Page MenuHomeVyOS Platform

Intel QAT acceleration does not work
Closed, ResolvedPublicBUG

Description

Intel QAT support present but IPSec traffic don't accelerate

vyos@R2-QAT# run show system acceleration qat 
01:00.0 Co-processor [0b40]: Intel Corporation Atom Processor C3000 Series QuickAssist Technology [8086:19e2] (rev 11)

vyos@R2-QAT# run show system acceleration qat device qat_dev0 flows 
+------------------------------------------------+
| FW Statistics for Qat Device                   |
+------------------------------------------------+
| Firmware Requests [AE  0]:                   0 |
| Firmware Responses[AE  0]:                   0 |
+------------------------------------------------+
| Firmware Requests [AE  1]:                   0 |
| Firmware Responses[AE  1]:                   0 |
+------------------------------------------------+
| Firmware Requests [AE  2]:                   0 |
| Firmware Responses[AE  2]:                   0 |
+------------------------------------------------+
| Firmware Requests [AE  3]:                   0 |
| Firmware Responses[AE  3]:                   0 |
+------------------------------------------------+
| Firmware Requests [AE  4]:                   0 |
| Firmware Responses[AE  4]:                   0 |
+------------------------------------------------+
| Firmware Requests [AE  5]:                   0 |
| Firmware Responses[AE  5]:                   0 |
+------------------------------------------------+

IPSec config example

set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '1800'
set vpn ipsec esp-group ESP mode 'tunnel'
set vpn ipsec esp-group ESP pfs 'enable'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE ikev2-reauth 'no'
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE lifetime '3600'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 10.217.10.107 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.217.10.107 authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer 10.217.10.107 ike-group 'IKE'
set vpn ipsec site-to-site peer 10.217.10.107 local-address '10.217.10.66'
set vpn ipsec site-to-site peer 10.217.10.107 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 10.217.10.107 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 10.217.10.107 tunnel 0 esp-group 'ESP'
set vpn ipsec site-to-site peer 10.217.10.107 tunnel 0 local prefix '172.16.0.0/24'
set vpn ipsec site-to-site peer 10.217.10.107 tunnel 0 remote prefix '172.16.255.0/24'

Version 1.2.5 works as expected

vyos@vyos# run show system acceleration qat device qat_dev0 flows 
+------------------------------------------------+
| FW Statistics for Qat Device                   |
+------------------------------------------------+
| Firmware Requests [AE  0]:              128805 |
| Firmware Responses[AE  0]:              128805 |
+------------------------------------------------+
| Firmware Requests [AE  1]:              128798 |
| Firmware Responses[AE  1]:              128798 |
+------------------------------------------------+
| Firmware Requests [AE  2]:              128807 |
| Firmware Responses[AE  2]:              128807 |
+------------------------------------------------+
| Firmware Requests [AE  3]:              128804 |
| Firmware Responses[AE  3]:              128804 |
+------------------------------------------------+
| Firmware Requests [AE  4]:              128799 |
| Firmware Responses[AE  4]:              128799 |
+------------------------------------------------+
| Firmware Requests [AE  5]:              128805 |
| Firmware Responses[AE  5]:              128805 |
+------------------------------------------------+
| Firmware Requests [AE  6]:              128797 |
| Firmware Responses[AE  6]:              128797 |
+------------------------------------------------+
| Firmware Requests [AE  7]:              128803 |
| Firmware Responses[AE  7]:              128803 |
+------------------------------------------------+

Details

Difficulty level
Unknown (require assessment)
Version
1.3-rolling-202009011736
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

Dmitry assigned this task to c-po.Sep 2 2020, 4:54 PM
Dmitry created this task.
pasik added a subscriber: pasik.Sep 3 2020, 7:56 PM
dmbaturin renamed this task from Intel QAT acceleration does not works to Intel QAT acceleration does not work.Sep 5 2020, 11:58 AM
Dmitry added a comment.Sep 6 2020, 3:25 PM

@c-po I build qat manually but add --enable-qat-lkcf to https://github.com/vyos/vyos-build/blob/crux/packages/linux-kernel/build-intel-qat.sh#L55 and it seems it works

vyos@R2-QAT:~$ show system acceleration qat device qat_dev0 flows 
+------------------------------------------------+
| FW Statistics for Qat Device                   |
+------------------------------------------------+
| Firmware Requests [AE  0]:              147225 |
| Firmware Responses[AE  0]:              147225 |
+------------------------------------------------+
| Firmware Requests [AE  1]:              113758 |
| Firmware Responses[AE  1]:              113758 |
+------------------------------------------------+
| Firmware Requests [AE  2]:              144886 |
| Firmware Responses[AE  2]:              144886 |
+------------------------------------------------+
| Firmware Requests [AE  3]:              147221 |
| Firmware Responses[AE  3]:              147221 |
+------------------------------------------------+
| Firmware Requests [AE  4]:              113774 |
| Firmware Responses[AE  4]:              113774 |
+------------------------------------------------+
| Firmware Requests [AE  5]:              144891 |
| Firmware Responses[AE  5]:              144891 |
+------------------------------------------------+
Dmitry added a comment.Sep 6 2020, 3:28 PM

From official docs

Dmitry added a comment.Sep 7 2020, 6:47 AM

Intel QAT works for CRUX brunch. As for rolling with the newest kernel 5.8.5, it seems some issues on the modules building stage.

syncer closed this task as Resolved.Sep 7 2020, 5:23 PM
syncer triaged this task as Normal priority.
syncer moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.6) board.
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.6); removed VyOS 1.3 Equuleus.