
66AK2E02: issue with PA2 add/delete esp entry

Part Number: 66AK2E02

Hi,

I am working on the K2E device's PA2 with SDK version 3.01.01.04. When I try to add and delete ESP entries in the PA LUT1_1 table with Pa_delHandle and Pa_addIp, neither Pa_addIp nor Pa_delHandle returns an error code.

I rekey IPsec every 20 seconds. While rekeying, I add a new ESP entry to LUT1_1 because the SPI changes, and then I delete the old one. After 256 rekeyings (that is, 256 adds and deletes), the IPsec packets with the new SPI cannot be redirected to the assigned queue or route. But when I receive packets that have the old SPI and IP address (for testing, to be sure whether we can delete the old SPI or not), they are directed to the related route or queue, so it means that we cannot delete the old entry with the old SPI and IP address. However, when a PA entry is deleted, the PA LLD does not return any error code.

How can I be sure whether PA entries are deleted or not using the PA LLD?

Could you help me solve this issue?

Thanks 

  • Hi,

    I've notified the RTOS team. Their feedback will be posted here.

    Best Regards,
    Yordan
  • Hi,

    We have updated the PA LLD to the latest SDK version (pdk_k2e_4_0_4). The problem still continues. Do you have feedback from the RTOS team?

    Thanks

  • Hi,

    It looks like you called Pa_addIp() and Pa_delHandle() multiple times, and they always return pa_OK? "I add new esp entry to lut11 because of changing spi then I delete old one"======> what are SPI and ESP? Every time you delete an entry and add a new one, what is the difference in the Pa_addIp() call each time? Are they with different IP addresses?

    After 256 loops, do you see any error code from the add and delete calls? If every time you got pa_OK, I assume that the functions did what they are supposed to do. Let's say from a fresh start you have an entry for IP address 1, then you delete it. And add IP address 2, then send packets with IP address 1, do you receive them? Or is the issue only seen after 256 loops? Do you have a simple CCS project showing this problem, and do you have to receive packets with 256 different IP addresses to show this?

    Regards, Eric
  • Hi,
    I have established an IPsec tunnel between a security gateway and my K2E device. I use IKEv2 for key management. IKEv2 changes the IPsec tunnel's keys periodically. When IKEv2 changes the IPsec keys, the SPIs of the ESP packets passing through the IPsec tunnel change. Therefore I must delete the old PA entry (which includes the old ESP SPI) and add a new ESP SPI entry to the PA LUT1_1 table. When I add a new entry, only the SPI changes; the IP address does not change.

    I add an entry with IP address1 and SPI1, then I add another entry with IP address1 and SPI2, and then I delete the entry which has IP address1 and SPI1. When IKEv2 changes the IPsec tunnel's key, I add an entry with IP address1 and SPI3, then delete the entry which has IP address1 and SPI2. PA directs packets to the SA's queue if the add and delete count is not more than 256.

    Before and after 256 add and delete calls, the LLD did not return any error code. Before 256 add and delete calls, ESP packets were successfully routed to the SA's queue, but after 256 add and delete calls, ESP packets (which have the latest SPI, like SPI257) are not directed to the SA's queue.

    When I send an ESP packet with an old SPI (which I removed by using Pa_delHandle() without any error code) to the K2E device, the packet is directed to the SA's queue. So it means that I cannot delete entries from PA's LUT1_1 table, but I can add entries to PA's LUT1_1 table until it is completely filled.
  • Hi,

    Thanks for the explanation! From "so, it means that I cannot delete entries from PA's LUT1_1 table but I can add entries to PA's LUT1_1 table until it is completely filled."=====> Without doing all 256 add-then-delete cycles,

    • if you first add with IP address1 and SPI1
    • then i add an other entry with IP address1 and SPI2
    • and then i delete the entry which have IP address1 and SPI1.

    At this stage, can you send an ESP packet with IP address 1 and SPI 1 (which I removed by using Pa_delHandle() without any error code) to the K2E device; will this be delivered to the SA queue? If delivered, that means the previous deletion didn't remove the entry at all. If not delivered to the SA, then that means the old entry was deleted.

    Regards, Eric
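As an added off-target check (not TI's code and not posted in this thread), the rekey loop from the question with the stale-SPI probe from the last reply folded in, written against three hook functions that on the K2E would wrap Pa_addIp(), Pa_delHandle() and a packet send followed by a look at the SA queue; the in-memory table, its 256-entry size and the 10.0.0.1 address are constructed assumptions used only so the loop can run here:

```c
#include <stdint.h>
#include <string.h>
/* Backend hooks; on the target these would wrap Pa_addIp()/Pa_delHandle() and a
 * packet send followed by a check of the SA queue. add/del return 0 on success. */
typedef struct {
    int (*add)(uint32_t ip, uint32_t spi, int *handle);
    int (*del)(int handle);
    int (*probe)(uint32_t ip, uint32_t spi); /* 1 = packet reached the SA queue */
} lut_ops_t;
/* Rekey loop: add new SPI, delete old, probe both. *stale_at gets the first rekey
 * at which the deleted SPI still reaches the SA queue (-1 if never); returns the first
 * rekey at which the new SPI is not delivered (-1 if never, -2 if the LLD erred). */
int run_rekeys(const lut_ops_t *o, uint32_t ip, int rekeys, int *stale_at) {
    int old, cur = -1; *stale_at = -1;
    if (o->add(ip, 1, &old)) return -2;
    for (int n = 1; n <= rekeys; n++, old = cur) {
        uint32_t spi = (uint32_t)n + 1;
        if (o->add(ip, spi, &cur) || o->del(old)) return -2;
        if (*stale_at < 0 && o->probe(ip, spi - 1)) *stale_at = n;
        if (!o->probe(ip, spi)) return n;
    }
    return -1;
}
/* Constructed in-memory stand-in for LUT1_1 so the loop runs off-target. The
 * 256-entry size is an assumption chosen to mirror the reported symptom. */
#define FAKE_LUT_SIZE 256
static struct { uint32_t ip, spi; int used; } fake[FAKE_LUT_SIZE];
static int fake_delete_works, last_stale; /* 0 = stale-entry mode; stale_at of last run */
static int fake_add(uint32_t ip, uint32_t spi, int *h) {
    *h = -1;
    for (int i = 0; i < FAKE_LUT_SIZE && *h < 0; i++)
        if (!fake[i].used) { fake[i].ip = ip; fake[i].spi = spi; fake[i].used = 1; *h = i; }
    return 0;                            /* a full table still returns "OK", as reported */
}
static int fake_del(int h) {
    if (h >= 0 && h < FAKE_LUT_SIZE && fake_delete_works) fake[h].used = 0;
    return 0;
}
static int fake_probe(uint32_t ip, uint32_t spi) {
    for (int i = 0; i < FAKE_LUT_SIZE; i++)
        if (fake[i].used && fake[i].ip == ip && fake[i].spi == spi) return 1;
    return 0;
}
int run_checks(int delete_works) { /* 1000 rekeys on a fresh table, working (1) or buggy (0) */
    lut_ops_t o = { fake_add, fake_del, fake_probe };
    memset(fake, 0, sizeof fake); fake_delete_works = delete_works;
    return run_rekeys(&o, 0x0A000001u, 1000, &last_stale); /* 10.0.0.1 is constructed */
}
int last_stale_at(void) { return last_stale; }
```

With deletion ineffective the fake reports a stale hit on the very first rekey and the new SPI stops matching at rekey 256, which is the pattern to compare against when the hooks are pointed at the real LLD.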