Recently, the FAST Search Escalation Team has begun to see customers encountering a higher-than-expected rate of post-installation configuration/deployment failures due to IPSEC problems.  As a follow-up to my previous post (see "We need to talk"), I wanted to call out a very subtle but important point noted in http://support.microsoft.com/kb/951037, "Information about the TCP Chimney Offload, Receive Side Scaling, and Network Direct Memory Access features in Windows Server 2008."

As noted in the article, IPSEC is not compatible with TCP/IP offloading, therefore, we strongly recommend FAST Search Server 2010 customers disable all TCP/IP offloading functionality, both in the Registry (where the TCP/IP parameters are stored), as well as on the properties of the Network Adapter itself.


From KB 951037:

How TCP Chimney Offload coexists with other programs and services

When the TCP Chimney Offload technology offloads TCP/IP processing for a given TCP connection to a dedicated network adapter, it must coexist with other programs or services that rely on lower layer services in the networking subsystem. The following table shows how TCP Chimney Offload coexists with other programs and services.

Program or service

Works together with TCP Chimney Offload

Expected behavior when both the service and TCP Chimney Offload are enabled

Windows Firewall

Yes

If the firewall is configured to allow for a given TCP connection, the TCP/IP stack will offload that TCP connection to the network adapter.

Third-party firewall

Implementation-specific

Some firewall vendors have decided to implement their product in such a way that TCP Chimney Offload can be used while the firewall service is running. Refer to the firewall documentation to find out whether the product you are using supports TCP Chimney Offload.

Internet Protocol security (IPsec) policy

No

If the system has an IPsec policy applied, the TCP/IP stack will not try to offload any TCP connections. This lets the IPsec layer inspect every packet to provide the desired security.

Network Adapter teaming service (This service is also known as the Load Balancing and Failover service. It is usually provided by an OEM.)

Implementation-specific

Some OEMs have decided to implement their network adapter teaming solutions so that they coexist with TCP Chimney Offload. See the network adapter teaming service documentation to determine whether you can use TCP Chimney offload together with this service.

Windows Virtualization (Hyper-V technology)

No

If you are using the Microsoft Hyper-V technology to run virtual machines, no operating system will take advantage of TCP Chimney offload.

Network monitoring tools, such as Network Monitor and Wireshark

Implementation-specific

Some network monitoring tools may coexist with TCP Chimney but may not monitor offloaded connections.

Network Load Balancing (NLB) service

No

If you configure the NLB service on a server, the TCP/IP stack does not offload TCP connections.

Cluster service

Yes

However, note that TCP connections using the Network Fault Tolerant driver (NetFT.sys) will not be offloaded. NetFT is used for fault-tolerant inter-node cluster communication.

Network Address Translation (NAT) service (also known as the Internet Connection Sharing service)

No

If this service is installed and running, the TCP/IP stack does not offload connections.