Project

General

Profile

Actions

Regression #11910

closed

IPsec status tunnel descriptions are incorrect

Added by Jim Pingle 5 months ago. Updated about 1 month ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
IPsec
Target version:
Start date:
05/12/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
21.09
Release Notes:
Default
Affected Version:
2.5.2
Affected Architecture:

Description

Moving from internal Redmine since this affects CE and Plus and isn't hardware-dependent.

Original description:

I'm currently seeing wrong tunnel descriptions for site to site ipsec tunnels under 'status > ipsec'.

21.05-DEVELOPMENT (amd64)
built on Thu Apr 29 12:02:40 EDT 2021
FreeBSD 12.2-STABLE

Attached are images which indicate what I'm talking about.

I've seen this for at least a few weeks since I've been testing dev builds.

It survives reboots, and upgrades, and I see the wrong tunnel name with 'ipsec statusall' as well.

See NG 6284 for the attachments.

My note:

Probably something with the shift in numbering that Renato recently worked on (#11794). In the status output that cjl tunnel is "con8" which normally would be associated with the P1 that has an ikeid of 8, but the tunnel with an ikeid of 8 is Bob. So somehow it's not forming the expected connection numbers or it's not properly checking against the right reverse mapping when doing the status.


Files

Screen Shot 2021-06-04 at 9.32.55 AM.png (17.4 KB) Screen Shot 2021-06-04 at 9.32.55 AM.png Chris Linstruth, 06/04/2021 08:35 AM
Screen Shot 2021-06-04 at 9.32.42 AM.png (40 KB) Screen Shot 2021-06-04 at 9.32.42 AM.png Chris Linstruth, 06/04/2021 08:35 AM
ipsec_status.png (56.6 KB) ipsec_status.png Marcos Mendoza, 06/11/2021 05:06 AM
widget_overview.png (4.7 KB) widget_overview.png Marcos Mendoza, 06/11/2021 05:06 AM
widget_tunnels.png (7.65 KB) widget_tunnels.png Marcos Mendoza, 06/11/2021 05:06 AM
vti.png (51.4 KB) vti.png Marcos Mendoza, 06/25/2021 12:55 PM
ipsec_wrong_description.png (98.4 KB) ipsec_wrong_description.png Charles Hamilton, 08/02/2021 07:19 AM

Related issues

Related to Regression #11794: IPsec VTI interface names are not properly formed for more than 32 interfacesClosedRenato Botelho04/09/2021

Actions
Has duplicate Bug #12123: 2.5.2 Ipsec Tunnel Status Dashboard Widget - Count of active tunnels, and Inactive tunnels is wrongDuplicate07/10/2021

Actions
Actions #1

Updated by Jim Pingle 5 months ago

  • Related to Regression #11794: IPsec VTI interface names are not properly formed for more than 32 interfaces added
Actions #2

Updated by Jim Pingle 5 months ago

  • Plus Target Version changed from 21.05 to 21.09

Renato said the fix for this will need to wait for the next release

Actions #3

Updated by Chris Linstruth 5 months ago

Also seeing strangeness in the IPsec dashboard widget. Customer also reporting the active tunnel counts are incorrect in the widget but I can't duplicate that.

Actions #4

Updated by Marcos Mendoza 4 months ago

I can replicate the active tunnel count being incorrect, as well as incorrect status, by using P1s with the option "Gateway duplicates". See attached.

Notice on the status image, con1 should have a description of "SiteA-B-IPsec WAN2" and have a different number in the IPsec VTI range.

Actions #5

Updated by Steve Wheeler 4 months ago

I saw this behaviour when adding a VTI phase 2 to a system which already had a mobile IPSec tunnel defined.
Both configured to carry 0.0.0.0/0. Something over-matching there potentially.

Actions #6

Updated by Kris Phillips 4 months ago

Saw this yesterday. Customer has the following:

3 P1s, 2 were IKEv1 and 1 was IKEv2
3 P2s, the 2 for the IKEv1 were tunnel mode, the IKEv2 was vti

The status page would show the VTI as always disconnected, but there would be a duplicate of one of the IKEv1 tunnels with the same name, but had the VTI tunnel's information other than the description. If you hit disconnect on the duplicate it would disappear into the ether. If you hit connect on the VTI tunnel the duplicate would re-appear.

