Fast Datapath Product / FDP-1328 ovs-monitor-ipsec periodically deletes established IPv6 connections / FDP-1359

[RHEL-9 OVS-3.4] ovs-monitor-ipsec periodically deletes established IPv6 connections

    • Sub-task
    • Resolution: Done-Errata
    • openvswitch3.4
    • openvswitch3.4-3.4.2-66.el9fdp
    • rhel-9
    • rhel-net-ovs-dpdk
    • ssg_networking
    • OVS/DPDK - FDP-25.D

       Problem Description: Clearly explain the issue.

      The ovs-monitor-ipsec daemon is unable to properly detect loaded IPv6 connections when using libreswan 5.2. It thinks that both sides of the connection are half-loaded and removes both:

      2025-04-23T12:04:29.336980248Z 2025-04-23T12:04:29Z | 851 | ovs-monitor-ipsec | INFO | ovn-e629de-0-in-1 is half-loaded, removing
      2025-04-23T12:04:29.392711724Z 2025-04-23T12:04:29Z | 853 | ovs-monitor-ipsec | INFO | ovn-e629de-0-out-1 is half-loaded, removing
      2025-04-23T12:04:29.449749809Z 2025-04-23T12:04:29Z | 855 | ovs-monitor-ipsec | INFO | Adding ipsec connection ovn-e629de-0-in-1
      2025-04-23T12:04:29.515320415Z 2025-04-23T12:04:29Z | 857 | ovs-monitor-ipsec | INFO | Starting ipsec connection ovn-e629de-0-out-1
      

      This happens every 15 seconds, which prevents normal traffic flow through these IPsec tunnels.
       

       Impact Assessment: Describe the severity and impact (e.g., network down, availability of a workaround, etc.).

      Network is down. The issue breaks IPv6 CI lanes in OCP and will likely be a blocker for OCP 4.19 release.
       

       Software Versions: Specify the exact versions in use (e.g., openvswitch3.1-3.1.0-147.el8fdp).

      openvswitch3.5-3.5.0-5.el9fdp
       

        Issue Type: Indicate whether this is a new issue or a regression (if a regression, state the last known working version).

      Regression from introducing tracking of loaded connections.
       

       Reproducibility: Confirm if the issue can be reproduced consistently. If not, describe how often it occurs.

      100%.
       

       Reproduction Steps: Provide detailed steps or scripts to replicate the issue.

      Set up OVS with IPsec on Geneve tunnels using IPv6 addresses, making sure that the IPv6 addresses do not start with a digit.
       

       Expected Behavior: Describe what should happen under normal circumstances.

      ovs-monitor-ipsec should properly detect that tunnels are established and not try to re-create them.
       

       Observed Behavior: Explain what actually happens.

      The daemon removes and re-creates connections every 15 seconds or so.
       

       Troubleshooting Actions: Outline the steps taken to diagnose or resolve the issue so far.

      The main problem seems to be a regex in get_loaded_conns() that expects \d to be the first character of the IP address, which is not the right check for IPv6 addresses.
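To illustrate the regex problem described above, here is an added example (not code from ovs-monitor-ipsec itself): a hypothetical pattern that requires a decimal digit right after the connection name, next to a version that captures the address up to the first "<" and validates it with the ipaddress module, both run over constructed status lines in the general shape of libreswan's per-connection output.

```python
import ipaddress
import re

# Constructed sample lines in the general shape of libreswan's per-connection
# status output (one connection name from the ticket, the rest made up);
# this is not captured daemon output.
STATUS_OUTPUT = """\
"ovn-0a1b2c-0-in-1": 192.0.2.10<192.0.2.10>...192.0.2.20<192.0.2.20>; erouted; eroute owner: #2
"ovn-0a1b2c-0-out-1": 192.0.2.10<192.0.2.10>...192.0.2.20<192.0.2.20>; erouted; eroute owner: #3
"ovn-e629de-0-in-1": fd00:10::1<fd00:10::1>...fd00:10::2<fd00:10::2>; erouted; eroute owner: #4
"ovn-e629de-0-out-1": fd00:10::1<fd00:10::1>...fd00:10::2<fd00:10::2>; erouted; eroute owner: #5
"ovn-3f4e5d-0-in-1": 2001:db8::1<2001:db8::1>...2001:db8::2<2001:db8::2>; erouted; eroute owner: #6
"ovn-e629de-0-in-1":   IKE SA #1 (not a connection line)
"""

# Hypothetical pattern reproducing the defect the ticket describes: the first
# character after the connection name must be a decimal digit, so an IPv6
# address such as fd00:10::1 never matches and the connection looks unloaded.
BUGGY_RE = re.compile(r'^"([^"]+)": \d')

# Hardened pattern: capture whatever precedes the first "<" and let the
# ipaddress module decide whether it is a valid IPv4 or IPv6 address.
FIXED_RE = re.compile(r'^"([^"]+)": (\S+?)<')


def get_loaded_conns_buggy(status):
    """Connection names found by the digit-based check."""
    return {m.group(1) for m in map(BUGGY_RE.match, status.splitlines()) if m}


def get_loaded_conns_fixed(status):
    """Connection names whose line carries a valid IPv4 or IPv6 address."""
    conns = set()
    for line in status.splitlines():
        m = FIXED_RE.match(line)
        if not m:
            continue
        try:
            ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # e.g. SA state lines that share the connection name
        conns.add(m.group(1))
    return conns


if __name__ == "__main__":
    # The fd00: tunnel from the ticket is missed by the buggy check and found
    # by the fixed one; the 2001:db8 tunnel passes both only because its
    # address happens to start with a digit.
    print("buggy:", sorted(get_loaded_conns_buggy(STATUS_OUTPUT)))
    print("fixed:", sorted(get_loaded_conns_fixed(STATUS_OUTPUT)))
```

The buggy check silently drops every tunnel whose IPv6 address begins with a hex letter or a colon, which is exactly the "make sure that IPv6 addresses do not start with a digit" condition in the reproduction steps.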

              imaximet@redhat.com Ilya Maximets