
IPv6 + IPsec: removing SAs breaks the esxcli API


I am facing a problem on 6.0.0 and 6.7.0 ESXi hosts: adding a new SA + SP, then deleting them, leaves the system broken. I haven't tried rebooting, but nothing seems to recover to the point where I could execute the "esxcli network ip ipsec sa list" command again.

It returns: Failed to add SPD Config: Unable to get SAD info for ID : **LOCALIPV6ADDR***-**REMOTEIPV6ADDR**-1-**SASPINUM** Unable to complete Sysinfo operation.  Please see the VMkernel log file for more details.: Sysinfo error: Not foundSee VMkernel log for details.

Here the IPv6 addresses and the SA SPI number are references to the deleted SA.

There is nothing in the log (esxcli.log) except this error message.

I can create new SAs, but cannot add an SP, because it somehow calls the same list command internally to find the SA by name. And since that is broken, nothing works any more.

Is there a way similar to Linux's setkey flush and spdflush?

Or any other way to reconfigure the SA+SPs?

Maybe even some magic manhandling of some database to remove the offensive entry?

This must make it extremely difficult to rotate keys from time to time.

Otherwise I think it will take a hypervisor reboot to see.
