Bug: empty IPsec status overview #634

Closed
8191 opened this issue Jan 10, 2016 · 10 comments
Labels
upstream Third party issue
@8191
Member

8191 commented Jan 10, 2016

I'm afraid that's a bug in vici and not in OPNsense itself:

The IPsec: Status Overview is empty, even though there are several tunnels established (ipsec status shows several SAs). The error can be traced down to /usr/local/opnsense/scripts/ipsec/list_status.py not executing successfully:

# /usr/local/opnsense/scripts/ipsec/list_status.py
Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/ipsec/list_status.py", line 73, in <module>
    for sas in s.list_sas():
  File "/usr/local/opnsense/scripts/ipsec/vici/session.py", line 334, in streamed_request
    self._register_unregister(event_stream_type, False);
  File "/usr/local/opnsense/scripts/ipsec/vici/session.py", line 250, in _register_unregister
    confirm=Packet.EVENT_CONFIRM,
vici.exception.SessionException: Unexpected response type 53, expected '5' (EVENT_CONFIRM)

The response type is different after each execution. Even a very simplified vici call leads to the same exception, which is why I assume the bug lies somewhere in vici (or even strongSwan?):

>>> import vici
>>> s = vici.Session()
>>> sas = s.list_sas()
>>> sas.next()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "vici/session.py", line 334, in streamed_request
    self._register_unregister(event_stream_type, False);
  File "vici/session.py", line 250, in _register_unregister
    confirm=Packet.EVENT_CONFIRM,
vici.exception.SessionException: Unexpected response type 46, expected '5' (EVENT_CONFIRM)
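To make the two tracebacks concrete, the following is an added example (not code from this issue, OPNsense or the vici library) that implements vici's wire framing, a 4-byte big-endian length followed by a one-byte packet type, and the check a streamed request performs after registering for an event stream. Both input streams are constructed here, not captured from charon; the misframed one models a reader that has lost packet alignment, which is one way a byte like 53 (ASCII '5') or 46 (ASCII '.') ends up where a packet type is expected.

```python
import struct
from io import BytesIO

# strongSwan vici packet types; EVENT_CONFIRM = 5 is what the traceback expected.
PACKET_TYPES = {0: "CMD_REQUEST", 1: "CMD_RESPONSE", 2: "CMD_UNKNOWN",
                3: "EVENT_REGISTER", 4: "EVENT_UNREGISTER", 5: "EVENT_CONFIRM",
                6: "EVENT_UNKNOWN", 7: "EVENT"}

class SessionError(Exception):
    """Modelled on vici.exception.SessionException; keeps the offending type byte."""
    def __init__(self, ptype, expected):
        super().__init__("Unexpected response type %d, expected %d (%s)"
                         % (ptype, expected, PACKET_TYPES[expected]))
        self.ptype = ptype

def encode_packet(ptype, payload=b""):
    """Frame a packet: 4-byte big-endian length (excluding itself), type byte, payload."""
    body = bytes([ptype]) + payload
    return struct.pack("!I", len(body)) + body

def read_packet(stream):
    """Read one framed packet from a file-like object; return (type_byte, payload)."""
    header = stream.read(4)
    if len(header) < 4:
        raise EOFError("short read on length header")
    (length,) = struct.unpack("!I", header)
    body = stream.read(length)
    if length == 0 or len(body) < length:
        raise EOFError("truncated packet body")
    return body[0], body[1:]

def expect(stream, expected):
    """The check a streamed request performs: the next packet must be of type `expected`."""
    ptype, payload = read_packet(stream)
    if ptype != expected:
        # A type byte outside 0..7 means the reader is off a packet boundary: 53 is ASCII '5'.
        raise SessionError(ptype, expected)
    return PACKET_TYPES[ptype], payload

# Constructed (not captured): a real EVENT_CONFIRM, and leftover response text misread as a frame.
IN_SYNC = encode_packet(5)
MISFRAMED = struct.pack("!I", 7) + b"5.ipsec"

def demo():
    # Returns (type name in the healthy case, offending type byte in the desynchronised case).
    ok_type, _ = expect(BytesIO(IN_SYNC), 5)
    try:
        expect(BytesIO(MISFRAMED), 5)
        return ok_type, None
    except SessionError as err:
        return ok_type, err.ptype
```

Running demo() yields ("EVENT_CONFIRM", 53): the same packet-type check passes on a well-framed stream and fails with the issue's error text once the reader is consuming message content as a header.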
@fichtner
Member

Probably this? That wasn't pushed to FreeBSD ports... pfsense/FreeBSD-ports@a7cec01

@8191
Member Author

8191 commented Jan 10, 2016

Cannot really confirm nor reject this... The strongSwan issue does not really reveal much about how the deadlock exposes itself to the user. Any indication why you assume the deadlock might be related to that problem?

Without looking too deep into the strongSwan code, wouldn't the error also show up when using ipsec status, if the referred deadlock was the issue?

@fichtner
Member

Similarities between *sense, timing and vici scope match and complexity not unlike your test setup: "I’m able to induce a deadlock condition in the charon daemon’s vici implementation with good repeatability using an eight-host full mesh test" vs. several tunnels.

@fichtner
Member

The deadlock may yield an error or timeout resulting in no data to be gathered. Check your system log for configd errors or timeouts?

@fichtner fichtner added the bug Production bug label Jan 10, 2016
@fichtner fichtner added this to the 16.1 milestone Jan 10, 2016
@8191
Member Author

8191 commented Jan 13, 2016

Just found these errors in my ipsec logs while the error was present; might be related?

Jan 13 13:50:59 charon: 10[CFG] vici connection 6 unknown
Jan 13 13:50:59 charon: 10[CFG] vici connection 6 unknown
Jan 13 13:50:59 charon: 07[CFG] vici write error: Broken pipe
Jan 13 13:50:59 charon: 10[KNL] unable to query SAD entry with SPI c74cb422: No such file or directory (2)
Jan 13 13:50:59 charon: 10[KNL] unable to query SAD entry with SPI c7104cdf: No such file or directory (2)
Jan 13 13:50:59 charon: 10[KNL] unable to query SAD entry with SPI c9874632: No such file or directory (2)
Jan 13 13:50:59 charon: 10[KNL] unable to query SAD entry with SPI ce4aff68: No such file or directory (2)
Jan 13 13:50:59 charon: 10[KNL] unable to query SAD entry with SPI cd6da6a8: No such file or directory (2)
Jan 13 13:50:59 charon: 10[KNL] unable to query SAD entry with SPI ccb4ab5d: No such file or directory (2)
Jan 13 13:50:59 charon: 10[KNL] unable to query SAD entry with SPI c3324b8c: No such file or directory (2)
Jan 13 13:50:59 charon: 10[KNL] unable to query SAD entry with SPI c9199e22: No such file or directory (2)
Jan 13 13:50:59 charon: 10[KNL] unable to query SAD entry with SPI c6fcbc3b: No such file or directory (2)

@fichtner fichtner removed this from the 16.1 milestone Feb 4, 2016
@fichtner fichtner added upstream Third party issue and removed bug Production bug labels Feb 16, 2016
@fichtner fichtner added this to the Future milestone Feb 16, 2016
@fichtner fichtner self-assigned this Feb 16, 2016
@fichtner
Member

There is a new patch available on a branch in the upstream repo... https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/1185-vici-action-unlock

@fichtner fichtner modified the milestones: 16.7, Future Feb 26, 2016
@andreasvel

It's still there...
I got it in
OPNsense 16.1.4-amd64
FreeBSD 10.2-RELEASE-p12
OpenSSL 1.0.2f 28 Jan 2016

Nothing special in my IPsec log.

@fichtner
Member

Yes, there has been no strongswan release yet.

@jschellevis
Member

It seems the patch mentioned by Franco was just merged, so the next release of strongSwan should fix it.

@fichtner
Member

16.1.9 will ship the new strongSwan 5.4.0 with said patches... ports commit here: opnsense/ports@63de190
