docs/ipsec: Extend troubleshooting for long key rotations

This is documentation for the flag introduced in b7ecd90 ("ipsec, option: Make the IPsec key rotation delay configurable") and the problem it addresses. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
cilium · Jul 27, 2023 · 2951c86 · 2951c86
1 parent 8a811cb
commit 2951c86
Showing 1 changed file with 13 additions and 3 deletions.
diff --git a/Documentation/security/network/encryption-ipsec.rst b/Documentation/security/network/encryption-ipsec.rst
@@ -211,15 +211,25 @@ Troubleshooting
 
  * All XFRM errors correspond to a packet drop in the kernel. Except for
    ``XfrmFwdHdrError`` and ``XfrmInError``, all XFRM errors indicate a bug in
-   Cilium or an operational mistake. ``XfrmOutStateSeqError`` and
-   ``XfrmInStateProtoError`` may be caused by operational mistakes, as detailed
-   in the following points.
+   Cilium or an operational mistake. ``XfrmOutStateSeqError``,
+   ``XfrmInStateProtoError``, and ``XfrmInNoStates`` may be caused by
+   operational mistakes, as detailed in the following points.
 
  * If the sequence number reaches its maximum value for any XFRM OUT state, it
    will result in packet drops and XFRM errors of type
    ``XfrmOutStateSeqError``. A key rotation resets all sequence numbers.
    Rotate keys frequently to avoid this issue.
 
+ * After a key rotation, if the old key is cleaned up before the
+   configuration of the new key is installed on all nodes, it results in
+   ``XfrmInNoStates`` errors. The old key is removed from nodes after a default
+   interval of 5 minutes by default. By default, all agents watch for key
+   updates and update their configuration within 1 minute after the key is
+   changed, leaving plenty of time before the old key is removed. If you expect
+   the key rotation to take longer for some reason (for example, in the case of
+   Cluster Mesh if several clusters need to be updated), you can increase the
+   delay before cleanup with agent flag ``ipsec-key-rotation-duration``.
+
  * ``XfrmInStateProtoError`` errors can happen if the key is updated without
    incrementing the SPI (also called ``KEYID`` in :ref:`ipsec_key_rotation`
    instructions above). It can be fixed by performing a new key rotation,