
Bug #13074

open

AES-GCM with SafeXcel on Netgate 2100 causes MBUF overload

Added by Chris S almost 2 years ago. Updated almost 2 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Cryptographic Modules
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Release Notes:
Default
Affected Plus Version:
22.01
Affected Architecture:
SG-2100

Description

Running IPsec tunnels on a Netgate 2100 with AES-GCM and SafeXcel enabled seems to cause an MBUF overload requiring a reboot to re-establish the tunnel.

First spotted by NOCling in the forums. I was able to reproduce on my own 6100-2100 IPsec setup.

https://forum.netgate.com/topic/171469/netgate-2100-s2s-aes-gcm-and-safexcel-mbuf-overload
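As an added example (not from the ticket, the forum thread or pfSense itself), a small POSIX shell check that parses FreeBSD `netstat -m` output for the symptom reported above: mbuf clusters at their limit and denied allocation requests. The two sample outputs are constructed to mimic the real `netstat -m` field layout, and the function names and the 80% warning threshold are my own choices.

```shell
#!/bin/sh
# Added example, not part of the bug report: flag the mbuf-exhaustion state
# described in the ticket from `netstat -m` text read on stdin.
# On a live pfSense/FreeBSD box:  netstat -m | mbuf_check 80

# Percentage of the mbuf cluster limit in use (current*100/max).
mbuf_cluster_pct() {
    awk '/mbuf clusters in use/ {
        split($1, f, "/"); printf "%d\n", f[1] * 100 / f[4]; exit }'
}

# Sum of every denied-allocation counter on the "requests ... denied" lines.
mbuf_denied() {
    awk '/requests for .* denied/ {
        split($1, f, "/"); for (i in f) d += f[i] }
        END { printf "%d\n", d + 0 }'
}

# Reads netstat -m output on stdin and prints one OK / WARN / CRIT line.
mbuf_check() {
    warn_pct=${1:-80}
    input=$(cat)
    pct=$(printf '%s\n' "$input" | mbuf_cluster_pct)
    pct=${pct:-0}
    denied=$(printf '%s\n' "$input" | mbuf_denied)
    if [ "$denied" -gt 0 ]; then
        echo "CRIT: $denied mbuf requests denied, clusters at ${pct}% of limit"
    elif [ "$pct" -ge "$warn_pct" ]; then
        echo "WARN: mbuf clusters at ${pct}% of limit"
    else
        echo "OK: mbuf clusters at ${pct}% of limit"
    fi
}

# Constructed sample mimicking a healthy node (clusters far below max).
HEALTHY='16406/2044/18450 mbufs in use (current/cache/total)
16384/1432/17816/1000000 mbuf clusters in use (current/cache/total/max)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)'

# Constructed sample mimicking the exhausted state (clusters at max, denials).
EXHAUSTED='250190/110/250300 mbufs in use (current/cache/total)
250000/0/250000/250000 mbuf clusters in use (current/cache/total/max)
0/1532/41 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)'

printf '%s\n' "$HEALTHY" | mbuf_check
printf '%s\n' "$EXHAUSTED" | mbuf_check
```

A non-zero denied counter is the condition worth alerting on, since once allocations are refused the tunnel traffic stops regardless of the percentage shown.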


Related issues

Has duplicate Bug #13075: Netgate 2100 IPsec S2S AES GCM and SafeXcel mbuf overload (Duplicate)

Actions #1

Updated by Chris S almost 2 years ago

Reverting to AES-CBC with SHA384 in P1 and P2 works perfectly, even with SafeXcel enabled. Only seems to apply to AES-GCM.

Actions #2

Updated by Jim Pingle almost 2 years ago

  • Has duplicate Bug #13075: Netgate 2100 IPsec S2S AES GCM and SafeXcel mbuf overload added
Actions #3

Updated by Marcos M almost 2 years ago

Note that the issue may not be specific to SafeXcel - e.g. it could happen with Intel QAT as well.

Actions #5

Updated by Chris S almost 2 years ago

Marcos Mendoza wrote in #note-3:

Note that the issue may not be specific to SafeXcel - e.g. it could happen with Intel QAT as well.

That is of course a possibility and not to be disregarded, but in this specific scenario the fault was definitively with the Netgate 2100 and not the Netgate 6100. The basis for this claim is that the 6100 has three other VPN tunnels all with AES-GCM working fine. These three tunnels are to a Netgate 1537, a SonicWall NSA2600 and a SonicWall TZ670. Furthermore, once the crash happened only a reboot of the Netgate 2100 solved the issue. The Netgate 6100 did not need to be rebooted, nor did rebooting it help.

There could of course theoretically be something with QAT in the 6100, but this particular error that we reported only seems to be regarding SafeXcel in the 2100.

Actions #6

Updated by Marcos M almost 2 years ago

I mean to say it's not a SafeXcel issue specifically. Thank you for confirming it's only on the 2100 (ARM) platform.

Actions #7

Updated by luckman212 almost 2 years ago

I believe I have hit this as well, 2100 to 7100 GCM tunnel. Is there an upstream FreeBSD bugreport? I believe the factory defaults for the 2100 have SafeXcel disabled, is that correct?
