RHEL-61461

Two issues in CREATE_CHILD_SA processing

    • Bug
    • Resolution: Unresolved
    • Critical
    • rhel-9.6
    • rhel-9.2.0.z
    • libreswan
    • None
    • libreswan-4.15-4.el9
    • Yes
    • Important
    • ZStream
    • 1
    • rhel-sst-security-crypto
    • ssg_security
    • 15
    • None
    • False
    • None
    • No
    • Crypto24Q4
    • Approved Blocker
    • (1) following the reproducing steps in the description, no timeout is observed at ipsec auto --start
      (2) following the reproducing steps in the description, no assertion failure indicating race condition in crypto operations
    • None
    • None
    • Unspecified Release Note Type - Unknown
    • None

      What were you trying to do that didn't work?

      This is related to OCPBUGS-41551. See the ipsec.conf listed in the bug. The same config is repeated 399 times (we have 400 nodes). With libreswan-4.5 all works fine. After updating to 4.9 there are a couple of regressions:

      • ipsec auto --start --asynchronous sometimes blocks
      • pluto sometimes hits assertion failure ("state already has outstanding crypto") and aborts

      What is the impact of this issue to you?

      Serious customer impact (see bug mentioned above). Nodes need to be restarted to keep working.

      Please provide the package NVR for which the bug is seen:

      libreswan-4.9-5.el9_2.2

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. git clone -b tmp-ipsec-reconcile-v4 https://github.com/igsilya/ovs
      2. cd ovs
      3. ./boot.sh && ./configure && make -j$(nproc)
      4. sudo make -j$(nproc) check-kernel TESTSUITEFLAGS='-k reconciliation -v -d'
      5. Check tests/system-kmod-testsuite.dir/203/node-*/pluto.log

      Expected results

      No timeout or abort should be observed.

      Actual results

      There are matches of "timed out" and "state already has outstanding crypto" in the log.

              dueno@redhat.com Daiki Ueno
              omoris Ondrej Moris
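The log check from step 5 and the two verification criteria can be scripted. The following is an added example, not part of the original report or of libreswan/OVS: it assumes the `node-*/pluto.log` layout named in step 5, and the function name and return-code convention are this example's own.

```shell
# Added example: scan per-node pluto logs for the two failure strings quoted
# under "Actual results". Function name and exit codes are assumptions.
#
# scan_pluto_logs TESTDIR
#   Prints "node<TAB>signature<TAB>count" for every signature found.
#   Returns 0 if every log is clean, 1 if any signature matched, and
#   2 if no pluto.log exists (a missing log must not be read as a pass).
scan_pluto_logs() {
    spl_dir=$1
    spl_seen=0
    spl_hits=0
    for spl_log in "$spl_dir"/node-*/pluto.log; do
        # An unmatched glob stays literal; skip anything that is not a file.
        [ -f "$spl_log" ] || continue
        spl_seen=1
        spl_node=$(basename "$(dirname "$spl_log")")
        for spl_sig in "timed out" "state already has outstanding crypto"; do
            # -F: fixed string, -c: count lines; grep exits 1 on zero matches.
            spl_n=$(grep -cF -- "$spl_sig" "$spl_log" || true)
            if [ "$spl_n" -gt 0 ]; then
                printf '%s\t%s\t%s\n' "$spl_node" "$spl_sig" "$spl_n"
                spl_hits=1
            fi
        done
    done
    [ "$spl_seen" -eq 1 ] || return 2
    return "$spl_hits"
}

# Usage, with the directory from step 5:
#   scan_pluto_logs tests/system-kmod-testsuite.dir/203
```

A return code of 0 corresponds to both verification criteria holding for that run; 2 means the test did not produce logs and the result should not be counted.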