Issue with kTLS hardware offload testing via OpenSSL using two hosts with two BlueField 2


I’ve been following the NVIDIA TLS Offload Guide (NVIDIA TLS Offload Guide - NVIDIA Docs) for kTLS hardware offload testing via OpenSSL.

Despite adhering closely to the instructions, I encountered an issue at the final step. When monitoring kTLS over kernel counters (using cat /proc/net/tls_stat), I noticed that TlsTxSw and TlsRxSw counters increase with each connection attempt, while TlsTxDevice and TlsRxDevice remain at zero. This suggests that the Tx and Rx connections are opened in software mode, not in the hardware-offload mode that I want. This is puzzling since I’ve ensured the correct configuration of kTLS, OVS bridges, etc.

I use two hosts equipped with BlueFields, as suggested in the guide, but a potential concern is the difference in kernel versions between my two hosts. One supports only tls-hw-tx-offload (because its kernel version is lower), while the other supports both tls-hw-tx-offload and tls-hw-rx-offload. Could this discrepancy be causing the connections to default to software mode? Would matching the kernel versions on both machines to support both offloads be a solution?

Additionally, both BlueFields are set to embedded CPU function ownership (ECPF) mode, the default for BlueField DPU. Is this configuration appropriate?

If none of these factors are the cause, I would greatly appreciate any insights or suggestions on what else might be going wrong.

Thank you very much in advance for your time and help!

As a starting point, I would make sure that both hosts are aligned on the same kernel version regardless, and that the kernel on both hosts is configured to support TLS (TLS_DEVICE and MLX5_TLS set to y).

The relevant kTLS counters for HW offload are “TlsTxDevice” & “TlsRxDevice”, plus the ethtool stats (rx_tls_decrypted & tx_tls_encrypted).

If indeed you followed the guide posted, additional analysis would be needed based on your deployment and testing method.

If you have a support contract with Nvidia, please open a support case and we will further assist you.
Enterprise Support
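
Added example, not part of the thread or of NVIDIA's guide: a shell helper that compares two snapshots of /proc/net/tls_stat and reads saved `ethtool -k` output, to tell whether sessions opened in between were counted under TlsTxDevice/TlsRxDevice or under TlsTxSw/TlsRxSw. The function names, file names and sample values are constructed for illustration.

```shell
#!/bin/sh
# On a real host, capture the inputs around one test connection:
#   cat /proc/net/tls_stat > before; <run the TLS test>; cat /proc/net/tls_stat > after
#   ethtool -k <iface> > features

# tls_stat_get FILE COUNTER: print the counter's value, 0 if it is absent.
tls_stat_get() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v + 0 }' "$1"
}

# ktls_mode BEFORE AFTER Tx|Rx: print device, software, mixed or none for
# the sessions opened between the two snapshots (subshell keeps vars local).
ktls_mode() (
    dev=$(( $(tls_stat_get "$2" "Tls${3}Device") - $(tls_stat_get "$1" "Tls${3}Device") ))
    sw=$(( $(tls_stat_get "$2" "Tls${3}Sw") - $(tls_stat_get "$1" "Tls${3}Sw") ))
    if [ "$dev" -gt 0 ] && [ "$sw" -gt 0 ]; then echo mixed
    elif [ "$dev" -gt 0 ]; then echo device
    elif [ "$sw" -gt 0 ]; then echo software
    else echo none
    fi
)

# feature_on FILE FEATURE: succeed only if the saved feature list shows "on".
feature_on() {
    awk -v f="$2:" '$1 == f && $2 == "on" { ok = 1 } END { exit !ok }' "$1"
}

# Constructed sample data shaped like the situation in the question: only
# the software counters move, and one host reports no RX offload.
tmp=$(mktemp -d)
printf 'TlsTxSw 3\nTlsRxSw 3\nTlsTxDevice 0\nTlsRxDevice 0\n' > "$tmp/before"
printf 'TlsTxSw 4\nTlsRxSw 4\nTlsTxDevice 0\nTlsRxDevice 0\n' > "$tmp/after"
printf 'tls-hw-tx-offload: on\ntls-hw-rx-offload: off [fixed]\n' > "$tmp/features"

for dir in Tx Rx; do
    echo "$dir sessions: $(ktls_mode "$tmp/before" "$tmp/after" "$dir")"
done
for f in tls-hw-tx-offload tls-hw-rx-offload; do
    if feature_on "$tmp/features" "$f"; then echo "$f: on"; else echo "$f: not on"; fi
done
```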
