Skip to content

Cross-nodes connectivity issues with IPsec on upgrades #24780

New issue
New issue
Closed
#24773
Closed
Cross-nodes connectivity issues with IPsec on upgrades#24780
#24773
Assignees
pchaigno
Labels
affects/v1.11This issue affects v1.11 branchaffects/v1.12This issue affects v1.12 branchaffects/v1.13This issue affects v1.13 brancharea/encryptionImpacts encryption support such as IPSec, WireGuard, or kTLS.kind/bugThis is a bug in the Cilium logic.upgrade-impactThis PR has potential upgrade or downgrade impact.
@pchaigno

Description

@pchaigno
pchaigno
opened on Apr 6, 2023

When upgrading to 1.11.15, 1.12.8, or 1.13.1 with IPsec enabled, cross-node connectivity fails completely. New cluster installations on those versions are okay. This issue happens because stale Linux XFRM states and policies are left behind and they conflict with the new states and policies we install on those versions.

Mitigation

The best is obviously to wait for the fix before upgrading. If that is not possible or if the migration already happened, there are three solutions:

  1. Restart or replace the nodes such that new nodes with a clean state are used.
  2. Manually clean the XFRM states and policies on all nodes with ip x s flush && ip x p flush from Cilium agent pods.
  3. Disable IPsec.

Metadata

Metadata

Assignees

Labels

affects/v1.11This issue affects v1.11 branchaffects/v1.12This issue affects v1.12 branchaffects/v1.13This issue affects v1.13 brancharea/encryptionImpacts encryption support such as IPSec, WireGuard, or kTLS.kind/bugThis is a bug in the Cilium logic.upgrade-impactThis PR has potential upgrade or downgrade impact.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions