Setting ESP offload off for bonds does not work reliably

       * Previously, enabling encapsulated security payload (ESP) offload hardware when using IPSec on Open vSwitch attached interfaces would break connectivity in your cluster. To resolve this issue, [product-title] by default disables ESP hardware offload on Open vSwitch attached interfaces. This fixes the issue. (link:https://issues.redhat.com/browse/OCPBUGS-42987[*OCPBUGS-42987*])
    • Bug Fix
    • Done

      It has been observed that the esp_offload kernel module might be loaded by libreswan even if bond ESP offloads have been correctly turned off.

      This might be because the ipsec service and configure-ovs run at the same time, so it is possible that the ipsec service starts when bond offloads are not yet turned off, which tricks libreswan into thinking they should be used.

      The potential fix would be to run the ipsec service after configure-ovs.
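
One way to check a node for the state described above, as an added example (not code from this issue or from OpenShift): it parses `ethtool -k` and `/proc/modules` output and flags the case where ESP offload features are off but an ESP offload module is still loaded. The feature names, the module names `esp4_offload`/`esp6_offload`, the function names and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a node's ESP offload state from captured command output.
# Assumption: the "esp_offload" module in the report is esp4_offload / esp6_offload,
# and the bond offloads are the three ESP features that `ethtool -k` lists.

# Print ESP offload features reported "on" in `ethtool -k <iface>` output (stdin).
esp_features_on() {
    awk -F': *' '
        $1 ~ /^[ \t]*(esp-hw-offload|esp-tx-csum-hw-offload|tx-esp-segmentation)$/ {
            split($2, v, " ")              # drop a trailing "[fixed]" marker
            if (v[1] == "on") { gsub(/^[ \t]+/, "", $1); print $1 }
        }'
}

# Print ESP offload modules present in /proc/modules-style input (stdin).
esp_modules_loaded() {
    awk '$1 == "esp4_offload" || $1 == "esp6_offload" { print $1 }'
}

# classify_esp_state <ethtool -k output> <contents of /proc/modules>
classify_esp_state() {
    feats=$(printf '%s\n' "$1" | esp_features_on)
    mods=$(printf '%s\n' "$2" | esp_modules_loaded)
    if [ -n "$feats" ]; then
        echo "offload-enabled"                  # offloads were never turned off
    elif [ -n "$mods" ]; then
        echo "module-loaded-with-offload-off"   # the state this report describes
    else
        echo "ok"
    fi
}

# Constructed sample input (not taken from a real node).
SAMPLE_ETHTOOL_OFF='Features for bond0:
tx-esp-segmentation: off
esp-hw-offload: off
esp-tx-csum-hw-offload: off'
SAMPLE_ETHTOOL_ON='Features for bond0:
tx-esp-segmentation: on
esp-hw-offload: on
esp-tx-csum-hw-offload: off [fixed]'
SAMPLE_MODULES='esp4_offload 16384 0 - Live 0x0000000000000000
esp4 28672 1 esp4_offload, Live 0x0000000000000000
bonding 200704 0 - Live 0x0000000000000000'

# Live use on a node (bond0 is a placeholder interface name):
#   classify_esp_state "$(ethtool -k bond0)" "$(cat /proc/modules)"
```

A result of `module-loaded-with-offload-off` after boot is consistent with the ordering race suspected above, since the module stays loaded even though the bond features were later switched off.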

              jcaamano@redhat.com Jaime Caamaño Ruiz
              Ross Brattain