Bug #12566
Closed
IPsec initiates on HA backup node when a tunnel interface is set to a gateway group
Start date:
Due date:
% Done:
100%
Estimated time:
Plus Target Version:
22.01
Release Notes:
Default
Affected Version:
2.6.0
Affected Architecture:
Description
On a BACKUP node, when the IPsec daemon is started, any Phase1 configuration which is set to a gateway group will result in connection/initiate attempts. This behavior does not exist when the Phase1 configuration is set to a VIP. This can happen when, for example, doing the following:
- after reboot
- manually stopping/starting the service
- changing the config to switch from VIP to GW group
Separately, I also see the following in the IPsec logs of the BACKUP node. I'm not clear on what is triggering this, however (it is not the keepalive option).
Dec 5 16:59:23 charon 26121 07[KNL] creating acquire job for policy 192.0.2.4/32|/0 === 198.51.100.2/32|/0 with reqid {5001}
Dec 5 16:59:23 charon 26121 15[CFG] trap not found, unable to acquire reqid 5001
Dec 5 16:59:26 charon 26121 15[KNL] creating acquire job for policy 192.0.2.4/32|/0 === 198.51.100.3/32|/0 with reqid {5002}
Dec 5 16:59:26 charon 26121 07[CFG] trap not found, unable to acquire reqid 5002
Dec 5 16:59:29 charon 26121 07[KNL] creating acquire job for policy 192.0.2.4/32|/0 === 198.51.100.2/32|/0 with reqid {5001}
Dec 5 16:59:29 charon 26121 09[CFG] trap not found, unable to acquire reqid 5001
Dec 5 16:59:32 charon 26121 09[KNL] creating acquire job for policy 192.0.2.4/32|/0 === 198.51.100.3/32|/0 with reqid {5002}
Dec 5 16:59:32 charon 26121 07[CFG] trap not found, unable to acquire reqid 5002
Dec 5 16:59:35 charon 26121 07[KNL] creating acquire job for policy 192.0.2.4/32|/0 === 198.51.100.2/32|/0 with reqid {5001}
Dec 5 16:59:35 charon 26121 09[CFG] trap not found, unable to acquire reqid 5001
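Added example (not part of the original report or of the project's code): a small parser that pairs the `creating acquire job` and `trap not found` lines quoted above and counts them per reqid, so the repeating pattern on a BACKUP node can be spotted in a larger log. The function names and the `threshold` cutoff are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Log lines copied from the excerpt in the description above.
SAMPLE = """\
Dec 5 16:59:23 charon 26121 07[KNL] creating acquire job for policy 192.0.2.4/32|/0 === 198.51.100.2/32|/0 with reqid {5001}
Dec 5 16:59:23 charon 26121 15[CFG] trap not found, unable to acquire reqid 5001
Dec 5 16:59:26 charon 26121 15[KNL] creating acquire job for policy 192.0.2.4/32|/0 === 198.51.100.3/32|/0 with reqid {5002}
Dec 5 16:59:26 charon 26121 07[CFG] trap not found, unable to acquire reqid 5002
Dec 5 16:59:29 charon 26121 07[KNL] creating acquire job for policy 192.0.2.4/32|/0 === 198.51.100.2/32|/0 with reqid {5001}
Dec 5 16:59:29 charon 26121 09[CFG] trap not found, unable to acquire reqid 5001
Dec 5 16:59:32 charon 26121 09[KNL] creating acquire job for policy 192.0.2.4/32|/0 === 198.51.100.3/32|/0 with reqid {5002}
Dec 5 16:59:32 charon 26121 07[CFG] trap not found, unable to acquire reqid 5002
Dec 5 16:59:35 charon 26121 07[KNL] creating acquire job for policy 192.0.2.4/32|/0 === 198.51.100.2/32|/0 with reqid {5001}
Dec 5 16:59:35 charon 26121 09[CFG] trap not found, unable to acquire reqid 5001
""".splitlines()

ACQUIRE = re.compile(r"\[KNL\] creating acquire job for policy (\S+) === (\S+) with reqid \{(\d+)\}")
FAILED = re.compile(r"\[CFG\] trap not found, unable to acquire reqid (\d+)")

def summarize(lines):
    """Count acquire jobs and 'trap not found' failures per reqid."""
    stats = defaultdict(lambda: {"policy": ("?", "?"), "acquires": 0, "failed": 0})
    for line in lines:
        m = ACQUIRE.search(line)
        if m:
            src, dst, reqid = m.groups()
            stats[int(reqid)]["policy"] = (src, dst)
            stats[int(reqid)]["acquires"] += 1
            continue
        m = FAILED.search(line)
        if m:  # a failure with no preceding acquire line keeps policy ("?", "?")
            stats[int(m.group(1))]["failed"] += 1
    return dict(stats)

def repeated_failures(stats, threshold=2):
    """Return reqids that failed at least `threshold` times (assumed cutoff)."""
    return sorted(r for r, s in stats.items() if s["failed"] >= threshold)

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for reqid in repeated_failures(stats):
        s = stats[reqid]
        print(f"reqid {reqid}: {s['policy'][0]} === {s['policy'][1]} "
              f"acquires={s['acquires']} failed={s['failed']}")
```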
Related issues
Updated by Marcos M about 3 years ago
- Subject changed from When IPsec starts, all IKE_SAs are initiated when set to gateway group and the VIP is in the BACKUP state. to When IPsec starts on the backup node, IKE_SAs are initiated when bound to a gateway group.
Updated by Viktor Gurov about 3 years ago
- Related to Bug #12075: Changes to an existing IPsec configuration are not applied on HA secondary after XMLRPC sync added
Updated by Viktor Gurov about 3 years ago
Updated by Jim Pingle about 3 years ago
- Status changed from New to Pull Request Review
- Assignee set to Viktor Gurov
- Target version set to 2.6.0
- Plus Target Version set to 22.01
Updated by Viktor Gurov about 3 years ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Applied in changeset af9fb2654b22b73b0100b502ab094576b317ba43.
Updated by Jim Pingle about 3 years ago
- Subject changed from When IPsec starts on the backup node, IKE_SAs are initiated when bound to a gateway group. to IPsec initiates on HA backup node when a tunnel interface is set to a gateway group
Updating subject for release notes.