Bug #13102

open

Deleting an IPSec tunnel doesn't destroy the SA (SADs/SPDs), causes crash in status_ipsec.php

Added by luckman212 2 months ago. Updated about 14 hours ago.

Status: New
Priority: Normal
Assignee: Viktor Gurov
Category: IPsec
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.11
Release Notes: Force Exclusion
Affected Version: 2.7.0
Affected Architecture:

Description

  • Running 22.05.a.20220426.1313 on a Netgate 6100
  • Not sure if this is a regression in 22.05 or an old bug.

Today I deleted an IKEv2 P1 (legacy, not VTI) that was active. I expected this to tear down the tunnel. It did not, so when I went to Status -> IPsec, I saw that there was still an active connection and SAs showing there. I believe at some point one of the scripts on that page (or the dashboard IPsec widget) caused this crash in PHP:

Crash report begins.  Anonymous machine information:

amd64
12.3-STABLE
FreeBSD 12.3-STABLE plus-devel-12-n202664-041fc0bc0fd pfSense

Crash report details:

PHP Errors:
[26-Apr-2022 16:29:11 America/New_York] PHP Warning:  array_key_first() expects parameter 1 to be array, null given in /usr/local/www/status_ipsec.php on line 345
[26-Apr-2022 16:29:11 America/New_York] PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /usr/local/www/status_ipsec.php on line 347
[26-Apr-2022 16:29:16 America/New_York] PHP Warning:  array_key_first() expects parameter 1 to be array, null given in /usr/local/www/status_ipsec.php on line 345
[26-Apr-2022 16:29:16 America/New_York] PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /usr/local/www/status_ipsec.php on line 347
[26-Apr-2022 16:29:22 America/New_York] PHP Warning:  array_key_first() expects parameter 1 to be array, null given in /usr/local/www/status_ipsec.php on line 345
[26-Apr-2022 16:29:22 America/New_York] PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /usr/local/www/status_ipsec.php on line 347
[26-Apr-2022 16:29:22 America/New_York] PHP Warning:  array_key_first() expects parameter 1 to be array, null given in /usr/local/www/status_ipsec.php on line 345
[26-Apr-2022 16:29:22 America/New_York] PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /usr/local/www/status_ipsec.php on line 347

No FreeBSD crash data found.

Files

liveIPSec.png (212 KB) Georgiy Tyutyunnik, 04/29/2022 08:32 AM

Related issues

Related to Bug #6624: changes in IPsec config should down the connection (Confirmed, Jim Pingle, 07/18/2016)

Actions #1

Updated by Viktor Gurov 2 months ago

  • Project changed from pfSense Plus to pfSense
  • Category changed from IPsec to IPsec
  • Status changed from New to Confirmed
  • Release Notes changed from Default to Force Exclusion
  • Affected Version set to 2.7.0
Actions #2

Updated by Viktor Gurov 2 months ago

  • Related to Bug #6624: changes in IPsec config should down the connection added
Actions #3

Updated by Viktor Gurov 2 months ago

  • Assignee set to Viktor Gurov
Actions #4

Updated by Jim Pingle 2 months ago

  • Status changed from Confirmed to Pull Request Review
  • Target version set to 2.7.0
  • Plus Target Version set to 22.05
Actions #5

Updated by Viktor Gurov 2 months ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions #6

Updated by Georgiy Tyutyunnik 2 months ago

tested on
22.05-DEVELOPMENT (amd64)
built on Fri Apr 22 06:22:18 UTC 2022
FreeBSD 12.3-STABLE

Bug reproduced, picture attached.
After the patch the IPSec tunnel is torn down correctly, no unusual behavior.

Actions #7

Updated by Viktor Gurov 2 months ago

  • Status changed from Feedback to Resolved
Actions #8

Updated by Jim Pingle about 1 month ago

  • Status changed from Resolved to New
  • Plus Target Version changed from 22.05 to 22.09

I had to back the change in d90552c59e51fb13c712b6a96a51ca2462424156 out for now. On systems with a lot of tunnels it was causing a pileup of swanctl processes any time that code path was triggered.

We can revisit it for the next release.

Actions #9

Updated by Jim Pingle about 1 month ago

  • Status changed from New to Feedback
Actions #10

Updated by Jim Pingle about 1 month ago

  • Status changed from Feedback to New
Actions #11

Updated by Jim Pingle about 14 hours ago

  • Plus Target Version changed from 22.09 to 22.11