Skip to main content
NetApp Knowledge Base

Search

  • Filter results by:
    • View attachments
    Searching in
    About 8 results
    • Certain NFS operations fail with IPsec enabled
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/Certain_NFS_operations_fail_with_IPsec_enabled
      Applies to ONTAP 9 IPsec Issue Certain NFS operations fail when IPsec connections are active (i.e., Mount, Write, LS) IPsec and IKE security associations are active Packet traces show jumbo frames bei...Applies to ONTAP 9 IPsec Issue Certain NFS operations fail when IPsec connections are active (i.e., Mount, Write, LS) IPsec and IKE security associations are active Packet traces show jumbo frames being sent from client but not being received on ONTAP side
    • What is IPSec?
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/what_is_ipsec
      Introduced in ONTAP 9.8, Internet Protocol security (IPsec) provides data authentication, integrity, and over the wire encryption between two endpoints over an IP network. You can configure ONTAP clus...Introduced in ONTAP 9.8, Internet Protocol security (IPsec) provides data authentication, integrity, and over the wire encryption between two endpoints over an IP network. You can configure ONTAP clusters and storage virtual machines (SVMs) to use IPsec when transferring data across a wire. ONTAP features such as NFS, CIFS/SMB, and iSCSI can take advantage of this capability to transfer data-in-flight in an encrypted state. KB article How to enable IPsec. Configure IP Sec over wire encryption
    • How to configure multiple clients for IPsec for ONTAP 9.8 and higher
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/How_to_configure_multiple_clients_for_IPsec_for_ONTAP_9.8_and_higher
      Applies to ONTAP 9.8 and higher IPsec Description When a small number of clients need to leverage IPsec, using a single Security Policy Database (SPD) entry for each client is sufficient. However, whe...Applies to ONTAP 9.8 and higher IPsec Description When a small number of clients need to leverage IPsec, using a single Security Policy Database (SPD) entry for each client is sufficient. However, when hundreds or even thousands of clients need to leverage IPsec, NetApp recommends using an IPsec multiple client configuration. ONTAP supports connecting multiple clients across many networks to a single SVM IP address with IPsec enabled.
    • IPSEC client get hung when PFS on
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/IPSEC_client_get_hung_when_PFS_on
      Libreswan IPSEC connection gets hung when PFS is on Mar 30 21:19:54.384 08[IKE] failed to establish CHILD_SA, keeping IKE_SA Mar 30 21:19:56.784 08[IKE] failed to establish CHILD_SA, keeping IKE_SA Ma...Libreswan IPSEC connection gets hung when PFS is on Mar 30 21:19:54.384 08[IKE] failed to establish CHILD_SA, keeping IKE_SA Mar 30 21:19:56.784 08[IKE] failed to establish CHILD_SA, keeping IKE_SA Mar 30 21:19:56.784 08[IKE] CHILD_SA rekeying failed, trying again in 9 seconds Mar 30 21:20:05.788 05[IKE] failed to establish CHILD_SA, keeping IKE_SA Mar 30 21:20:05.788 05[IKE] CHILD_SA rekeying failed, trying again in 13 seconds
    • UDP connections are single threaded
      https://kb.netapp.com/on-prem/ontap/Perf/Perf-KBs/UDP_connections_are_single_threaded
      Applies to ONTAP 9 NFS Server not responding Cloud Volumes ONTAP on MS Azure UDP encapsulation of IPSEC Issue UDP is processed in the single threaded "Network Legacy" Domain If this single thread beco...Applies to ONTAP 9 NFS Server not responding Cloud Volumes ONTAP on MS Azure UDP encapsulation of IPSEC Issue UDP is processed in the single threaded "Network Legacy" Domain If this single thread becomes highly utilized it can lead to increased client latency
    • How to collect unencrypted packet traces over IPSEC in Linux
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/How_to_collect_unencrypted_packet_traces_over_IPSEC_in_Linux
      Applies to ONTAP 9 IPSec Description Normally, a packet trace over default interfaces will not provide much benefit when traffic is encrypted with ipsec. Consider setting up collection on decrypted in...Applies to ONTAP 9 IPSec Description Normally, a packet trace over default interfaces will not provide much benefit when traffic is encrypted with ipsec. Consider setting up collection on decrypted interfaces.
    • Inter-site IPsec tunnel collapses when ONTAP flexcache traffic is traversing it
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/Inter-site_IPsec_tunnel_collapses_when_ONTAP_flexcache_traffic_is_traversing_it
      When deploying an IPSec tunnel between sites, a Flexcache configuration in ONTAP may contribute dramatically more TCP sessions, as well as packets per second than other services, causing higher impact...When deploying an IPSec tunnel between sites, a Flexcache configuration in ONTAP may contribute dramatically more TCP sessions, as well as packets per second than other services, causing higher impact to tunnel stability than other workloads This could result in packet loss or other performance degradation for the IPsec tunnel if the underlying infrastructure lacks the needed resources to accommodate all of that traffic
    • How to enable IPsec
      https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/How_to_enable_IPsec
      Applies to ONTAP 9.8 and higher IPsec Description How to enable IPSEC using a pre-shared key