Bug #12566

open

IPsec initiates on HA backup node when a tunnel interface is set to a gateway group

Added by Marcos Mendoza about 2 months ago. Updated about 1 month ago.

Status: Feedback
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.01
Release Notes: Default
Affected Version: 2.6.0
Affected Architecture:
Description

On a BACKUP node, when the IPsec daemon is started, any Phase1 configuration which is set to a gateway group will result in connection/initiate attempts. This behavior does not exist when the Phase1 configuration is set to a VIP. This can happen when, for example, doing the following:
  1. after reboot
  2. manually stopping/starting the service
  3. changing the config to switch from VIP to GW group

Separately, I also see the following in the IPsec logs of the BACKUP node. I'm not clear on what is triggering this however (it is not the keepalive option).

Dec 5 16:59:23     charon     26121     07[KNL] creating acquire job for policy 192.0.2.4/32|/0 === 198.51.100.2/32|/0 with reqid {5001}
Dec 5 16:59:23     charon     26121     15[CFG] trap not found, unable to acquire reqid 5001
Dec 5 16:59:26     charon     26121     15[KNL] creating acquire job for policy 192.0.2.4/32|/0 === 198.51.100.3/32|/0 with reqid {5002}
Dec 5 16:59:26     charon     26121     07[CFG] trap not found, unable to acquire reqid 5002
Dec 5 16:59:29     charon     26121     07[KNL] creating acquire job for policy 192.0.2.4/32|/0 === 198.51.100.2/32|/0 with reqid {5001}
Dec 5 16:59:29     charon     26121     09[CFG] trap not found, unable to acquire reqid 5001
Dec 5 16:59:32     charon     26121     09[KNL] creating acquire job for policy 192.0.2.4/32|/0 === 198.51.100.3/32|/0 with reqid {5002}
Dec 5 16:59:32     charon     26121     07[CFG] trap not found, unable to acquire reqid 5002
Dec 5 16:59:35     charon     26121     07[KNL] creating acquire job for policy 192.0.2.4/32|/0 === 198.51.100.2/32|/0 with reqid {5001}
Dec 5 16:59:35     charon     26121     09[CFG] trap not found, unable to acquire reqid 5001

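The log excerpt above shows a repeating pair of charon messages: the kernel creates an acquire job for a policy, and charon immediately answers that it has no trap policy for that reqid. The following parser is an added example for monitoring a backup node for that pattern; it is not pfSense or strongSwan code, the function names are this example's own, and its sample input is the ten log lines quoted in the description.

```python
"""Flag repeated charon acquire jobs that have no matching trap policy.

On an HA backup node strongSwan is expected to stay quiet, so a run of
"creating acquire job ... reqid {N}" lines each answered by
"trap not found, unable to acquire reqid N" is worth alerting on.
Example code only; names (find_orphaned_acquires, backup_node_alerts)
are assumptions, not pfSense or strongSwan APIs.
"""
import re
from collections import Counter, defaultdict

# Sample input: the charon lines quoted in the bug description.
SAMPLE_LOG = [
    "Dec 5 16:59:23     charon     26121     07[KNL] creating acquire job for policy 192.0.2.4/32|/0 === 198.51.100.2/32|/0 with reqid {5001}",
    "Dec 5 16:59:23     charon     26121     15[CFG] trap not found, unable to acquire reqid 5001",
    "Dec 5 16:59:26     charon     26121     15[KNL] creating acquire job for policy 192.0.2.4/32|/0 === 198.51.100.3/32|/0 with reqid {5002}",
    "Dec 5 16:59:26     charon     26121     07[CFG] trap not found, unable to acquire reqid 5002",
    "Dec 5 16:59:29     charon     26121     07[KNL] creating acquire job for policy 192.0.2.4/32|/0 === 198.51.100.2/32|/0 with reqid {5001}",
    "Dec 5 16:59:29     charon     26121     09[CFG] trap not found, unable to acquire reqid 5001",
    "Dec 5 16:59:32     charon     26121     09[KNL] creating acquire job for policy 192.0.2.4/32|/0 === 198.51.100.3/32|/0 with reqid {5002}",
    "Dec 5 16:59:32     charon     26121     07[CFG] trap not found, unable to acquire reqid 5002",
    "Dec 5 16:59:35     charon     26121     07[KNL] creating acquire job for policy 192.0.2.4/32|/0 === 198.51.100.2/32|/0 with reqid {5001}",
    "Dec 5 16:59:35     charon     26121     09[CFG] trap not found, unable to acquire reqid 5001 ",
]

# Timestamp, daemon name, pid and "NN[SUBSYS]" thread tag shared by both shapes.
_PREFIX = r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+charon\s+(?P<pid>\d+)\s+\d+"

ACQUIRE_RE = re.compile(
    _PREFIX + r"\[KNL\]\s+creating acquire job for policy "
    r"(?P<src>\S+) === (?P<dst>\S+) with reqid \{(?P<reqid>\d+)\}\s*$"
)
TRAP_MISSING_RE = re.compile(
    _PREFIX + r"\[CFG\]\s+trap not found, unable to acquire reqid (?P<reqid>\d+)\s*$"
)


def parse_charon_lines(lines):
    """Group acquire jobs and trap-not-found messages by reqid."""
    acquires = defaultdict(list)  # reqid -> [(timestamp, src policy, dst policy)]
    missing = Counter()           # reqid -> number of "trap not found" lines
    for line in lines:
        m = ACQUIRE_RE.match(line)
        if m:
            acquires[m["reqid"]].append((m["ts"], m["src"], m["dst"]))
            continue
        m = TRAP_MISSING_RE.match(line)
        if m:
            missing[m["reqid"]] += 1
    return acquires, missing


def find_orphaned_acquires(lines, threshold=2):
    """Return reqids seen at least `threshold` times as acquire jobs that
    charon also rejected at least `threshold` times for lack of a trap."""
    acquires, missing = parse_charon_lines(lines)
    findings = {}
    for reqid, events in acquires.items():
        if len(events) >= threshold and missing.get(reqid, 0) >= threshold:
            findings[reqid] = {
                "acquires": len(events),
                "trap_missing": missing[reqid],
                "policies": sorted({(src, dst) for _, src, dst in events}),
            }
    return findings


def backup_node_alerts(lines, node_role, threshold=2):
    """Produce alert strings only when the node is in the BACKUP role,
    since a MASTER node is expected to be negotiating these SAs."""
    if node_role.upper() != "BACKUP":
        return []
    findings = find_orphaned_acquires(lines, threshold)
    return [
        f"reqid {reqid}: {f['acquires']} acquire jobs, "
        f"{f['trap_missing']} trap-not-found, policies {f['policies']}"
        for reqid, f in sorted(findings.items())
    ]


if __name__ == "__main__":
    for alert in backup_node_alerts(SAMPLE_LOG, "BACKUP"):
        print(alert)
```

Run against the quoted excerpt it reports reqid 5001 (three acquire jobs, three rejections) and reqid 5002 (two of each); the same input on a node reporting itself as MASTER produces nothing, which keeps the check specific to the behaviour this report describes.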
Related issues

Related to Bug #12075: Changes to an existing IPsec configuration are not applied on HA secondary after XMLRPC sync (Resolved, Viktor Gurov, 06/23/2021)

Actions #1

Updated by Marcos Mendoza about 2 months ago

  • Affected Version set to 2.6.0
Actions #2

Updated by Marcos Mendoza about 2 months ago

  • Subject changed from When IPsec starts, all IKE_SAs are initiated when set to gateway group and the VIP is in the BACKUP state. to When IPsec starts on the backup node, IKE_SAs are initiated when bound to a gateway group.
Actions #3

Updated by Marcos Mendoza about 2 months ago

  • Description updated (diff)
Actions #4

Updated by Viktor Gurov about 1 month ago

  • Related to Bug #12075: Changes to an existing IPsec configuration are not applied on HA secondary after XMLRPC sync added
Actions #6

Updated by Jim Pingle about 1 month ago

  • Status changed from New to Pull Request Review
  • Assignee set to Viktor Gurov
  • Target version set to 2.6.0
  • Plus Target Version set to 22.01
Actions #7

Updated by Viktor Gurov about 1 month ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions #8

Updated by Jim Pingle about 1 month ago

  • Subject changed from When IPsec starts on the backup node, IKE_SAs are initiated when bound to a gateway group. to IPsec initiates on HA backup node when a tunnel interface is set to a gateway group

Updating subject for release notes.
