> Let me know if a similar problem was reported in vnet/ipsec.

I am not aware of anything specific to that. This really looks like your IKE 
implementation failed to program the right SA from time to time: once it 
failed, it remains wrong until the next re-negotiation fixes it.
Did you check the SAs are correctly programmed when you see integrity failures?

Best
ben

> On Fri, 1 Apr 2022, 17:39 Vijay Kumar via lists.fd.io
> <vjkumar2003=gmail....@lists.fd.io> wrote:
> 
> 
>       Hi Neale/Benoit,
> 
>       In my product, we don't use the ikev2 plugin of vpp. We use another
> vendor's IKE stack (we just disabled the ikev2 vpp plugin register) which
> will do the signalling and install keys to the vpp ipsec (our application
> uses the ipsec_sa_add_and_lock() API to program the keys).
> 
>       We are using VPP 21.06.
> 
>       I am running continuous data. While I am seeing something like
> this: -
> 
>       There are no packet losses in the initial few rekeys. I see some
> packet loss after some 9-10 IPSEC rekeys. The packet loss is due to the
> failure counter "Integrity Check Failure", but it recovers when the next
> rekey happens and the traffic continues to pass successfully.
>       I had kept the IPSEC rekey time as 250s, so around 45min (approx 10
> rekeys were already completed) I saw this issue. Looks like the packets
> are fully dropped for 250s till the next rekey happens which is when the
> recovery will happen and traffic is restored.
> 
>       I performed the same test cases 2 more times and saw the same
> issue. This time I cannot recollect if it was around 9/10 rekey but
> definitely not in the first 4-5 rekeys.
> 
>       I am not sure if the issue is in VPP vnet/ipsec or in my IKE stack
> that is generating the keys and programming vnet/ipsec.
> 
>       Is it possible to run rekey with traffic for a longish time and let
> me know if VPP 21.06 is not having any issue? I know the request is tough
> but if you know of any such issue, is it good to take vnet/ipsec of 22.02?
> 
> 
>       Sorry for the big description
> 
> 
>       Regards,
>       Vijay
> 
> 
> 
