Project

General

Profile

Actions

Bug #14738

closed

IPsec restart in CARP event scripts does not check VIP properly and never runs

Added by Jim Pingle 8 months ago. Updated 6 months ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
CARP
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.09
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

The IPsec interface VIP check in rc.carpmaster and rc.carpbackup is not checking the VIP presence properly and thus can never trigger.

To me, I have a fix ready and tested.

Actions #1

Updated by Jim Pingle 8 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #2

Updated by Georgiy Tyutyunnik 7 months ago

Reproduced the issue on
23.05.1-RELEASE (amd64)
built on Wed Jun 28 03:57:27 UTC 2023
FreeBSD 14.0-CURRENT

IPSec correctly initiates if I source the same IPSec tunnel from any VIP type other than CARP.
patch didn't fix the IPSec issue in my setup unfortunately

Actions #3

Updated by Jim Pingle 7 months ago

Georgiy Tyutyunnik wrote in #note-2:

Reproduced the issue on
23.05.1-RELEASE (amd64)
built on Wed Jun 28 03:57:27 UTC 2023
FreeBSD 14.0-CURRENT

IPSec correctly initiates if I source the same IPSec tunnel from any VIP type other than CARP.
patch didn't fix the IPSec issue in my setup unfortunately

That may not be an accurate test of this fix. When using a CARP VIP, check the IPsec configuration while in master and backup states. If the config is different (e.g. when in backup mode it is responder only, but not when it's in master mode), then this patch is doing all it can.

It can still take several minutes for an IPsec failover to occur no matter what the settings are, depending on DPD timing and so on.

Actions #4

Updated by Georgiy Tyutyunnik 7 months ago

I stand corrected after my config's review - patch is working

Actions #5

Updated by Jim Pingle 7 months ago

  • Status changed from Feedback to Resolved
Actions #6

Updated by Jim Pingle 6 months ago

  • Target version changed from 2.8.0 to 2.7.1
Actions

Also available in: Atom PDF