DSCP: Policy Failure for the incoming packet

In a comment on my post DSCP: Domain to Service Processor Communication Protocol, Mike Beach wrote:
        We are seeing ipsec messages in the system log regarding the DSCP addresses.    
        Is there an ipsec configuration option on the host that we should check?

        # dmesg |tail -1
        Jan 14 14:38:42 sco01b ip: [ID 372019 kern.error] ipsec_check_inbound_policy:   
        Policy Failure for the incoming packet (not secure); Source 192.168.037.026,    
        Destination 192.168.037.028.
My response to Mike was, "I think, in general, you can ignore the ipsec_check_inbound_policy messages. They are probably happening whenever the SCF is rebooted." But I wanted to provide a more complete response, and the tiny comment block wasn't the right place.

On a SPARC Enterprise M-class server, the SCF and Solaris use IPsec to authenticate each end of the connection when they set up a domain-to-SCF communication (DSCP) link. If for some reason the SCF reboots (during an SCF failover, when the SCF firmware is upgraded, or when it is manually rebooted, for example), the SCF sends a reset message to Solaris to reset the TCP connection. The reset message is sent in the clear. When Solaris sees the message in the clear (that is, "not secure"), it logs the policy failure.

If you see this message only when Solaris or the SCF reboots, then it can safely be ignored. If you're seeing it at other times, or continuously logged every second, then contact your service engineer and escalate the problem to Sun.
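To make that "isolated versus continuous" judgement from a messages file rather than by eye, here is a small triage script. It is an added example, not code from the original post or from Sun: it parses ipsec_check_inbound_policy lines of the exact shape shown above, groups them by source/destination pair, and measures the longest run of back-to-back messages. The sample log lines are constructed for the example (the second flow, 192.168.037.030, is made up), and the thresholds (a 2-second gap splits runs, 10 seconds of continuous logging means escalate) are my assumptions, chosen around the default one-message-per-second rate limit.

```python
"""Triage ipsec_check_inbound_policy messages from a Solaris messages file.

Added example: isolated messages that line up with an SCF or Solaris
reboot are expected; a sustained stream (the kernel rate limiter emits
at most one line per ipsec_policy_log_interval, 1000 ms by default)
is the case worth escalating.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ip: "
    r"\[ID \d+ kern\.error\] ipsec_check_inbound_policy: "
    r"Policy Failure for the incoming packet \((?P<reason>[^)]*)\); "
    r"Source (?P<src>[\d.]+), Destination (?P<dst>[\d.]+)\."
)


def parse_line(line):
    """Return the fields of a policy-failure line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; only deltas matter here, so 1900 is fine
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return {"ts": ts, "host": m.group("host"), "reason": m.group("reason"),
            "src": m.group("src"), "dst": m.group("dst")}


def longest_run_seconds(stamps, max_gap):
    """Length in seconds of the longest stretch where consecutive messages
    are no more than max_gap seconds apart (0 for a single message)."""
    stamps = sorted(stamps)
    best, start, prev = 0.0, stamps[0], stamps[0]
    for ts in stamps[1:]:
        if (ts - prev).total_seconds() > max_gap:
            start = ts          # gap too large: a new run begins here
        prev = ts
        best = max(best, (ts - start).total_seconds())
    return best


def classify(lines, max_gap=2.0, sustained_seconds=10):
    """Group policy failures per (src, dst) and decide whether each flow looks
    like an isolated reboot artefact ("expected") or continuous logging
    ("escalate"). Threshold values are assumptions for this example."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            flows[(rec["src"], rec["dst"])].append(rec["ts"])
    report = {}
    for key, stamps in flows.items():
        run = longest_run_seconds(stamps, max_gap)
        report[key] = {
            "count": len(stamps),
            "longest_run_seconds": run,
            "verdict": "escalate" if run >= sustained_seconds else "expected",
        }
    return report


def _line(ts, src, dst):
    """Build one constructed log line in the format quoted in the post."""
    return (f"{ts.strftime('%b %d %H:%M:%S')} sco01b ip: [ID 372019 kern.error] "
            f"ipsec_check_inbound_policy: Policy Failure for the incoming packet "
            f"(not secure); Source {src}, Destination {dst}.")


# Constructed sample log: flow A is two messages one second apart (what an
# SCF reboot looks like); flow B logs every second for 15 seconds.
_T = datetime(1900, 1, 14, 14, 38, 42)
SAMPLE_LOG = [
    "Jan 14 14:38:40 sco01b sshd[4321]: [ID 800047 auth.info] unrelated line",
    _line(_T, "192.168.037.026", "192.168.037.028"),
    _line(_T + timedelta(seconds=1), "192.168.037.026", "192.168.037.028"),
] + [
    _line(datetime(1900, 1, 14, 15, 2, 0) + timedelta(seconds=i),
          "192.168.037.030", "192.168.037.028")
    for i in range(15)
]

if __name__ == "__main__":
    for (src, dst), info in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}: {info['count']} msgs, longest run "
              f"{info['longest_run_seconds']:.0f}s, verdict: {info['verdict']}")
```

Run it against a real file with `classify(open("/var/adm/messages").readlines())`; anything reported as "escalate" is the case the post says to hand to your service engineer, while "expected" flows are worth cross-checking against SCF or domain reboot times.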

There was a bug filed against Solaris about these messages (technically it was an RFE -- request for enhancement). In part, the bug says:

        The cause of the messages is IPsec, this system received a clear text packet
        but the IPsec policy on this system only allows IPsec encrypted packets, so the
        system discards the packet. To stop the system logging itself to death, there
        is a rate limiting function which will only log a message every
        ipsec_policy_log_interval milliseconds.

        The default value for ipsec_policy_log_interval is 1000 ( one second ).

        In certain configurations, messages like this are expected and after a while
        too many messages will start to become annoying and fill up the messages file.

        This value can be tuned with ndd up to 999999 milliseconds ( just over 16 minutes )
        but can't actually be disabled. This is a request to allow the systems administrator
        to turn off these messages should they wish.
This was fixed in OpenSolaris build 37 and Solaris 10 Update 4, and allows you to specify an ipsec_policy_log_interval of 0 to turn off the logging altogether. (Caveat: I haven't actually tried the fix myself.)

Hope this provides enough information for you to understand what's going on when you see these messages.
