modified: 2014-04-28
Best Practices Analyzer on Server 2012 Server installed as VM on Server2012R2.
Warning: Enable IPsec Task Offload v2 (TOv2) on a network adaptor.

BPA says there are TOv2 capable adaptors.

Do not see this exact feature on the VM adaptor or the Physical machines adaptors.
The physical server BPA does not report the same warning.
There is an IPsecV2 offload on the physical machine and it is already enabled. I'm confident this is not a big concern, but hopefully someone knows how to make BPA happy.
Thanks
Question by:kbettencourt

Expert Comment

by:Zephyr ICT

See if the PowerShell command "Get-NetAdapterIPsecOffload" gives you any feedback; if you get nothing in return, it means the feature is probably not available on any of your network adapters... We'll probably have to search deeper...

If it is available however, but it is not enabled, then you can normally just enable it with "Enable-NetAdapterIPsecOffload -Name *. "

Author Comment

by:kbettencourt

Get-NetAdapterIPsecOffload

Name                           Enabled         SaOffloadCapacityEnabled
----                           -------         ------------------------
Ethernet                       False           0

Looking "Ethernet"
IPSec Offload = Auth Header and ESP Enabled
Large Send Offload Version 2 is enabled for IPV4 and IPV6
Thanks

Expert Comment

by:Zephyr ICT

So was it enabled, or you enabled it?

Is the warning gone in BPA?

Author Comment

by:kbettencourt

Sorry for not being clear. Did not change anything, just looked at the Advanced tab of the Ethernet adaptor and copied the settings that looked like they may have been relevant.

Expert Comment

by:Zephyr ICT

Ah ok ... No problem ...

It's indeed not enabled, the "false" statement means that the feature is not enabled but available, so you can use this

Enable-NetAdapterIPsecOffload -Name *. 


To enable it ...

After that the warning should go away...

Author Comment

by:kbettencourt

PS C:\Users\chris.KT> Enable-NetAdapterIPsecOffload -Name *.
PS C:\Users\chris.KT> Get-NetAdapterIPsecOffload

Name                           Enabled         SaOffloadCapacityEnabled
----                           -------         ------------------------
Ethernet                       False           0


PS C:\Users\chris.KT>

Appears to take the command but does not reflect the change.  Need to disable and re-enable it or cycle some service?

Ran another BPA scan but no change.

Am I not entering the command correctly?  Syntax correct?

Expert Comment

by:Zephyr ICT

Hmmm...

Normally that should be enough, does it restart your network adapter when you perform the command?

Try this maybe:

Enable-NetAdapterIPsecOffload -Name Ethernet


Maybe it helps specifying the name ... Also, make sure you run the PowerShell window with administrator rights (right-click, run as administrator)... Just to be sure.

You can also add -Confirm behind the command ... Maybe it will give us more info

Author Comment

by:kbettencourt

It did not restart the adapter.
I did try several variations including the name internet as you suggest.

Unless you have any other ideas, I'll restart the VM tonight.

Thanks for your help!

Expert Comment

by:Zephyr ICT

Ok, just make sure you use an elevated prompt to perform the command ...

Besides trying it with some options like so:

Enable-NetAdapterIPsecOffload -Name Ethernet -Confirm -IncludeHidden

We'll need to see if a reboot triggers something ...

Author Comment

by:kbettencourt

Restarted the server and ran the BPA again with no change.
Given this error is on a VM, it makes little sense.  All of the drivers are virtual and it is reporting disabled.

Expert Comment

by:Zephyr ICT

It's strange that performing the command doesn't do anything, it should at least restart the network card ...

I wish I could reproduce this, but I haven't got Hyper-V running at the moment, I've tried on other virtual Windows 2012 machines but their vnics don't support IPsecOffload.

You can check if IPsec offloading is enabled for the vm in Hyper-V under the network card --> Hardware Acceleration.

Maybe it needs to be set there first ... If not already done...

Author Comment

by:kbettencourt

Interesting, never noticed this option before.
IPsec task offloading enable is checked with max number of 512. Must be the default; I am sure I did not change it.

Virtual machine queue is enabled
SR-IOV is not checked

Thanks again for your help.

Expert Comment

by:Zephyr ICT

No problem ...

The only thing left I found is the following:

- The Hyper-V host must have RSS and TCP offload enabled on all the necessary physical NICs
- The virtual NICs must be synthetic NICs, not the emulated kind.
- In Hyper-V Manager, the virtual NICs must have "Enable virtual network optimizations" turned on

After all these checks and configs, RSS and TCP offload will normally be automatically turned on in the guest VM now...

Author Comment

by:kbettencourt

The only thing I am not sure of is whether the NIC is synthetic or emulated.
I created Gen1 VMs, so I think that means they are emulated.  
Just tried to add another NIC on an offline VM and it is not giving me any options other than legacy and software. So I assume synthetic is not available in a gen1 VM.
Accepted Solution

by:
Zephyr ICT earned 500 total points
It should be available on gen1 VMs though ... They can have synthetic network adapters, but these require drivers (Hyper-V integration components/services); they do not offer PXE though, so if you need that ...

Author Closing Comment

by:kbettencourt

The non-legacy adaptor is the one that requires integration components/services.
So this VM is using the non-legacy adaptor.
Will close the issue for now.  If you have come across any other ideas, please let me know.
Thanks again for your help!
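
The checks discussed in this thread, gathered into one script as an added example (not code from any of the posters): the first function runs on the Hyper-V host and the second inside the guest. The VM name `VM01` and both function names are assumptions; `Ethernet` is the adapter name shown in the output above.

```powershell
# Added example. 'VM01' and both function names are placeholders.

# Host side (elevated, Hyper-V module): the per-vNIC "Hardware Acceleration"
# settings and whether each adapter is legacy (emulated) or synthetic.
function Get-VmNicOffloadSummary {
    param([Parameter(Mandatory)][string]$VMName)
    Get-VMNetworkAdapter -VMName $VMName | ForEach-Object {
        [pscustomobject]@{
            VMName       = $_.VMName
            Adapter      = $_.Name
            Type         = if ($_.IsLegacy) { 'Legacy (emulated)' } else { 'Synthetic' }
            # 0 means IPsec task offload is switched off for this vNIC
            IPsecMaxSA   = $_.IPsecOffloadMaximumSecurityAssociation
            VmqEnabled   = $_.VmqWeight -gt 0
            SriovEnabled = $_.IovWeight -gt 0
        }
    }
}

# Guest side (elevated): read the state, optionally try to enable, read again.
function Test-GuestIPsecOffload {
    param([string]$Name = 'Ethernet', [switch]$Enable)
    $before = Get-NetAdapterIPsecOffload -Name $Name -ErrorAction SilentlyContinue
    if (-not $before) {
        # Nothing returned: no adapter of that name, or no IPsec offload support.
        Write-Warning "No IPsec offload settings returned for '$Name'."
        return
    }
    if ($Enable -and -not $before.Enabled) {
        # Exact name, not a pattern: a wildcard that matches no adapter
        # (for example '*.') returns without an error and changes nothing.
        Enable-NetAdapterIPsecOffload -Name $Name
    }
    $after = Get-NetAdapterIPsecOffload -Name $Name
    [pscustomobject]@{
        Adapter       = $after.Name
        EnabledBefore = $before.Enabled
        EnabledAfter  = $after.Enabled
        SaCapacity    = $after.SaOffloadCapacityEnabled
    }
}

# On the host:   Get-VmNicOffloadSummary -VMName 'VM01'
# In the guest:  Test-GuestIPsecOffload -Name 'Ethernet' -Enable
```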