Page MenuHomeVyOS Platform
Create Task
Maniphest T2776

QAT acceleration not working for IPSec AES-128 (CBC) / SHA256 tunnel
Closed, InvalidPublicBUG
Actions

Description

Despite enabling system acceleration qat in the configuration, the Quick Assist co-processor is not in use in a site to site IPSec tunnel—only the CPU is used (with AES-NI).

show system acceleration qat flows are empty. QAT device starts correctly.

Tested on Atom C3758

Details

Difficulty level
Unknown (require assessment)
Version
1.3
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

ajgnet created this task.Aug 10 2020, 1:55 AM
pasik added a subscriber: pasik.Aug 10 2020, 7:53 AM
Unknown Object (User) added a subscriber: Unknown Object (User).Feb 8 2021, 10:39 AM

@ajgnet which exactly version used in this case?

dmbaturin added a project: test.Jul 29 2021, 12:53 PM
dmbaturin assigned this task to Unknown Object (User).Jul 29 2021, 3:02 PM
Unknown Object (User) added a comment.Aug 9 2021, 11:16 AM

Tested on 1.3-rc5, all works properly

set vpn ipsec esp-group ESP_DEFAULT compression 'disable'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'

Flow served QAT

vyos@R2-QAT#  run show system acceleration qat device qat_dev0 flows 
+------------------------------------------------+
| FW Statistics for Qat Device                   |
+------------------------------------------------+
| Firmware Requests [AE  0]:               60046 |
| Firmware Responses[AE  0]:               60046 |
+------------------------------------------------+
| Firmware Requests [AE  1]:              112720 |
| Firmware Responses[AE  1]:              112720 |
+------------------------------------------------+
| Firmware Requests [AE  2]:              219657 |
| Firmware Responses[AE  2]:              219657 |
+------------------------------------------------+
| Firmware Requests [AE  3]:               60046 |
| Firmware Responses[AE  3]:               60046 |
+------------------------------------------------+
| Firmware Requests [AE  4]:              112722 |
| Firmware Responses[AE  4]:              112722 |
+------------------------------------------------+
| Firmware Requests [AE  5]:              219657 |
| Firmware Responses[AE  5]:              219657 |
+------------------------------------------------+

Interrupts

vyos@R2-QAT# run show system acceleration qat interrupts 
140:      44039          0          0          0          0          0          0          0  IR-PCI-MSI 524288-edge      qat0-bundle0
141:          0      42358          0          0          0          0          0          0  IR-PCI-MSI 524289-edge      qat0-bundle1
142:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524290-edge      qat0-bundle2
143:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524291-edge      qat0-bundle3
144:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524292-edge      qat0-bundle4
145:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524293-edge      qat0-bundle5
146:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524294-edge      qat0-bundle6
147:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524295-edge      qat0-bundle7
148:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524296-edge      qat0-bundle8
149:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524297-edge      qat0-bundle9
150:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524298-edge      qat0-bundle10
151:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524299-edge      qat0-bundle11
152:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524300-edge      qat0-bundle12
153:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524301-edge      qat0-bundle13
154:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524302-edge      qat0-bundle14
155:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524303-edge      qat0-bundle15
156:          0          0          0          0          0          0          0          0  IR-PCI-MSI 524304-edge      qat0-ae-cluster
Unknown Object (User) closed this task as Invalid.Aug 9 2021, 11:17 AM
erkin set Issue type to Bug (incorrect behavior).Aug 29 2021, 1:31 PM
erkin removed a subscriber: Active contributors.
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0-epa1); removed test, VyOS 1.3 Equuleus.Sep 5 2021, 7:06 AM
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0-epa1) board.Sep 5 2021, 4:08 PM