Hi Neale/Benoit, In my product, we don't use the ikev2 plugin of vpp. We use another vendor's IKE stack (we just disabled the ikev2 vpp plugin register) which will do the signalling and install keys to the vpp ipsec (our application uses the ipsec_sa_add_and_lock() API to program the keys.
We are using VPP 21.06. I am running continuous data. While I am seeing something like this: - There are no packet losses in the initial few rekeys. I see some packet loss after some 9-10 IPSEC rekeys. The packet loss is due to the failure counter "Integrity Check Failure", but it recovers when the next rekey happens and the traffic continues to pass successfully. I had kept the IPSEC rekey time as 250s, so around 45min (approx 10 rekeys were already completed) I saw this issue. Looks like the packets are fully dropped for 250s till the next rekey happens which is when the recovery will happen and traffic is restored. I performed the same test cases 2 more times and saw the same issue. This time I cannot recollect if it was around 9/10 rekey but definitely not in the first 4-5 rekeys. I am not sure if the issue is in VPP vne/ipsec or in my IKE stack that is generating the keys and programming vnet/ipsec. Is it possible to run rekey with traffic for a longish time and let me know if VPP 21.06 is not having any issue. I know the request is tough but if you know of any such issue, is it good to take vnet/ipsec of 22.02? Sorry for the big description Regards, Vijay
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#21180): https://lists.fd.io/g/vpp-dev/message/21180 Mute This Topic: https://lists.fd.io/mt/90176090/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