Actions #7

Updated by Renato Botelho 4 months ago

Kris Phillips wrote:

Saw this yesterday. Customer has the following:

3 P1s, 2 were IKEv1 and 1 was IKEv2
3 P2s, the 2 for the IKEv1 were tunnel mode, the IKEv2 was vti

The status page would show the VTI as always disconnected, but there would be a duplicate of one of the IKEv1 tunnels with the same name, but had the VTI tunnel's information other than the description. If you hit disconnect on the duplicate it would disappear into the ether. If you hit connect on the VTI tunnel the duplicate would re-appear.

It's a smaller scenario than the one I was using to reproduce. Is it possible to share a sanitized version of this config with me?

Actions #8

Updated by Marcos Mendoza 4 months ago

Another scenario which may be related to whatever root cause this is:

While DPD is happening, i.e. waiting for the default 5 retransmits to finish, clicking Disconnect on IPsec status page does nothing.

Actions #9

Updated by Marcos Mendoza 4 months ago

Also in another setup, just having two VTI tunnels seems to do the same thing. See image attached.

Actions #10

Updated by Jim Pingle 3 months ago

  • Tracker changed from Bug to Regression
  • Status changed from New to Confirmed
  • Priority changed from Normal to High
Actions #11

Updated by Jim Pingle 3 months ago

  • Affected Version set to 2.5.2
Actions #12

Updated by Kris Phillips 3 months ago

Ran into this today as well. This seems to happen with multiple VTI tunnels or a mix of VTI and Tunnel mode. I don't believe I've ever seen this when all tunnels were tunnel mode.

Actions #13

Updated by Jim Pingle 3 months ago

  • Has duplicate Bug #12123: 2.5.2 Ipsec Tunnel Status Dashboard Widget - Count of active tunnels, and Inactive tunnels is wrong added
Actions #14

Updated by Jim Pingle 3 months ago

  • Assignee changed from Renato Botelho to Jim Pingle

To me, I have some ideas on how to address it.

Actions #15

Updated by Jim Pingle 3 months ago

I managed to reproduce it naturally on a system here and it looks like one way this is happening is due to vtimaps making a VTI with an ifnum of 1 for example which ends up with the resulting config being con1 and ipsec1 even though the ikeid is higher (e.g. 5), and the GUI gets confused because there is another non-VTI tunnel which is, for example, con100000 because it is actually ikeid 1.

I'm working on redoing how all of this is handled (ipsec config names, ikeid, reqid, VTI interface numbering) in a fundamental way which will fix this and several other issues at the same time.

Actions #16

Updated by Jim Pingle 3 months ago

  • Status changed from Confirmed to In Progress
Actions #17

Updated by Jim Pingle 3 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100
Actions #18

Updated by Charles Hamilton 3 months ago

It seems this also prevents newly-added tunnels from coming up unless the VTI is disabled. Do we have an ETA on a fix yet?

Thank you!

Actions #19

Updated by Jim Pingle 3 months ago

Charles Hamilton wrote in #note-18:

It seems this also prevents newly-added tunnels from coming up unless the VTI is disabled. Do we have an ETA on a fix yet?

That should be fixed along with everything else in snapshots. Try it there.

Actions #20

Updated by Charles Hamilton 2 months ago

That should be fixed along with everything else in snapshots. Try it there.

Confirmed! 21.09.a.20210806.0100 fixes the issue. Is there an official release date for 21.09 yet?

Thanks!

Actions #21

Updated by Charles Hamilton 2 months ago

  • File error1.PNG added
  • File error2.PNG added
Actions #22

Updated by Jim Pingle 2 months ago

  • File deleted (error1.PNG)
Actions #23

Updated by Jim Pingle 2 months ago

  • File deleted (error2.PNG)
Actions #24

Updated by Jim Pingle about 1 month ago

  • Status changed from Feedback to Resolved

This is all working correctly now on current IPsec code.

Actions

Also available in: Atom PDF