hpadm
Enthusiast
Posts: 51
Liked: 10 times
Joined: May 18, 2021 1:55 pm
Location: Slovakia
Contact:

HPE iLO Virtual NIC causes forced encryption on LAN

Post by hpadm »

While testing R&D on our servers, I have noticed that all backup jobs, be it physical or virtual, are being forced into encrypted network traffic mode. The cause was that the server with B&R contains the HPE iLO management module, which by default enables the Virtual NIC function which exposes a "Generic USB-EEM Network Adapter" for in-band communication, assigning IP "16.1.15.2" to the host. Since this is a network interface with a public-looking IP, this trips B&R's 'for your safety' logic, even though the interface is not going to be used to transmit backup data. I could not override this behavior by adding custom network rules. HPE servers selected for backup probably also get flagged as having a public IP and suffer the same issue.

I did not want to complicate things by using the KB2055 DisablePublicIPTrafficEncryption registry setting, so instead I switched off all the (unused) virtual NICs. In the process, I noticed that an IBM server, which has the same kind of virtual NIC functionality enabled, does not exhibit this issue. It uses 169.254.x.x addresses. That is not an RFC1918 private address, yet still seems to work. So I am guessing there is some sort of more complex exclusion list. In that case, I would like to suggest adding this 'HP reserved' IP address to it. Or alternatively, provide a way of suppressing that public IP detection behavior for specific IPs via network rules.

I originally reported this as Case #05236119, however due to 'high Support Team load' it was timed out and closed without anyone reading it. Maybe as a forum post it can at least be of use to someone.
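An added example, not part of the original post and not Veeam's or HPE's code: a small audit that classifies each adapter address on a server and reports the ones outside the private, link-local and loopback ranges, which is how 16.1.15.2 stands out while 169.254.x.x does not. The list of non-public ranges is an assumption (the thread does not state B&R's actual exclusion list), and the inventory is constructed sample data.

```python
import ipaddress

# Ranges this example treats as non-public. The exclusion list B&R really
# applies is not given in the thread, so this set is an assumption.
NON_PUBLIC = {
    "rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "link-local": ["169.254.0.0/16", "fe80::/10"],
    "loopback": ["127.0.0.0/8", "::1/128"],
    "ipv6-ula": ["fc00::/7"],
}
_NETS = [(label, ipaddress.ip_network(cidr))
         for label, cidrs in NON_PUBLIC.items() for cidr in cidrs]


def classify(addr):
    """Return the range label for addr, 'public-looking' or 'invalid'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    for label, net in _NETS:
        if ip in net:  # an IPv4/IPv6 version mismatch evaluates to False
            return label
    return "public-looking"


def audit(inventory):
    """List (adapter, address, label) for every address that is not in a
    non-public range, i.e. the ones likely to trip public-IP detection."""
    return [(adapter, addr, label)
            for adapter, addrs in inventory.items()
            for addr in addrs
            if (label := classify(addr)) in ("public-looking", "invalid")]


# Constructed inventory: the USB-EEM adapter name and 16.1.15.2 come from the
# thread; the other adapter names and addresses are made up for illustration.
SAMPLE = {
    "Ethernet0": ["192.168.10.20"],
    "Generic USB-EEM Network Adapter": ["16.1.15.2"],
    "IBM virtual NIC (hypothetical name)": ["169.254.95.120"],
}

if __name__ == "__main__":
    for adapter, addr, label in audit(SAMPLE):
        print(f"{adapter}: {addr} is {label}")
```

Replace `SAMPLE` with the adapter and address pairs collected from the B&R server and from the machines selected for backup, for example from `Get-NetIPAddress` or `ipconfig /all` output.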
PetrM
Veeam Software
Posts: 3626
Liked: 608 times
Joined: Aug 28, 2013 8:23 am
Full Name: Petr Makarov
Location: Prague, Czech Republic
Contact:

Re: HPE iLO Virtual NIC causes forced encryption on LAN

Post by PetrM »

Hello,

Did you try to disable traffic encryption in network traffic rules?

Thanks!
Andreas Neufert
VP, Product Management
Posts: 7081
Liked: 1511 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: HPE iLO Virtual NIC causes forced encryption on LAN

Post by Andreas Neufert »

Not sure if you can disable the automatic mode for this with the traffic rules.
At least in older versions there was this reg key to disable this. I remember that we had some customers that used public IPs internally for processing.

B&R Server
HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\
DisablePublicIPTrafficEncryption
Type: REG_DWORD
Default value: 0
Description: By default, traffic between different subnets and on public addresses is encrypted. To globally disable network encryption between agents, set to 1

Restart of Veeam Backup service needed (or server reboot).
hpadm

Re: HPE iLO Virtual NIC causes forced encryption on LAN

Post by hpadm »

@PetrM I have tried but it does not seem possible to add an exception for this. When I try to do so, a note appears saying that "for your safety", anything with a public IP will be encrypted anyway.

@Andreas Neufert if you check my post, 'DisablePublicIPTrafficEncryption' already appears in there. I'm already aware of it. But it disables this safeguard for all jobs on all subnets. I think the same can be achieved by unchecking the Encrypt checkbox on the default internet traffic rule. I do not believe Veeam wants safeguards casually disabled like that, and think that the registry setting is meant for special edge cases only.
Andreas Neufert

Re: HPE iLO Virtual NIC causes forced encryption on LAN

Post by Andreas Neufert »

Looks like 16.1.15.1 and 16.1.15.2 are reserved IP addresses for this communication. Let me reach out to HPE to see if this is a customer configurable value.
rennerstefan
Veeam Software
Posts: 688
Liked: 150 times
Joined: Jan 22, 2015 2:39 pm
Full Name: Stefan Renner
Location: Germany
Contact:

Re: HPE iLO Virtual NIC causes forced encryption on LAN

Post by rennerstefan »

hpadm wrote: Jan 25, 2022 2:15 pm
The cause was that the server with B&R contains the HPE iLO management module, which by default enables the Virtual NIC function which exposes a "Generic USB-EEM Network Adapter" for in-band communication, assigning IP "16.1.15.2" to the host.

Hi,

Can I ask if you really need this adapter in your server or if it would be an option to disable it in the ILO settings and use the regular network to access ILO?
Just want to understand why it is even needed. I see a need in case ILO is not connected to the regular network, but other than that it is anyway something I would disable for security reasons.
Log in to ILO (as Administrator) > Security > Access Settings > Click on Edit Option Next to ILO > Unselect the option "Virtual Nic" and apply.

It can also be automated:
https://hewlettpackard.github.io/ilo-re ... irtual-nic

Thanks
Stefan
Stefan Renner

Veeam PMA
CLDonohoe
Veeam Software
Posts: 41
Liked: 21 times
Joined: May 10, 2018 2:30 pm
Full Name: Christopher Donohoe
Contact:

Re: HPE iLO Virtual NIC causes forced encryption on LAN

Post by CLDonohoe » 1 person likes this post

@rennerstefan
A feature request should be added to exclude 16.1.15.2 from our auto traffic encryption.

The Virtual NIC setting was enabled by default on iLO 5 v2.10 or later. It can indeed be disabled as you suggested. Currently, this is the only solution to the "for your safety" issue when traffic encryption is not desired.

This IP is not configurable, and any attempts to change the Virtual NIC IP will make the Virtual NIC inaccessible.
rennerstefan

Re: HPE iLO Virtual NIC causes forced encryption on LAN

Post by rennerstefan »

Thanks for confirming, I will take that to the team and see how we can address it.
Stefan Renner

Veeam PMA