Hi,
I am building my SSL VPN-Plus gateway. It works a few times after a fresh install and then suddenly stops working.
I am not able to log in on it anymore.
In the log (Settings & Reports/System Events):
Severity: Major
Code: 30154
Event message: AESNI crypto engine is down
This seems to be the case only when using as server settings: AES256-SHA, AES256-SHA or RC4-MD5 (I have tested all of the
To get my connection back, I need to force-sync the edge VM.
From the logs of my vSM, I can see that my "AESNI engine is down".
From the vSM 5.5 manual (page 30), I can see that we can enable/disable this AESNI engine, but I haven't found where yet.
Any help will be VERY appreciated.
Today, I am able to connect through my SSL-VPN gateway one time; after that, I have to re-sync the edge VM.
Thx
Nobody?
$ openssl engine
$ OPENSSL_ia32cap="~0x200000200000000"
$ export OPENSSL_ia32cap
You do have to be careful though if you're running dissimilar processors in a cluster, as one of the tricks you need to do to get vMotion compatibility is turning off certain features in the processors, so that all the processors in the cluster have the same set of features.
Do you mean EVC = on?
Concerning OpenSSL, do I have to apply this on my vShield Manager's VM?
Or on my two ESXi servers?
Anyway, thx for your support.
Dear sir,
I have done it, but it still does not seem to work.
I still have exactly the same problem.
I am able to connect to my gateway one time; after that it is no longer possible unless I re-sync my edge.
I am not able to get a full shell on my vSM, so I am not able to play with openssl.
See my attached file.
Thx
PS: what does vm-126 mean?
Can nobody help?
Thx
Assuming the CPU you are using supports AES-NI (see if the command "grep -F aes /proc/cpuinfo" returns something) and the VM has the flag exposed by the hypervisor, I'd suggest forcing the cipher suites available to SSL to only include the 128-bit variants, as my recent tests with openssl 1.0.1f lead me to conclude the optimizations aren't used (or effective) in the 256-bit variants of the cipher.
Benchmarks using "openssl bench":
CPU WITHOUT AES-NI | aes-128-cbc |  96844.27k | 105854.23k | 107898.73k | 110023.34k | 108422.89k |
CPU WITH AES-NI    | aes-128-cbc | 583303.96k | 637274.58k | 654004.39k | 656633.03k | 660155.05k |
CPU WITHOUT AES-NI | aes-256 cbc |  51003.84k |  54899.07k |  56149.85k | 119766.50k | 121531.05k |
CPU WITH AES-NI    | aes-256 cbc |  53967.15k |  56941.35k |  57686.36k | 120316.26k | 121416.36k |
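The checks suggested in the reply above, as an added example that is not part of the thread and not VMware's or OpenSSL's own tooling: it reports whether every logical CPU in a guest exposes the `aes` flag and compares throughput with the AES-NI bits masked through `OPENSSL_ia32cap`. The function names and sample data are made up for illustration; `-evp` is used because that is the OpenSSL interface through which the AES-NI code path is selected.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are illustrative.

# Classify a cpuinfo-format file by how many logical CPUs advertise the
# "aes" (AES-NI) flag: prints all, none, mixed, or unknown (no flags lines).
# Tokens are compared exactly, so a flag that merely contains "aes" is ignored.
aesni_status() {
    awk -F: '
        /^flags[ \t]*:/ {
            total++
            n = split($2, f, " ")
            for (i = 1; i <= n; i++)
                if (f[i] == "aes") { hit++; break }
        }
        END {
            if (total == 0)        print "unknown"
            else if (hit == total) print "all"
            else if (hit == 0)     print "none"
            else                   print "mixed"
        }' "${1:-/proc/cpuinfo}"
}

# Constructed sample: a two-vCPU guest where the flag is not exposed.
sample_cpuinfo() {
    printf 'processor\t: 0\nflags\t\t: fpu sse2 ssse3 pclmulqdq\n'
    printf 'processor\t: 1\nflags\t\t: fpu sse2 ssse3 pclmulqdq\n'
}

# Print the result line of "openssl speed -evp" for each cipher, first with the
# default CPU capabilities and then with the AES-NI and PCLMULQDQ bits masked.
aesni_speed_compare() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    for cipher in aes-128-cbc aes-256-cbc; do
        plain=$(openssl speed -evp "$cipher" 2>/dev/null | tail -n 1)
        masked=$(OPENSSL_ia32cap='~0x200000200000000' openssl speed -evp "$cipher" 2>/dev/null | tail -n 1)
        echo "$cipher default: $plain"
        echo "$cipher masked:  $masked"
    done
}

# Run the checks on the local machine only when asked to: sh script.sh --run
if [ "${1:-}" = "--run" ]; then
    echo "AES-NI flag: $(aesni_status)"
    aesni_speed_compare
fi
```

A result of `mixed` or `none` inside a guest means the hypervisor is not presenting the flag on every vCPU, whatever the physical hosts support.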
My CPUs don't support AES-NI ...
I am still looking for "how to deactivate" this option ... if I believe the vSM 5.5 manual, p. 30.
Thx