Bug #13102

open

Deleting an IPSec tunnel doesn't destroy the SA (SADs/SPDs), causes crash in status_ipsec.php

Added by luckman212 almost 2 years ago. Updated 24 days ago.

Status: New
Priority: Normal
Assignee: -
Category: IPsec
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 24.07
Release Notes: Force Exclusion
Affected Version: 2.7.0
Affected Architecture:

Description

  • Running 22.05.a.20220426.1313 on a Netgate 6100
  • Not sure if this is a regression in 22.05 or an old bug.

Today I deleted an IKEv2 P1 (legacy, not VTI) that was active. I expected this to tear down the tunnel. It did not, so when I went to Status -> IPsec, I saw that there was still an active connection and SAs showing there. I believe at some point one of the scripts on that page (or the dashboard IPsec widget) caused this crash in PHP:

Crash report begins.  Anonymous machine information:

amd64
12.3-STABLE
FreeBSD 12.3-STABLE plus-devel-12-n202664-041fc0bc0fd pfSense

Crash report details:

PHP Errors:
[26-Apr-2022 16:29:11 America/New_York] PHP Warning:  array_key_first() expects parameter 1 to be array, null given in /usr/local/www/status_ipsec.php on line 345
[26-Apr-2022 16:29:11 America/New_York] PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /usr/local/www/status_ipsec.php on line 347
[26-Apr-2022 16:29:16 America/New_York] PHP Warning:  array_key_first() expects parameter 1 to be array, null given in /usr/local/www/status_ipsec.php on line 345
[26-Apr-2022 16:29:16 America/New_York] PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /usr/local/www/status_ipsec.php on line 347
[26-Apr-2022 16:29:22 America/New_York] PHP Warning:  array_key_first() expects parameter 1 to be array, null given in /usr/local/www/status_ipsec.php on line 345
[26-Apr-2022 16:29:22 America/New_York] PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /usr/local/www/status_ipsec.php on line 347
[26-Apr-2022 16:29:22 America/New_York] PHP Warning:  array_key_first() expects parameter 1 to be array, null given in /usr/local/www/status_ipsec.php on line 345
[26-Apr-2022 16:29:22 America/New_York] PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /usr/local/www/status_ipsec.php on line 347

No FreeBSD crash data found.
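
A check for the condition this report describes, IKE SAs that outlive their deleted configuration, as an added example (not part of the original report or of pfSense code): it compares the connection names in `swanctl --list-sas` output with those in `swanctl --list-conns` output. The sample outputs are constructed, and the parsing assumes swanctl's default text layout, where each IKE SA or connection starts at column 0 as `name:`.

```sh
#!/bin/sh
# Added example. Live inputs would be the saved output of `swanctl --list-sas`
# and `swanctl --list-conns` (one call each); the samples below are constructed.

# Print the unindented "name:" prefixes (IKE SA / connection names), sorted.
conn_names() {
    awk '/^[^[:space:]][^:]*:/ { sub(/:.*/, ""); print }' | sort -u
}

# orphaned_sas <list-sas file> <list-conns file>
# Prints names that still have an IKE SA but no loaded connection.
orphaned_sas() {
    sas=$(mktemp) && conns=$(mktemp) || return 1
    conn_names < "$1" > "$sas"
    conn_names < "$2" > "$conns"
    comm -23 "$sas" "$conns"      # names present only in the SA list
    rm -f "$sas" "$conns"
}

sample_sas() {   # constructed: con1 was deleted from the config, con2 was not
cat <<'EOF'
con1: #3, ESTABLISHED, IKEv2, 1111111111111111_i 2222222222222222_r*
  local  '198.51.100.1' @ 198.51.100.1[500]
  remote '203.0.113.2' @ 203.0.113.2[500]
  con1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
con2: #4, ESTABLISHED, IKEv2, 3333333333333333_i 4444444444444444_r*
  local  '198.51.100.1' @ 198.51.100.1[500]
  remote '192.0.2.9' @ 192.0.2.9[500]
EOF
}

sample_conns() {   # constructed: only con2 remains configured
cat <<'EOF'
con2: IKEv2, no reauthentication, rekeying every 14400s
  local:  198.51.100.1
  remote: 192.0.2.9
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    sample_sas > "$d/sas"
    sample_conns > "$d/conns"
    orphaned_sas "$d/sas" "$d/conns"
    rm -rf "$d"
}

demo   # prints: con1
# A reported orphan can be cleared with: swanctl --terminate --ike <name>
```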

Files

liveIPSec.png (212 KB), Georgiy Tyutyunnik, 04/29/2022 08:32 AM

Related issues

Related to Bug #6624: changes in IPsec config should down the connection (Confirmed, Jim Pingle, 07/18/2016)

Actions #1

Updated by Viktor Gurov almost 2 years ago

  • Project changed from pfSense Plus to pfSense
  • Category changed from IPsec to IPsec
  • Status changed from New to Confirmed
  • Release Notes changed from Default to Force Exclusion
  • Affected Version set to 2.7.0
Actions #2

Updated by Viktor Gurov almost 2 years ago

  • Related to Bug #6624: changes in IPsec config should down the connection added
Actions #3

Updated by Viktor Gurov almost 2 years ago

  • Assignee set to Viktor Gurov
Actions #4

Updated by Jim Pingle almost 2 years ago

  • Status changed from Confirmed to Pull Request Review
  • Target version set to 2.7.0
  • Plus Target Version set to 22.05
Actions #5

Updated by Viktor Gurov almost 2 years ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions #6

Updated by Georgiy Tyutyunnik almost 2 years ago

tested on
22.05-DEVELOPMENT (amd64)
built on Fri Apr 22 06:22:18 UTC 2022
FreeBSD 12.3-STABLE

Bug reproduced, picture attached.
After the patch the IPSec tunnel is torn down correctly, no unusual behavior.

Actions #7

Updated by Viktor Gurov almost 2 years ago

  • Status changed from Feedback to Resolved
Actions #8

Updated by Jim Pingle almost 2 years ago

  • Status changed from Resolved to New
  • Plus Target Version changed from 22.05 to 22.09

I had to back the change in d90552c59e51fb13c712b6a96a51ca2462424156 out for now. On systems with a lot of tunnels it was causing a pileup of swanctl processes any time that code path was triggered.

We can revisit it for the next release.

Actions #9

Updated by Jim Pingle almost 2 years ago

  • Status changed from New to Feedback
Actions #10

Updated by Jim Pingle almost 2 years ago

  • Status changed from Feedback to New
Actions #11

Updated by Jim Pingle over 1 year ago

  • Plus Target Version changed from 22.09 to 22.11
Actions #12

Updated by Jim Pingle over 1 year ago

  • Plus Target Version changed from 22.11 to 23.01
Actions #13

Updated by Jim Pingle over 1 year ago

  • Assignee deleted (Viktor Gurov)
Actions #14

Updated by Jim Pingle over 1 year ago

  • Plus Target Version changed from 23.01 to 23.05

Can move this forward, previous attempts were too disruptive to risk given all the other changes going on for the 23.01 release already.

Actions #15

Updated by Jim Pingle 12 months ago

  • Plus Target Version changed from 23.05 to 23.09
Actions #16

Updated by Jim Pingle 10 months ago

  • Target version changed from 2.7.0 to CE-Next
Actions #17

Updated by Jim Pingle 7 months ago

  • Plus Target Version changed from 23.09 to 24.01
Actions #18

Updated by Jim Pingle 6 months ago

  • Plus Target Version changed from 24.01 to 24.03
Actions #19

Updated by Jim Pingle 24 days ago

  • Plus Target Version changed from 24.03 to 24.07