VMware Cloud Community
Urania
Enthusiast

vShield SSL-VPN Plus / AESNI crypto engine is down

Hi,

I was building my SSL VPN Plus gateway; it worked a few times after a fresh install, and then suddenly stopped working.

I am not able to log in on it anymore.

In the log (Settings & Reports / System Events):


Severity: Major

Code: 30154

Event message: AESNI crypto engine is down


It seems only to be the case when using AES256-SHA, AES256-SHA or RC4-MD5 as server settings (I have tested all of the
To get my connection back, I need to force-sync the Edge VM.

From the logs of my vSM, I can see that my "AESNI engine is down".

From the vSM 5.5 manual (page 30), I can see that we can enable/disable this AESNI engine, but I haven't yet found where.

Any help will be VERY appreciated.

Today, I am able to connect through my SSL-VPN gateway once; after that, I have to re-sync the Edge VM.

Thx

7 Replies
Urania
Enthusiast

Nobody?

paquay_eric
Contributor

$ openssl engine                          # list the engines OpenSSL has loaded (an aesni engine appears only in builds that ship one)

$ OPENSSL_ia32cap='~0x200000200000000'    # plain assignment, not "set": the ~ clears capability bits 57 (AES-NI) and 33 (PCLMULQDQ); quote it so the shell does not try to expand ~

$ export OPENSSL_ia32cap                  # make the mask visible to every openssl process started from this shell

You do have to be careful, though, if you're running dissimilar processors in a cluster, as one of the tricks you need to do to get vMotion compatibility is turning off certain features in the processors, so that all the processors in the cluster have the same set of features.

Urania
Enthusiast

Do you mean EVC = on ?

Concerning OpenSSL, do I have to apply this on my vShield Manager VM?

Or on my two ESXi servers?

Anyway, thanks for your support.

Urania
Enthusiast

Dear sir,

I have done it, but it still seems not to work.

I still have exactly the same problem.

I am able to connect to my gateway once; after that it is no longer possible unless I re-sync my Edge.

I am not able to get a full shell on my vSM, so I am not able to play with openssl.

See my attachment file.

Thx

PS: what does vm-126 mean?

Urania
Enthusiast

Nobody can help?

Thx

pamribeiro
Contributor

Assuming the CPU you are using supports AES-NI (see if the command "grep -F aes /proc/cpuinfo" returns something) and the VM has the flag exposed by the hypervisor, I'd suggest forcing the cipher suites available to SSL to only include the 128-bit variants, as my recent tests with openssl 1.0.1f lead me to conclude the optimizations aren't used (or effective) in the 256-bit variants of the cipher.

Benchmarks using "openssl bench" (1000s of bytes per second, per block size):

                      cipher         16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
CPU WITHOUT AES-NI    aes-128-cbc    96844.27k   105854.23k   107898.73k   110023.34k   108422.89k
CPU WITH AES-NI       aes-128-cbc   583303.96k   637274.58k   654004.39k   656633.03k   660155.05k
CPU WITHOUT AES-NI    aes-256-cbc    51003.84k    54899.07k    56149.85k   119766.50k   121531.05k
CPU WITH AES-NI       aes-256-cbc    53967.15k    56941.35k    57686.36k   120316.26k   121416.36k
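As an added example (not part of this thread, and not vShield or OpenSSL code), the Python below decodes what the OPENSSL_ia32cap mask from paquay_eric's reply actually clears, and applies pamribeiro's /proc/cpuinfo check to a constructed cpuinfo sample. The bit layout is the one documented in OPENSSL_ia32cap(3): CPUID(1).EDX in the low 32 bits and CPUID(1).ECX in the high 32, so ECX bit 25 (AES-NI) lands at bit 57 and ECX bit 1 (PCLMULQDQ) at bit 33, which is exactly 0x200000200000000. The feature tables are a hand-picked subset, the sample cpuinfo text is constructed, and drop_aes256 is a name-based filter that stands in for "only the 128-bit variants". One caveat a practitioner should keep in mind: the mask only affects OpenSSL processes started with that environment variable, so it helps on a host where you have a shell, not on the Edge appliance that raises event 30154.

```python
"""Decode an OPENSSL_ia32cap mask and check a /proc/cpuinfo flags line.

Added example for this thread; not vShield or OpenSSL code.  OPENSSL_ia32cap
packs CPUID leaf 1 as (ECX << 32) | EDX, and a leading '~' means "clear these
bits" (see OPENSSL_ia32cap(3)).  Only a handful of feature bits are tabled.
"""
import re

# CPUID(1).EDX feature bits (low 32 bits of the OPENSSL_ia32cap value).
EDX_BITS = {23: "mmx", 25: "sse", 26: "sse2"}
# CPUID(1).ECX feature bits (high 32 bits of the OPENSSL_ia32cap value).
ECX_BITS = {
    0: "sse3",
    1: "pclmulqdq",   # carry-less multiply, used by OpenSSL's GCM code
    9: "ssse3",
    19: "sse4_1",
    20: "sse4_2",
    25: "aes",        # AES-NI
    28: "avx",
}


def decode_ia32cap(value):
    """Return (mode, feature_names) for an OPENSSL_ia32cap string.

    mode is "clear" for a '~'-prefixed mask and "set" otherwise (a bare value
    replaces the detected capability vector).  Untabled bits become "bitNN".
    """
    value = value.strip()
    mode = "clear" if value.startswith("~") else "set"
    bits = int(value.lstrip("~"), 0)          # accepts 0x... or decimal
    names = []
    for bit in range(64):
        if bits & (1 << bit):
            if bit >= 32:
                names.append(ECX_BITS.get(bit - 32, f"bit{bit}"))
            else:
                names.append(EDX_BITS.get(bit, f"bit{bit}"))
    return mode, names


def cpuinfo_flags(cpuinfo_text):
    """Collect the flag names from every 'flags' line of a /proc/cpuinfo dump."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        if re.match(r"^flags\s*:", line):
            flags.update(line.split(":", 1)[1].split())
    return flags


def has_aesni(cpuinfo_text):
    """Exact-match version of `grep -F aes /proc/cpuinfo` (grep -F would also
    match 'aes' appearing inside another flag name)."""
    return "aes" in cpuinfo_flags(cpuinfo_text)


def mask_for_missing(cpuinfo_text, wanted=("aes", "pclmulqdq")):
    """Build the '~0x...' OPENSSL_ia32cap string that clears the bits for any
    of `wanted` the (virtual) CPU does not advertise; None if all are present."""
    present = cpuinfo_flags(cpuinfo_text)
    bits = 0
    for pos, name in EDX_BITS.items():
        if name in wanted and name not in present:
            bits |= 1 << pos
    for pos, name in ECX_BITS.items():
        if name in wanted and name not in present:
            bits |= 1 << (32 + pos)
    return None if bits == 0 else f"~{bits:#x}"


def export_line(mask):
    """Shell line for the mask; quoting stops the shell expanding '~' as a home dir."""
    return f"export OPENSSL_ia32cap='{mask}'"


def drop_aes256(cipher_string):
    """Keep only the suites of an OpenSSL cipher string that are not AES-256
    variants (name-based, standing in for the 128-bit-only suggestion above)."""
    return ":".join(c for c in cipher_string.split(":") if "AES256" not in c)


# Constructed sample modelled on a /proc/cpuinfo flags line for a pre-AES-NI
# core (no 'aes', no 'pclmulqdq'); not captured from the poster's hosts.
SAMPLE_CPUINFO_NO_AESNI = """\
processor\t: 0
model name\t: constructed sample CPU
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat \
pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc ssse3 sse4_1 sse4_2
"""

# Same shape, but advertising AES-NI and PCLMULQDQ (also constructed).
SAMPLE_CPUINFO_AESNI = SAMPLE_CPUINFO_NO_AESNI.replace(
    "sse4_2", "sse4_2 aes pclmulqdq avx")

if __name__ == "__main__":
    print(decode_ia32cap("~0x200000200000000"))   # ('clear', ['pclmulqdq', 'aes'])
    print(has_aesni(SAMPLE_CPUINFO_NO_AESNI), has_aesni(SAMPLE_CPUINFO_AESNI))
    print(export_line(mask_for_missing(SAMPLE_CPUINFO_NO_AESNI)))
    print(drop_aes256("AES256-SHA:AES128-SHA:RC4-MD5"))
```

Running it against a real host's /proc/cpuinfo (read the file and pass its text to mask_for_missing) gives the export line to paste into the shell; the decode function is the quicker way to sanity-check any mask value you find in a post before exporting it.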
Urania
Enthusiast

My CPUs don't support AES-NI...

I am still looking at how to deactivate this option, if I believe the vSM 5.5 manual, p. 30.

Thx
