Bug #13075

closed

Netgate 2100 IPsec S2S AES GCM and SafeXcel mbuf overload

Added by Dennis H over 2 years ago. Updated over 2 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: Cryptographic Modules
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Release Notes: Default
Affected Plus Version: 22.01
Affected Architecture: SG-2100

Description

Hello everyone,
I ran into an mbuf overload after changing the S2S setting (Netgate 6100 – 2100) from AES256 to AES128-GCM.
If I start the NAS backup and use GCM, the mbuf usage grows and grows, and after some time it reaches the limit and the SG-2100 doesn’t respond anymore.

Asynchronous Cryptography doesn’t matter and AES-CBC just works.

Both Netgates are running 22.01; the 6100 uses Intel QAT, the 2100 uses SafeXcel for hardware crypto support.
Tunnel Setup:
P1: AES128-GCM,AES256, SHA256 DH19, Mobike an DPD
P2 ESP,AES256,AES128-GCM, SHA256 DH19

To me, it looks like a memory leak in the crypto engine or the NIC queue of the SafeXcel driver.
If I disable the driver and run GCM in software mode, it works for days.
There could also be a connection with the remote station and the Intel QAT support, which may trigger the behavior.


Files

IPsec_S2S_mbuf_GCM_No_SafeXcel.png (72.8 KB), Dennis H, 04/19/2022 04:24 PM
IPsec_S2S_mbuf.png (86.2 KB), Dennis H, 04/19/2022 04:31 PM

Related issues

Is duplicate of Bug #13074: AES-GCM with SafeXcel on Netgate 2100 causes MBUF overload (New)
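
To confirm the growth pattern described in this report from a shell rather than from the graphs, the following added example (not part of the original report or of pfSense) parses FreeBSD `netstat -m` snapshots and flags steady mbuf cluster growth. The function names, the 80% threshold and the sample figures are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: detect steady mbuf-cluster growth from `netstat -m` snapshots.
# On the firewall, one sample would be collected with: netstat -m | cluster_usage

# Read one `netstat -m` snapshot on stdin; print "current max" for mbuf clusters.
cluster_usage() {
    while IFS= read -r line; do
        case "$line" in
            *" mbuf clusters in use "*)
                counts=${line%% *}      # first token: cur/cache/total/max
                echo "${counts%%/*} ${counts##*/}"
                return 0 ;;
        esac
    done
    return 1                            # line not found in this snapshot
}

# Read "current max" samples (oldest first) on stdin; print a verdict.
# $1 = percent-of-max alert threshold (hypothetical default: 80).
growth_verdict() {
    limit=${1:-80}; n=0; rising=0; prev=0; last=0; max=1
    while read -r cur mx; do
        [ -n "$cur" ] || continue
        if [ "$n" -gt 0 ] && [ "$cur" -gt "$prev" ]; then
            rising=$((rising + 1))
        fi
        prev=$cur; last=$cur; max=$mx; n=$((n + 1))
    done
    [ "$n" -ge 2 ] || { echo "INSUFFICIENT"; return 0; }
    pct=$((last * 100 / max))
    if [ "$pct" -ge "$limit" ]; then
        echo "CRITICAL ${pct}%"         # close to the limit, act now
    elif [ "$rising" -eq $((n - 1)) ]; then
        echo "GROWING ${pct}%"          # every sample higher than the last
    else
        echo "OK ${pct}%"               # usage fluctuates, no steady climb
    fi
}

# Constructed snapshots (not taken from the report), oldest first.
demo() {
    for c in 20480 180000 410000; do
        printf '%s\n' "4100/2500/6600 mbufs in use (current/cache/total)" \
            "$c/1200/$((c + 1200))/1000000 mbuf clusters in use (current/cache/total/max)" \
            | cluster_usage
    done | growth_verdict 80
}
demo   # prints: GROWING 41%
```

Sampling at a fixed interval while the backup runs, once with the SafeXcel driver enabled and once with it disabled, gives a direct comparison of the two cases the report describes.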
