Solved

Server 2012R2

Posted on 2014-04-23
Last Modified: 2014-04-28
Best Practices Analyzer on Server 2012 Server installed as VM on Server2012R2.
Warning Enable IPsec Task Offload v2(TOv2) on a network adaptor.

BPA says there are TOv2 capable adaptors.

Do not see this exact feature on the VM adaptor or the Physical machines adaptors.
The physical server BPA does not report the same warning.
There is an IPsecV2 offload on the physical machine and it is already enabled.  I'm confident this is not a big concern, but hopefully someone knows how to make BPA happy.
Thanks
0
Question by:kbettencourt
16 Comments
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40017783
See if the PowerShell command "Get-NetAdapterIPsecOffload" gives you any feedback. If you get nothing in return, it means the feature is probably not available on any of your network adapters... We'll probably have to search deeper...

If it is available however, but it is not enabled, then you can normally just enable it with "Enable-NetAdapterIPsecOffload -Name *".
0
 

Author Comment

by:kbettencourt
ID: 40017804
Get-NetAdapterIPsecOffload

Name                           Enabled         SaOffloadCapacityEnabled
----                           -------         ------------------------
Ethernet                       False           0

Looking at "Ethernet":
IPSec Offload = Auth Header and ESP Enabled
Large Send Offload Version 2 is enabled for IPV4 and IPV6
Thanks
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40017828
So was it enabled, or did you enable it?

Is the warning gone in BPA?
0
 

Author Comment

by:kbettencourt
ID: 40017851
Sorry for not being clear.  Did not change anything, just looked at the advanced tab of the Ethernet adaptor and copied the settings that looked like they may have been relevant.
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40017876
Ah ok ... No problem ...

It's indeed not enabled, the "false" statement means that the feature is not enabled but available, so you can use this

Enable-NetAdapterIPsecOffload -Name *

To enable it ...

After that the warning should go away...
0
 

Author Comment

by:kbettencourt
ID: 40017911
PS C:\Users\chris.KT> Enable-NetAdapterIPsecOffload -Name *.
PS C:\Users\chris.KT> Get-NetAdapterIPsecOffload

Name                           Enabled         SaOffloadCapacityEnabled
----                           -------         ------------------------
Ethernet                       False           0


PS C:\Users\chris.KT>

Appears to take the command but does not reflect the change.  Need to disable and re-enable it or cycle some service?

Ran another BPA scan but no change.

Am I not entering the command correctly?  Syntax correct?
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40017954
Hmmm...

Normally that should be enough, does it restart your network adapter when you perform the command?

Try this maybe:

Enable-NetAdapterIPsecOffload -Name Ethernet

Maybe it helps specifying the name ... Also, make sure you run the PowerShell window with administrator rights (right-click run as administrator)... Just to be sure.

You can also add -Confirm behind the command ... Maybe it will give us more info
0
 

Author Comment

by:kbettencourt
ID: 40017965
It did not restart the adapter.
I did try several variations including the name internet as you suggest.

Unless you have any other ideas, I'll restart the VM tonight.

Thanks for your help!
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40017981
Ok, just make sure you use an elevated prompt to perform the command ...

Besides trying it with some options like so:

Enable-NetAdapterIPsecOffload -Name Ethernet -Confirm -IncludeHidden

We'll need to see if a reboot triggers something ...
0
 

Author Comment

by:kbettencourt
ID: 40019650
Restarted the server and ran the BPA again with no change.
Given this error is on a VM, it makes little sense.  All of the drivers are virtual and it is reporting disabled.
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40019872
It's strange that performing the command doesn't do anything, it should at least restart the network card ...

I wish I could reproduce this, but I haven't got Hyper-V running at the moment, I've tried on other virtual Windows 2012 machines but their vnics don't support IPsecOffload.

You can check if IPsec offloading is enabled for the vm in Hyper-V under the network card --> Hardware Acceleration.

Maybe it needs to be set there first ... If not already done...
0
 

Author Comment

by:kbettencourt
ID: 40020928
Interesting, never noticed this option before.
IPsec task offloading enable is checked with max number of 512. Must be default, I am sure I did not change it.

Virtual machine queue is enabled
SR-IOV is not checked

Thanks again for your help.
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40020962
No problem ...

The only thing left I found is the following:

- The Hyper-V Host must have rss and tcp offload enabled on all the necessary physical nics
- The virtual nics must be synthetic nics, not the emulated kind.
- In Hyper-V Manager the virtual nics must have "Enable virtual network optimizations" turned on

After all these checks and configs Rss and tcp offload will normally be automatically turned on in the guest vm now...
0
 

Author Comment

by:kbettencourt
ID: 40027688
The only thing I am not sure of is whether the NIC is synthetic or emulated.
I created Gen1 VMs, so I think that means they are emulated.  
Just tried to add another nic on an offline VM and it is not giving me any options other than legacy and software. So I assume synthetic is not available in a gen1 VM.
0
 
LVL 25

Accepted Solution

by:
Zephyr ICT earned 1500 total points
ID: 40027860
It should be available on gen1 VMs though ... They can have Synthetic network adapters but require drivers (Hyper-V integration components/services), they do not offer PXE though, so if you need that ...
0
 

Author Closing Comment

by:kbettencourt
ID: 40027884
The non-legacy adaptor is the one that requires integration components/services.
So this VM is using the non-legacy adaptor.
Will close the issue for now.  If you have come across any other ideas, please let me know.
Thanks again for your help!
0
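
Added example, not part of the thread and not any participant's code: a PowerShell function for the guest that runs the enable step discussed above, re-reads the state instead of trusting a silent return, and puts the driver's Advanced-tab IPsec setting next to the cmdlet's Enabled value. The function name Enable-IPsecOffloadVerified is hypothetical; it assumes an elevated session and the NetAdapter cmdlets used in the thread.

```powershell
# Added example, not from the thread. Run elevated inside the guest.
# Enable-IPsecOffloadVerified is a hypothetical helper name.
function Enable-IPsecOffloadVerified {
    [CmdletBinding()]
    param(
        [string]$Name = '*'   # adapter name or wildcard pattern
    )

    # A wildcard that matches no adapter returns nothing instead of an error,
    # so resolve the pattern first and stop if nothing matched.
    $targets = @(Get-NetAdapterIPsecOffload -Name $Name -ErrorAction SilentlyContinue)
    if ($targets.Count -eq 0) {
        throw "No adapter with IPsec offload support matches -Name '$Name'."
    }

    foreach ($t in $targets) {
        $before = [bool]$t.Enabled
        if (-not $before) {
            Enable-NetAdapterIPsecOffload -Name $t.Name
        }

        # Re-read the state rather than trusting the absence of an error.
        $after = Get-NetAdapterIPsecOffload -Name $t.Name

        # The driver's own settings, as listed on the adapter's Advanced tab.
        $adv = Get-NetAdapterAdvancedProperty -Name $t.Name -DisplayName '*IPsec*' `
                   -ErrorAction SilentlyContinue
        $advText = @($adv | Where-Object { $_ } |
                     ForEach-Object { "$($_.DisplayName) = $($_.DisplayValue)" }) -join '; '

        [pscustomobject]@{
            Name            = $t.Name
            EnabledBefore   = $before
            EnabledAfter    = [bool]$after.Enabled
            SaCapacity      = $after.SaOffloadCapacityEnabled
            AdvancedSetting = $advText
            Changed         = ($before -ne [bool]$after.Enabled)
        }
    }
}

Enable-IPsecOffloadVerified -Name 'Ethernet' | Format-List
```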
