RHEL-67031

systemctl status ipsec shows "no such file or directory" when the far side drops the tunnel

    • Bug
    • Resolution: Obsolete
    • rhel-8.10
    • libreswan
    • No
    • ZStream
    • rhel-sst-security-crypto
    • ssg_security
    • False
    • Red Hat Enterprise Linux
    • All

      What were you trying to do that didn't work?

      Trying to use Libreswan 4.12 with RHEL 8.6 in a lab to work around a bug with Libreswan 4.5. On a system with two tunnels: NodeA --> NodeB, and NodeA --> NodeC.

      NodeA runs Libreswan 4.12. NodeB and NodeC run Libreswan 4.5.

      NodeB drops the tunnel. The NodeC tunnel stays unchanged.

      From NodeA, do `systemctl status ipsec`.

      It shows 

      ERROR: kernel: xfrm XFRM_MSG_DELPOLICY %pass(none) response for flow (out): No such file or directory (errno 2)

      as part of its output.

      What is the impact of this issue to you?

      The error message seems mostly annoying. It goes away after they bring the tunnel back up and NodeA clears all the bare shunts.

      Please provide the package NVR for which the bug is seen:

      Libreswan 4.12 from RHEL 8.10, but installed on RHEL 8.6.

      How reproducible is this bug?

      At will.

      Steps to reproduce

      1. Build ipsec tunnels from NodeA to NodeB and NodeA to NodeC with Libreswan 4.12 on NodeA, Libreswan 4.5 on NodeB and NodeC, RHEL 8.6 on all nodes.
      2. From NodeB, drop the tunnel.
      3. From NodeA, do `systemctl status ipsec`

      Expected results

      "systemctl status ipsec" should return the normal systemctl status info.

      Actual results

      "systemctl status ipsec" at target node A returns

          ERROR: kernel: xfrm XFRM_MSG_DELPOLICY %pass(none) response for flow (out): No such file or directory (errno 2)

      Also, for the connection which is down, the logs below are visible while executing "sudo ipsec status" (I inserted fake IP addresses):

          000 Bare Shunt list:
          000
          000 1.2.3.4/32:43344 -6-> 5.6.7.8/32:111 => %hold 0    acquire
          000 1.2.3.4/32:43344 -6-> 5.6.7.8/32:111 => %hold 0    acquire
          000 1.2.3.4/32:0 -6-> 5.6.7.8/32:111 => %hold 0    acquire
          000 1.2.3.4/32:58758 -6-> 5.6.7.8/32:111 => %hold 0    acquire
          000 1.2.3.4/32:58758 -6-> 5.6.7.8/32:111 => %hold 0    acquire
          000 1.2.3.4/32:0 -6-> 5.6.7.8/32:111 => %hold 0    acquire
          000 1.2.3.4/32:48938 -6-> 5.6.7.8/32:111 => %hold 0    acquire

      When the tunnel came back up, this error on Node A appears multiple times until it deletes all the bare shunts. Once it clears out all the bare shunts, this error stops appearing.

              dueno@redhat.com Daiki Ueno
              rhn-support-gscott Greg Scott
              Daiki Ueno
              Ondrej Moris