Project

General

Profile

Actions
Copy link

Bug #13102

open

Deleting an IPSec tunnel doesn't destroy the SA (SADs/SPDs), causes crash in status_ipsec.php

Added by → luckman212 over 2 years ago. Updated about 1 month ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
CE-Next
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
25.01
Release Notes:
Force Exclusion
Affected Version:
2.7.0
Affected Architecture:

Description

  • Running 22.05.a.20220426.1313 on a Netgate 6100
  • Not sure if this is a regression in 22.05 or an old bug.

Today I deleted an IKEv2 P1 (legacy, not VTI) that was active. I expected this to tear down the tunnel. It did not, so when I went to Status -> IPsec, I saw that there was still an active connection and SAs showing there. I believe at some point one of the scripts on that page (or the dashboard IPsec widget) caused this crash in PHP:

Crash report begins.  Anonymous machine information:

amd64
12.3-STABLE
FreeBSD 12.3-STABLE plus-devel-12-n202664-041fc0bc0fd pfSense

Crash report details:

PHP Errors:
[26-Apr-2022 16:29:11 America/New_York] PHP Warning:  array_key_first() expects parameter 1 to be array, null given in /usr/local/www/status_ipsec.php on line 345
[26-Apr-2022 16:29:11 America/New_York] PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /usr/local/www/status_ipsec.php on line 347
[26-Apr-2022 16:29:16 America/New_York] PHP Warning:  array_key_first() expects parameter 1 to be array, null given in /usr/local/www/status_ipsec.php on line 345
[26-Apr-2022 16:29:16 America/New_York] PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /usr/local/www/status_ipsec.php on line 347
[26-Apr-2022 16:29:22 America/New_York] PHP Warning:  array_key_first() expects parameter 1 to be array, null given in /usr/local/www/status_ipsec.php on line 345
[26-Apr-2022 16:29:22 America/New_York] PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /usr/local/www/status_ipsec.php on line 347
[26-Apr-2022 16:29:22 America/New_York] PHP Warning:  array_key_first() expects parameter 1 to be array, null given in /usr/local/www/status_ipsec.php on line 345
[26-Apr-2022 16:29:22 America/New_York] PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /usr/local/www/status_ipsec.php on line 347

No FreeBSD crash data found.

Files

liveIPSec.png (212 KB) liveIPSec.png Georgiy Tyutyunnik, 04/29/2022 08:32 AM

Related issues

Related to Bug #6624: changes in IPsec config should down the connectionConfirmedJim Pingle07/18/2016

Actions
Actions
Copy link
 #1

Updated by Viktor Gurov over 2 years ago

  • Project changed from pfSense Plus to pfSense
  • Category changed from IPsec to IPsec
  • Status changed from New to Confirmed
  • Release Notes changed from Default to Force Exclusion
  • Affected Version set to 2.7.0
Actions
Copy link
 #2

Updated by Viktor Gurov over 2 years ago

  • Related to Bug #6624: changes in IPsec config should down the connection added
Actions
Copy link
 #3

Updated by Viktor Gurov over 2 years ago

  • Assignee set to Viktor Gurov
Actions
Copy link
 #4

Updated by Jim Pingle over 2 years ago

  • Status changed from Confirmed to Pull Request Review
  • Target version set to 2.7.0
  • Plus Target Version set to 22.05
Actions
Copy link
 #5

Updated by Viktor Gurov over 2 years ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions
Copy link
 #6

Updated by Georgiy Tyutyunnik over 2 years ago

tested on
22.05-DEVELOPMENT (amd64)
built on Fri Apr 22 06:22:18 UTC 2022
FreeBSD 12.3-STABLE

bug reproduced, picture attached.
After the patch IPSec tunnel is teared down correctly, no unusual behavior

Actions
Copy link
 #7

Updated by Viktor Gurov over 2 years ago

  • Status changed from Feedback to Resolved
Actions
Copy link
 #8

Updated by Jim Pingle over 2 years ago

  • Status changed from Resolved to New
  • Plus Target Version changed from 22.05 to 22.09

I had to back the change in d90552c59e51fb13c712b6a96a51ca2462424156 out for now. On systems with a lot of tunnels it was causing a pileup of swanctl processes any time that code path was triggered.

We can revisit it for the next release.

Actions
Copy link
 #9

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Feedback
Actions
Copy link
 #10

Updated by Jim Pingle over 2 years ago

  • Status changed from Feedback to New
Actions
Copy link
 #11

Updated by Jim Pingle over 2 years ago

  • Plus Target Version changed from 22.09 to 22.11
Actions
Copy link
 #12

Updated by Jim Pingle about 2 years ago

  • Plus Target Version changed from 22.11 to 23.01
Actions
Copy link
 #13

Updated by Jim Pingle about 2 years ago

  • Assignee deleted (Viktor Gurov)
Actions
Copy link
 #14

Updated by Jim Pingle about 2 years ago

  • Plus Target Version changed from 23.01 to 23.05

Can move this forward, previous attempts were too disruptive to risk given all the other changes going on for the 23.01 release already.

Actions
Copy link
 #15

Updated by Jim Pingle over 1 year ago

  • Plus Target Version changed from 23.05 to 23.09
Actions
Copy link
 #16

Updated by Jim Pingle over 1 year ago

  • Target version changed from 2.7.0 to CE-Next
Actions
Copy link
 #17

Updated by Jim Pingle about 1 year ago

  • Plus Target Version changed from 23.09 to 24.01
Actions
Copy link
 #18

Updated by Jim Pingle about 1 year ago

  • Plus Target Version changed from 24.01 to 24.03
Actions
Copy link
 #19

Updated by Jim Pingle 9 months ago

  • Plus Target Version changed from 24.03 to 24.07
Actions
Copy link
 #20

Updated by Jim Pingle 6 months ago

  • Plus Target Version changed from 24.07 to 24.08
Actions
Copy link
 #21

Updated by Jim Pingle about 2 months ago

  • Plus Target Version changed from 24.08 to 24.11
Actions
Copy link
 #22

Updated by Jim Pingle about 1 month ago

  • Plus Target Version changed from 24.11 to 25.01
Actions
Copy link

Also available in: Atom PDF