diff options
| author |   Denys Haryachyy <garyachy@users.noreply.github.com> | 2023-07-12 17:32:55 +0300 |
|---|---|---|
| committer |   Beno�t Ganne <bganne@cisco.com> | 2023-07-27 07:45:01 +0000 |
| commit | 2652867480a185ccdeccf9ca9210a1213b82cf26 (patch) | |
| tree | 6c629448804ce1381f57896dec0b995b3dca7e81 /src/plugins/ikev2/ikev2.c | |
| parent | 0eff4e722c8565aebf8f004a30c73a64b0b921e4 (diff) | |
ikev2: cleanup stuck sessions
The following issues are fixed:
* in responder code: do lookup again as the old pointer could be
invalidated during the cleanup operation
* in initiar code: do the cleanup of session if there're no child SAs or
if there's no response from the responder during initial request (this
can easily happen if the response packet was lost/dropped/etc)
* print the state of ikev2 profile (for easier tshooting)
Type: fix
Change-Id: I853d9851c0cf131696585e3c98fa97e66789badd
Signed-off-by: Stanislav Zaikin <stanislav.zaikin@46labs.com>
Diffstat (limited to 'src/plugins/ikev2/ikev2.c')
| -rw-r--r-- | src/plugins/ikev2/ikev2.c | 36 |
1 files changed, 21 insertions, 15 deletions
diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c index f0eaa7a4355..3e808736078 100644 --- a/src/plugins/ikev2/ikev2.c +++ b/src/plugins/ikev2/ikev2.c @@ -3269,6 +3269,8 @@ ikev2_node_internal (vlib_main_t *vm, vlib_node_runtime_t *node, if (sa0->state == IKEV2_STATE_AUTHENTICATED) { ikev2_initial_contact_cleanup (ptd, sa0); + p = hash_get (ptd->sa_by_rspi, + clib_net_to_host_u64 (ike0->rspi)); ikev2_sa_match_ts (sa0); if (sa0->state != IKEV2_STATE_TS_UNACCEPTABLE) ikev2_create_tunnel_interface (vm, sa0, &sa0->childs[0], @@ -5334,24 +5336,28 @@ ikev2_mngr_process_fn (vlib_main_t * vm, vlib_node_runtime_t * rt, ikev2_child_sa_t *c; u8 del_old_ids = 0; - if (sa->state != IKEV2_STATE_AUTHENTICATED) - continue; + if (sa->state == IKEV2_STATE_SA_INIT) + { + if (vec_len (sa->childs) > 0) + vec_add1 (to_be_deleted, sa - tkm->sas); + } + else if (sa->state != IKEV2_STATE_AUTHENTICATED) + continue; - if (sa->old_remote_id_present && 0 > sa->old_id_expiration) - { - sa->old_remote_id_present = 0; - del_old_ids = 1; - } - else - sa->old_id_expiration -= 1; + if (sa->old_remote_id_present && 0 > sa->old_id_expiration) + { + sa->old_remote_id_present = 0; + del_old_ids = 1; + } + else + sa->old_id_expiration -= 1; - vec_foreach (c, sa->childs) - ikev2_mngr_process_child_sa(sa, c, del_old_ids); + vec_foreach (c, sa->childs) + ikev2_mngr_process_child_sa (sa, c, del_old_ids); - if (!km->dpd_disabled && ikev2_mngr_process_responder_sas (sa)) - vec_add1 (to_be_deleted, sa - tkm->sas); - } - /* *INDENT-ON* */ + if (!km->dpd_disabled && ikev2_mngr_process_responder_sas (sa)) + vec_add1 (to_be_deleted, sa - tkm->sas); + } vec_foreach (sai, to_be_deleted) { |