
"show vpn ipsec sa" fails with exception when there are no established SAs
Closed, Resolved | Public | BUG

Description

run show vpn ipsec sa

Traceback (most recent call last):
File "/usr/libexec/vyos/op_mode/show_ipsec_sa.py", line 51, in <module>

raise e

File "/usr/libexec/vyos/op_mode/show_ipsec_sa.py", line 45, in <module>
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.19.4-amd64-vyos, x86_64):
uptime: 111 minutes, since Dec 17 19:44:31 2018
malloc: sbrk 2818048, mmap 0, used 818672, free 1999376
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
x.x.x.x
Connections:
peer-y.y.y.y-tunnel-vti: x.x.x.x...y.y.y.y IKEv1, dpddelay=15s
peer-y.y.y.y-tunnel-vti: local: bytes_in = hurry.filesize.size(bytes_in)
File "/usr/lib/python3/dist-packages/hurry/filesize/filesize.py", line 100, in size
[x.x.x.x] uses pre-shared key authentication
peer-y.y.y.y-tunnel-vti: remote: [y.y.y.y] uses pre-shared key authentication
peer-y.y.y.y-tunnel-vti: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
peer-y.y.y.y-tunnel-vti[604]: ESTABLISHED 31 seconds ago, x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]
peer-y.y.y.y-tunnel-vti[604]: IKEv1 SPIs: 84e5646fdab6d704_i* 6a65b8a54cfdb522_r, pre-shared key reauthentication in 7 hours
peer-y.y.y.y-tunnel-vti[604]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
peer-y.y.y.y-tunnel-vti{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2a174c5_i c9d11a27_o
peer-y.y.y.y-tunnel-vti{1}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i (0 pkts, 9s ago), 104 bytes_o (2 pkts, 1s ago), rekeying in 43 minutes
peer-y.y.y.y-tunnel-vti{1}: 0.0.0.0/0 === 0.0.0.0/0
peer-y.y.y.y-tunnel-vti{2}: INSTALLED if bytes >= factor:
TypeError: unorderable types: str() >= int()
, TUNNEL, reqid 1, ESP SPIs: c52738d9_i cd026001_o
peer-y.y.y.y-tunnel-vti{2}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 1988 bytes_i (16 pkts, 4s ago), 1816 bytes_o (16 pkts, 1s ago), rekeying in 45 minutes
peer-y.y.y.y-tunnel-vti{2}: 0.0.0.0/0 === 0.0.0.0/0

Details

Version
1.2.0-rc11

Event Timeline

I saw that in earlier versions too, but not in 1.2.0-RC11. Can you please retest on RC11?

syncer triaged this task as Normal priority.
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-EPA); removed VyOS 1.2 Crux.

I have tested it in 1.2.0-rc11. The problem is only present when no established SAs exist.

When I run show vpn ipsec sa the first time (just after router start-up), it shows an error:

ilya@R14:~$ show vpn ipsec sa
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/show_ipsec_sa.py", line 51, in <module>
    raise e
  File "/usr/libexec/vyos/op_mode/show_ipsec_sa.py", line 39, in <module>
    time, _, _, ip, id = parse_conn_spec(status)
  File "/usr/libexec/vyos/op_mode/show_ipsec_sa.py", line 11, in parse_conn_spec
    return re.search(r'.*ESTABLISHED\s+(.*)ago,\s(.*)\[(.*)\]\.\.\.(.*)\[(.*)\].*', s).groups()
AttributeError: 'NoneType' object has no attribute 'groups'

But when I run show vpn ipsec sa a second time (one or two minutes later), it works fine and shows me the list of established SAs.

Harliff changed Version from 1.2.0-rc10 to 1.2.0-rc11. Dec 25 2018, 6:46 AM

I've changed it to handle the situation gracefully. Actual display of connecting SAs is another story of course... The fix will be in the next nightly build.

vyos@vyos-test-1# run show vpn ipsec sa
No established security associations found.
Run "show vpn ipsec sa" to view inactive and connecting tunnels
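The two tracebacks in this ticket show the same class of defect twice: `re.search(...).groups()` dereferences `None` when no line contains `ESTABLISHED`, and a byte counter is handed to `hurry.filesize.size()` as a `str`, so its `bytes >= factor` comparison fails. The following is an added illustration, not the VyOS project's `show_ipsec_sa.py` and not dmbaturin's fix. It reuses only the `parse_conn_spec` regex quoted in the traceback; `TRAFFIC_RE`, `format_bytes` (a stand-in for `hurry.filesize.size`), `established_sas`, `render` and the two `STATUS_*` strings are assumptions constructed for the example, modelled on the `ipsec statusall` excerpt in the description.

```python
import re

# Regex copied from the traceback above (show_ipsec_sa.py, parse_conn_spec).
CONN_SPEC_RE = re.compile(
    r'.*ESTABLISHED\s+(.*)ago,\s(.*)\[(.*)\]\.\.\.(.*)\[(.*)\].*')
# Constructed regex (not from the page) for the counters on a CHILD_SA line.
TRAFFIC_RE = re.compile(
    r'(\d+) bytes_i \((\d+) pkts.*?(\d+) bytes_o \((\d+) pkts')


def parse_conn_spec(s):
    """Original shape: re.search() returns None on a line without an
    ESTABLISHED IKE_SA, so .groups() raises AttributeError (first traceback)."""
    return CONN_SPEC_RE.search(s).groups()


def parse_conn_spec_safe(s):
    """Hardened: return None instead of raising when the line does not match."""
    m = CONN_SPEC_RE.search(s)
    return m.groups() if m else None


def format_bytes(n):
    """Stand-in for hurry.filesize.size() (hypothetical, simplified).
    It insists on an int so the str-vs-int comparison from the second
    traceback fails loudly at the call site instead of deep in a library."""
    if not isinstance(n, int):
        raise TypeError('byte counter must be int, got %s' % type(n).__name__)
    for suffix, factor in (('G', 1024 ** 3), ('M', 1024 ** 2), ('K', 1024)):
        if n >= factor:
            return '%.1f%s' % (n / factor, suffix)
    return '%dB' % n


def established_sas(statusall_output):
    """Collect ESTABLISHED IKE_SAs and sum the traffic of the CHILD_SA
    lines that follow each one. Lines that match nothing are skipped."""
    sas = []
    for line in statusall_output.splitlines():
        spec = parse_conn_spec_safe(line)
        if spec is not None:
            age, local, local_id, remote, remote_id = spec
            sas.append({'age': age.strip(), 'local': local, 'local_id': local_id,
                        'remote': remote, 'remote_id': remote_id,
                        'bytes_in': 0, 'bytes_out': 0})
            continue
        traffic = TRAFFIC_RE.search(line)
        if traffic and sas:
            bytes_in, _, bytes_out, _ = traffic.groups()
            # Convert before formatting: regex groups are str, not int.
            sas[-1]['bytes_in'] += int(bytes_in)
            sas[-1]['bytes_out'] += int(bytes_out)
    return sas


def render(statusall_output):
    """Produce the report text; the empty case is a message, not a crash."""
    sas = established_sas(statusall_output)
    if not sas:
        return 'No established security associations found.'
    return '\n'.join(
        '%s -> %s  up %s  in %s  out %s' % (
            sa['local'], sa['remote'], sa['age'],
            format_bytes(sa['bytes_in']), format_bytes(sa['bytes_out']))
        for sa in sas)


# Constructed sample inputs modelled on the statusall excerpt in the ticket.
STATUS_UP = """\
Security Associations (1 up, 0 connecting):
peer-y.y.y.y-tunnel-vti[604]: ESTABLISHED 31 seconds ago, x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]
peer-y.y.y.y-tunnel-vti{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2a174c5_i c9d11a27_o
peer-y.y.y.y-tunnel-vti{1}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i (0 pkts, 9s ago), 104 bytes_o (2 pkts, 1s ago), rekeying in 43 minutes
peer-y.y.y.y-tunnel-vti{2}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 1988 bytes_i (16 pkts, 4s ago), 1816 bytes_o (16 pkts, 1s ago), rekeying in 45 minutes
"""
STATUS_CONNECTING = """\
Security Associations (0 up, 1 connecting):
peer-y.y.y.y-tunnel-vti[1]: CONNECTING, x.x.x.x[%any]...y.y.y.y[%any]
"""

if __name__ == '__main__':
    print(render(STATUS_CONNECTING))
    print(render(STATUS_UP))
```

Run as a script it prints the "No established security associations found." line for the connecting-only status and one summary line for the established tunnel. The point for an operator-facing command is that the parser's "no match" branch is a normal state right after boot, not an error, so it must be a return value the caller checks rather than an exception that surfaces as a traceback.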
dmbaturin renamed this task from "show vpn ipsec sa - corrupted output in 1.2.0-rc10" to ""show vpn ipsec sa" fails with exception when there are no established SAs". Dec 31 2018, 10:55 AM