Hi Benoit,

Thanks for your response.

I haven't checked the keys yet. Just wanted to ask you if there was
anything this reported.
This week, I am planning to dump keys at the problem time on both vpp side
(especially on the IKE application that is programming the keys) and
strongSwan side and check if the local-remote key pair matches.

Doing this, I am sure we will get closer to root cause.



Regards,
Vijay

On Mon, 4 Apr 2022, 14:10 Benoit Ganne (bganne), <bga...@cisco.com> wrote:

> > Let me know if a similar problem was reported in vnet/ipsec.
>
> I am not aware of anything specific to that. This really looks like your
> ike implementation failed to program the right SA from time to time: once
> it failed, it remains wrong until the next re-negotiation fixes it.
> Did you check the SAs are correctly programmed when you see integrity
> failures?
>
> Best
> ben
>
> > On Fri, 1 Apr 2022, 17:39 Vijay Kumar via lists.fd.io,
> > <vjkumar2003=gmail....@lists.fd.io> wrote:
> >
> >
> >       Hi Neale/Benoit,
> >
> >       In my product, we don't use the ikev2 plugin of vpp. We use another
> > vendor's IKE stack (we just disabled the ikev2 vpp plugin register) which
> > will do the signalling and install keys to the vpp ipsec (our application
> > uses the ipsec_sa_add_and_lock() API to program the keys).
> >
> >       We are using VPP 21.06.
> >
> >       I am running continuous data. While I am seeing something like
> > this: -
> >
> >       There are no packet losses in the initial few rekeys. I see some
> > packet loss after some 9-10 IPSEC rekeys. The packet loss is due to the
> > failure counter "Integrity Check Failure", but it recovers when the next
> > rekey happens and the traffic continues to pass successfully.
> >       I had kept the IPSEC rekey time as 250s, so around 45min (approx 10
> > rekeys were already completed) I saw this issue. Looks like the packets
> > are fully dropped for 250s till the next rekey happens which is when the
> > recovery will happen and traffic is restored.
> >
> >       I performed the same test cases 2 more times and saw the same
> > issue. This time I cannot recollect if it was around 9/10 rekey but
> > definitely not in the first 4-5 rekeys.
> >
> >       I am not sure if the issue is in VPP vnet/ipsec or in my IKE stack
> > that is generating the keys and programming vnet/ipsec.
> >
> >       Is it possible to run rekey with traffic for a longish time and let
> > me know if VPP 21.06 is not having any issue. I know the request is tough
> > but if you know of any such issue, is it good to take vnet/ipsec of
> > 22.02?
> >
> >
> >       Sorry for the big description
> >
> >
> >       Regards,
> >       Vijay
> >
> >
> >
>
>
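The check discussed in this thread (whether the SAs programmed on the VPP side carry the same keys as the peer's for each SPI) can be scripted once both dumps are in a common form. The following is an added example, not code from the thread, VPP or strongSwan; the one-line-per-SA format and all sample values are constructed assumptions, and real dumps from either side must be converted into it first.

```python
import hashlib
import hmac

# Constructed sample dumps in an assumed normalized form, one SA per line:
#   spi,direction,integ_key_hex,crypto_key_hex
# Neither VPP nor strongSwan prints this format; convert their dumps into it first.
VPP_DUMP = """\
c1000001,in,aa11aa11aa11aa11,0102030405060708
c2000001,out,bb22bb22bb22bb22,1112131415161718
c1000002,in,cc33cc33cc33cc33,2122232425262728
"""
PEER_DUMP = """\
c1000001,out,aa11aa11aa11aa11,0102030405060708
c2000001,in,bb22bb22bb22bb22,1112131415161718
c1000002,out,cc33cc33cc33cc34,2122232425262728
"""

def parse(dump):
    """Return {spi: (direction, integ_key, crypto_key)} with keys as bytes."""
    sas = {}
    for line in dump.splitlines():
        if not line.strip():
            continue
        spi, direction, integ, crypto = [f.strip() for f in line.split(",")]
        sas[int(spi, 16)] = (direction, bytes.fromhex(integ), bytes.fromhex(crypto))
    return sas

def fingerprint(key):
    """Short SHA-256 prefix so reports never contain raw key material."""
    return hashlib.sha256(key).hexdigest()[:12]

def compare(local_dump, peer_dump):
    """List (spi_hex, problem) for every SA that does not pair up across the two ends."""
    local, peer = parse(local_dump), parse(peer_dump)
    problems = []
    for spi in sorted(set(local) | set(peer)):
        if spi not in local or spi not in peer:
            side = "local" if spi not in local else "peer"
            problems.append((f"{spi:08x}", "missing on " + side))
            continue
        (ldir, linteg, lcrypto), (pdir, pinteg, pcrypto) = local[spi], peer[spi]
        if ldir == pdir:  # inbound on one end must be outbound on the other
            problems.append((f"{spi:08x}", "same direction on both ends"))
        if not hmac.compare_digest(linteg, pinteg):
            detail = f"{fingerprint(linteg)} vs {fingerprint(pinteg)}"
            problems.append((f"{spi:08x}", "integ key differs " + detail))
        if not hmac.compare_digest(lcrypto, pcrypto):
            problems.append((f"{spi:08x}", "crypto key differs"))
    return problems
```

Calling `compare(VPP_DUMP, PEER_DUMP)` on the constructed samples reports only SPI `c1000002`, whose integrity key differs by one byte between the two ends.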