AES-GCM with SafeXcel on Netgate 2100 causes MBUF overload
Running IPsec tunnels on a Netgate 2100 with AES-GCM and SafeXcel enabled seems to cause an MBUF overload requiring a reboot to re-establish the tunnel.
First spotted by NOCling in the forums. I was able to reproduce on my own 6100-2100 IPsec setup.
Updated by Jim Pingle 11 months ago
- Has duplicate Bug #13075: Netgate 2100 IPsec S2S AES GCM and SafeXcel mbuf overload added
Updated by Chris S 10 months ago
Marcos Mendoza wrote in #note-3:
Note that the issue may not be specific to SafeXcel - e.g. it could happen with Intel QAT as well.
That is of course a possibility and not to be disregarded, but in this specific scenario the fault was definitively with the Netgate 2100 and not the Netgate 6100. The basis for this claim is that the 6100 has three other VPN tunnels all with AES-GCM working fine. These three tunnels are to a Netgate 1537, a SonicWall NSA2600 and a SonicWall TZ670. Furthermore, once the crash happened only a reboot of the Netgate 2100 solved the issue. The Netgate 6100 did not need to be rebooted, nor did rebooting it help.
There could of course theoretically be something with QAT in the 6100, but this particular error that we reported only seems to be regarding SafeXcel in the 2100.
Updated by luckman212 10 months ago
I believe I have hit this as well, 2100 to 7100 GCM tunnel. Is there an upstream FreeBSD bug report? I believe the factory defaults for the 2100 have SafeXcel disabled, is that correct?