- Bug
- Resolution: Done-Errata
- Undefined
- None
- 4.13.z
- Moderate
- No
- False
Description of problem:
After disabling ovn-ipsec at runtime, not all IPsec connections are removed.
ERROR: "ovn-810f13-0-out-1" #14: kernel: xfrm XFRM_MSG_DELPOLICYdelete(UNUSED) response for flow (in): No such file or directory (errno 2)
Version-Release number of selected component (if applicable):
4.13.0-0.ci.test-2023-08-24-231926-ci-ln-69yhlt2-latest
How reproducible:
Twice
Steps to Reproduce:
1. Enable IPsec
2. oc patch networks.operator.openshift.io cluster --type=merge -p '{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"ipsecConfig":{ }}}}}'
3. Disable IPsec
4. oc patch networks.operator.openshift.io/cluster --type=json -p='[{"op":"remove", "path":"/spec/defaultNetwork/ovnKubernetesConfig/ipsecConfig"}]'
Actual results:
sh-5.1# ovs-appctl -t ovs-monitor-ipsec ipsec/status
{'ovn-810f13-0': {'ovn-810f13-0-out-1': '000 #279: "ovn-810f13-0-out-1":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 8s; idle;'}}
sh-5.1# ovs-appctl -t ovs-monitor-ipsec tunnels/show
No tunnels configured with IPsec

000 Connection list:
000
000 "ovn-810f13-0-out-1": 10.243.64.4/32:UDP/0-65535===10.243.64.4[@14213d0b-e67a-4c38-a3f7-f0ff61c4a8b8]...10.243.1.5[@810f135f-da42-4e2c-b0ba-fb4202e2277b]===10.243.1.5/32:UDP/6081; erouted HOLD; eroute owner: #0
000 "ovn-810f13-0-out-1": oriented; my_ip=unset; their_ip=unset; mycert=ovs_certkey_14213d0b-e67a-4c38-a3f7-f0ff61c4a8b8; my_updown=ipsec _updown;
000 "ovn-810f13-0-out-1": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "ovn-810f13-0-out-1": our auth:rsasig, their auth:rsasig, our autheap:none, their autheap:none;
000 "ovn-810f13-0-out-1": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "ovn-810f13-0-out-1": sec_label:unset;
000 "ovn-810f13-0-out-1": CAs: 'CN=openshift-ovn-kubernetes_signer-ca@1692925275'...'CN=openshift-ovn-kubernetes_signer-ca@1692925275'
000 "ovn-810f13-0-out-1": ike_life: 28800s; ipsec_life: 28800s; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "ovn-810f13-0-out-1": retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "ovn-810f13-0-out-1": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "ovn-810f13-0-out-1": policy: IKEv2+RSASIG+ECDSA+ENCRYPT+PFS+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+RSASIG_v1_5;
000 "ovn-810f13-0-out-1": v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "ovn-810f13-0-out-1": conn_prio: 32,32; interface: br-ex; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "ovn-810f13-0-out-1": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "ovn-810f13-0-out-1": our idtype: ID_FQDN; our id=@14213d0b-e67a-4c38-a3f7-f0ff61c4a8b8; their idtype: ID_FQDN; their id=@810f135f-da42-4e2c-b0ba-fb4202e2277b
000 "ovn-810f13-0-out-1": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "ovn-810f13-0-out-1": newest ISAKMP SA: #0; newest IPsec SA: #0; conn serial: $6;
000 "ovn-810f13-0-out-1": IKE algorithms: AES_GCM_16_256-HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
000 "ovn-810f13-0-out-1": ESP algorithms: AES_GCM_16_256-NONE
000
000 Total IPsec connections: loaded 1, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(1), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 #279: "ovn-810f13-0-out-1":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 14s; idle;
000 #279: pending CHILD SA for "ovn-810f13-0-out-1"
000
Expected results:
sh-5.1# ovs-appctl -t ovs-monitor-ipsec ipsec/status
{}
sh-5.1# ovs-appctl -t ovs-monitor-ipsec tunnels/show
No tunnels configured with IPsec
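As an added check (not part of the original report or of ovn-kubernetes), the following Python script parses the two ovs-monitor-ipsec outputs above and flags connections that libreswan still has loaded although no tunnel is configured, which is exactly the condition the actual results show and the expected results rule out. The sample outputs are constructed from the report; the "Interface name:" line format assumed for a populated tunnels/show listing is an assumption, since the page only shows the empty case.

```python
"""Detect IPsec connections that survive disabling ovn-ipsec.

Added example, not code from the bug report or from ovn-kubernetes.
ipsec/status from ovs-monitor-ipsec is a Python dict literal
{tunnel: {conn: libreswan state line}}; tunnels/show is free text.
"""
import ast
import re

# Constructed from the "Actual results" in the report: state after the
# ipsecConfig stanza was removed from the cluster network config.
STATUS_AFTER_DISABLE = (
    "{'ovn-810f13-0': {'ovn-810f13-0-out-1': "
    "'000 #279: \"ovn-810f13-0-out-1\":500 STATE_V2_PARENT_I1 "
    "(sent IKE_SA_INIT request); RETRANSMIT in 8s; idle;'}}"
)
TUNNELS_AFTER_DISABLE = "No tunnels configured with IPsec"
# Constructed from the "Expected results" in the report.
STATUS_EXPECTED = "{}"
# Constructed from the libreswan `ipsec status` excerpt in the report.
LIBRESWAN_STATUS = "000 Total IPsec connections: loaded 1, active 0"

_STATE_RE = re.compile(r"\b(STATE_[A-Z0-9_]+)\b")
_TOTALS_RE = re.compile(r"Total IPsec connections: loaded (\d+), active (\d+)")
# Assumed format of a configured tunnel in tunnels/show ("Interface name: <name> ...");
# the report only shows the empty listing, so this line shape is an assumption.
_IFACE_RE = re.compile(r"^Interface name:\s+(\S+)", re.MULTILINE)


def parse_ipsec_status(text):
    """Parse the dict literal printed by `ovs-appctl -t ovs-monitor-ipsec ipsec/status`."""
    data = ast.literal_eval(text.strip())
    if not isinstance(data, dict):
        raise ValueError("unexpected ipsec/status output: %r" % text)
    return data


def parse_tunnels_show(text):
    """Return the set of tunnel names ovs-monitor-ipsec still manages."""
    if "No tunnels configured with IPsec" in text:
        return set()
    return set(_IFACE_RE.findall(text))


def ike_state(status_line):
    """Extract the libreswan state name (e.g. STATE_V2_PARENT_I1) from a status line."""
    m = _STATE_RE.search(status_line)
    return m.group(1) if m else "UNKNOWN"


def stale_connections(status, tunnels):
    """Connections loaded in libreswan whose tunnel is no longer configured.

    Once ipsecConfig is removed, every entry returned here is leaked state:
    the conn policy still carries +UP, so pluto keeps retransmitting
    IKE_SA_INIT to its peer instead of the conn being deleted.
    """
    stale = []
    for tunnel, conns in status.items():
        if tunnel in tunnels:
            continue
        for conn, line in conns.items():
            stale.append((tunnel, conn, ike_state(line)))
    return sorted(stale)


def connection_totals(libreswan_status):
    """(loaded, active) from `ipsec status`; both should be 0 once IPsec is off."""
    m = _TOTALS_RE.search(libreswan_status)
    if not m:
        raise ValueError("no 'Total IPsec connections' line found")
    return int(m.group(1)), int(m.group(2))


def check_disabled(status_text, tunnels_text):
    """Return human-readable findings; an empty list matches the expected results."""
    stale = stale_connections(parse_ipsec_status(status_text),
                              parse_tunnels_show(tunnels_text))
    return ["%s/%s still loaded (%s)" % (t, c, s) for t, c, s in stale]


if __name__ == "__main__":
    for finding in check_disabled(STATUS_AFTER_DISABLE, TUNNELS_AFTER_DISABLE):
        print("LEAKED:", finding)
    print("expected case:", check_disabled(STATUS_EXPECTED, TUNNELS_AFTER_DISABLE))
    print("libreswan totals (loaded, active):", connection_totals(LIBRESWAN_STATUS))
```

To use it on a cluster, run it inside the ovn-ipsec host pod after step 4 and feed `check_disabled` the live output of `ovs-appctl -t ovs-monitor-ipsec ipsec/status` and `tunnels/show`; an empty result is the expected state. `connection_totals` covers the libreswan summary line (`loaded 1, active 0` in the report), which should read `loaded 0` once the connection has really been removed rather than left retransmitting.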
Additional info:
Links to: RHSA-2023:7198 OpenShift Container Platform 4.15 security update