Leave the chimney for Santa Claus, not for FAST Search Server 2010
Recently, the FAST Search Escalation Team has begun to see customers encountering a higher-than-expected rate of post-installation configuration/deployment failures due to IPSEC problems. As a follow-up to my previous post (see "We need to talk"), I wanted to call out a very subtle but important point noted in https://support.microsoft.com/kb/951037, "Information about the TCP Chimney Offload, Receive Side Scaling, and Network Direct Memory Access features in Windows Server 2008."
As noted in the article, IPSEC is not compatible with TCP/IP offloading. We therefore strongly recommend that FAST Search Server 2010 customers disable all TCP/IP offloading functionality, both in the Registry (where the TCP/IP parameters are stored) and on the properties of the Network Adapter itself.
From KB 951037:
How TCP Chimney Offload coexists with other programs and services
When the TCP Chimney Offload technology offloads TCP/IP processing for a given TCP connection to a dedicated network adapter, it must coexist with other programs or services that rely on lower layer services in the networking subsystem. The following table shows how TCP Chimney Offload coexists with other programs and services.
| Program or service | Works together with TCP Chimney Offload | Expected behavior when both the service and TCP Chimney Offload are enabled |
|---|---|---|
| Windows Firewall | Yes | If the firewall is configured to allow for a given TCP connection, the TCP/IP stack will offload that TCP connection to the network adapter. |
| Third-party firewall | Implementation-specific | Some firewall vendors have decided to implement their product in such a way that TCP Chimney Offload can be used while the firewall service is running. Refer to the firewall documentation to find out whether the product you are using supports TCP Chimney Offload. |
| Internet Protocol security (IPsec) policy | No | If the system has an IPsec policy applied, the TCP/IP stack will not try to offload any TCP connections. This lets the IPsec layer inspect every packet to provide the desired security. |
| Network Adapter teaming service (This service is also known as the Load Balancing and Failover service. It is usually provided by an OEM.) | Implementation-specific | Some OEMs have decided to implement their network adapter teaming solutions so that they coexist with TCP Chimney Offload. See the network adapter teaming service documentation to determine whether you can use TCP Chimney offload together with this service. |
| Windows Virtualization (Hyper-V technology) | No | If you are using the Microsoft Hyper-V technology to run virtual machines, no operating system will take advantage of TCP Chimney offload. |
| Network monitoring tools, such as Network Monitor and Wireshark | Implementation-specific | Some network monitoring tools may coexist with TCP Chimney but may not monitor offloaded connections. |
| Network Load Balancing (NLB) service | No | If you configure the NLB service on a server, the TCP/IP stack does not offload TCP connections. |
| Cluster service | Yes | However, note that TCP connections using the Network Fault Tolerant driver (NetFT.sys) will not be offloaded. NetFT is used for fault-tolerant inter-node cluster communication. |
| Network Address Translation (NAT) service (also known as the Internet Connection Sharing service) | No | If this service is installed and running, the TCP/IP stack does not offload connections. |
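
One way to audit a server against the recommendation above, as an added example that is not part of the original post or of KB 951037. It assumes English-language `netsh` output and an elevated PowerShell session, and it checks only the Chimney and NetDMA states plus the `DisableTaskOffload` and `EnableTCPA` values under the Tcpip `Parameters` key.

```powershell
# Added example: report TCP/IP offload features that are not disabled.
# Assumptions: English-language netsh output, elevated prompt, PowerShell 2.0+.
$tcpipKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-TcpGlobalState {
    # Turn the "Name : value" lines of `netsh int tcp show global` into a hashtable.
    $state = @{}
    foreach ($line in (netsh int tcp show global)) {
        if ($line -match '^\s*(.+?)\s*:\s*(\S+)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    $state
}

# netsh label -> command that disables the feature
$netshChecks = @{
    'Chimney Offload State' = 'netsh int tcp set global chimney=disabled'
    'NetDMA State'          = 'netsh int tcp set global netdma=disabled'
}
# registry value name -> DWORD data that means "offload disabled"
$regChecks = @{ 'DisableTaskOffload' = 1; 'EnableTCPA' = 0 }

$findings = @()

$tcp = Get-TcpGlobalState
foreach ($label in $netshChecks.Keys) {
    # A label missing from the output means this OS build does not expose the setting.
    if ($tcp.ContainsKey($label) -and $tcp[$label] -ne 'disabled') {
        $findings += "{0} = {1}; fix: {2}" -f $label, $tcp[$label], $netshChecks[$label]
    }
}

$reg = Get-ItemProperty -Path $tcpipKey
foreach ($name in $regChecks.Keys) {
    $actual = $reg.$name    # $null when the value does not exist
    if ($actual -ne $regChecks[$name]) {
        $shown = if ($null -eq $actual) { '<not set>' } else { $actual }
        $findings += "{0}\{1} = {2}; expected {3}" -f $tcpipKey, $name, $shown, $regChecks[$name]
    }
}

if ($findings.Count -eq 0) {
    'No enabled TCP/IP offload settings found in netsh or the Tcpip Parameters key.'
} else {
    $findings
}
```

Per-adapter offload settings on the network adapter's Advanced properties are not covered by this check and still need to be reviewed on each adapter.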