-
- Enthusiast
- Posts: 51
- Liked: 10 times
- Joined: May 18, 2021 1:55 pm
- Location: Slovakia
- Contact:
HPE iLO Virtual NIC causes forced encryption on LAN
While testing R&D on our servers, I have noticed that all backup jobs, be it physical or virtual, are being forced into encrypted network traffic mode. The cause was that the server with B&R contains the HPE iLO management module, which by default enables the Virtual NIC function which exposes a "Generic USB-EEM Network Adapter" for in-band communication, assigning IP "16.1.15.2" to the host. Since this is a network interface with a public-looking IP, this trips B&R's 'for your safety' logic, even though the interface is not going to be used to transmit backup data. I could not override this behavior by adding custom network rules. HPE servers selected for backup probably also get flagged as having a public IP and suffer the same issue.
I did not want to complicate things by using the KB2055 DisablePublicIPTrafficEncryption registry setting, so instead I switched off all the (unused) virtual NICs. In the process, I noticed that an IBM server, which has the same kind of virtual NIC functionality enabled, does not exhibit this issue. It uses 169.254.x.x addresses. That is not an RFC1918 private address, yet still seems to work. So I am guessing there is some sort of more complex exclusion list. In that case, I would like to suggest adding this 'HP reserved' IP address to it. Or alternatively, provide a way of suppressing that public IP detection behavior for specific IPs via network rules.
I originally reported this as Case #05236119, however due to 'high Support Team load' it was timed out and closed without anyone reading it. Maybe as a forum post it can at least be of use to someone.
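An inventory check for the situation described in the post above, as an added example that is not part of the original post and is not Veeam's detection logic: it flags interfaces whose IPv4 address falls outside RFC 1918 and link-local space, and calls out the iLO Virtual NIC addresses named in this thread. The range list, the CSV layout and the sample hosts are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# RFC 1918 private ranges plus IPv4 link-local (RFC 3927): the two kinds of
# address the thread reports as NOT triggering forced encryption.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# iLO Virtual NIC addresses named in the thread.
ILO_VNIC = {ipaddress.ip_address("16.1.15.1"), ipaddress.ip_address("16.1.15.2")}

def classify(ip_text):
    """Label one address by the range it falls in (IPv4 only)."""
    ip = ipaddress.ip_address(ip_text.strip())
    if ip.version != 4:
        return "ipv6-not-assessed"
    if ip in ILO_VNIC:
        return "ilo-virtual-nic"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in LOOPBACK:
        return "loopback"
    return "public-looking"

def audit(inventory_csv):
    """Return (host, interface, ip, kind) for rows a simple range check sees as public."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            kind = classify(row["ip"])
        except ValueError:
            kind = "unparseable"
        if kind in ("ilo-virtual-nic", "public-looking", "unparseable"):
            findings.append((row["host"], row["interface"], row["ip"], kind))
    return findings

# Constructed sample inventory: host names and addresses are made up,
# except 16.1.15.2, which is the address reported in the post.
SAMPLE = """host,interface,ip
vbr01,Ethernet0,10.20.30.5
vbr01,Generic USB-EEM Network Adapter,16.1.15.2
ibm01,USB virtual NIC,169.254.95.120
proxy02,Ethernet1,192.168.7.14
proxy02,Ethernet2,203.0.113.9
"""

if __name__ == "__main__":
    for host, nic, ip, kind in audit(SAMPLE):
        print(f"{host:8} {nic:33} {ip:15} {kind}")
```

Rows labelled `ilo-virtual-nic` are the ones where disabling the unused Virtual NIC, as the poster did, removes the public-looking address without touching the global encryption setting.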
-
- Veeam Software
- Posts: 3626
- Liked: 608 times
- Joined: Aug 28, 2013 8:23 am
- Full Name: Petr Makarov
- Location: Prague, Czech Republic
- Contact:
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: HPE iLO Virtual NIC causes forced encryption on LAN
Not sure if you can disable the automatic mode for this with the traffic rules.
At least in older versions there was this reg key to disable this. I remember that we had some customers that used public IPs internally for processing.
B&R Server
HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\
DisablePublicIPTrafficEncryption
Type: REG_DWORD
Default value: 0
Description: By default, traffic between different subnets and on public addresses is encrypted. To globally disable network encryption between agents, set to 1
Restart of Veeam Backup service needed (or server reboot).
-
- Enthusiast
- Posts: 51
- Liked: 10 times
- Joined: May 18, 2021 1:55 pm
- Location: Slovakia
- Contact:
Re: HPE iLO Virtual NIC causes forced encryption on LAN
@PetrM I have tried but it does not seem possible to add an exception for this. When I try to do so, a note appears saying that "for your safety", anything with a public IP will be encrypted anyway.
@Andreas Neufert if you check my post, 'DisablePublicIPTrafficEncryption' already appears in there. I'm already aware of it. But it disables this safeguard for all jobs on all subnets. I think the same can be achieved by unchecking the Encrypt checkbox on the default internet traffic rule. I do not believe Veeam wants safeguards casually disabled like that, and think that the registry setting is meant for special edge cases only.
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: HPE iLO Virtual NIC causes forced encryption on LAN
Looks like 16.1.15.1 and 16.1.15.2 are reserved IP addresses for this communication. Let me reach out to HPE to see if this is a customer configurable value.
-
- Veeam Software
- Posts: 688
- Liked: 150 times
- Joined: Jan 22, 2015 2:39 pm
- Full Name: Stefan Renner
- Location: Germany
- Contact:
Re: HPE iLO Virtual NIC causes forced encryption on LAN
Hi,
Can I ask if you really need this adapter in your server or if it would be an option to disable it in the ILO settings and use the regular network to access ILO?
Just want to understand why it is even needed. I see a need in case ILO is not connected to regular Network but other than that it is anyway something I would disable for security reasons.
Login to ILO (as Administrator) > Security > Access Settings > Click on Edit Option Next to ILO > Unselect the option "Virtual Nic" and apply.
It can also be automated:
https://hewlettpackard.github.io/ilo-re ... irtual-nic
Thanks
Stefan
Stefan Renner
Veeam PMA
-
- Veeam Software
- Posts: 41
- Liked: 21 times
- Joined: May 10, 2018 2:30 pm
- Full Name: Christopher Donohoe
- Contact:
Re: HPE iLO Virtual NIC causes forced encryption on LAN
@rennerstefan
A feature request should be added to exclude 16.1.15.2 from our auto traffic encryption.
The Virtual NIC setting was enabled by default on iLO 5 v2.10 or later. It can indeed be disabled as you suggested. Currently, this is the only solution to the "for your safety" issue when traffic encryption is not desired.
This IP is not configurable, and any attempts to change the Virtual NIC IP will make the Virtual NIC inaccessible.
-
- Veeam Software
- Posts: 688
- Liked: 150 times
- Joined: Jan 22, 2015 2:39 pm
- Full Name: Stefan Renner
- Location: Germany
- Contact:
Re: HPE iLO Virtual NIC causes forced encryption on LAN
Thanks for confirming, I will take that to the team and see how we can address it.
Stefan Renner
Veeam PMA