Bug 1935599
| Summary: | [OVS IPsec] NAT-T doesn't work | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux Fast Datapath | Reporter: | qding |
| Component: | openvswitch2.13 | Assignee: | Mohammad Heib <mheib> |
| Status: | ASSIGNED --- | QA Contact: | qding |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | FDP 21.B | CC: | ctrautma, jhsiao, mheib, qding, ralongi |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |

Created attachment 1760842
log for "journalctl -u ipsec"
Please see the attachment for log
[root@dell-per730-04 ~]# tcpdump -nnev -i eno1np0 esp or udp port 500 or udp port 4500
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:00:37.861975 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 530: (tos 0x0, ttl 64, id 51250, offset 0, flags [DF], proto UDP (17), length 516)
10.1.1.1.500 > 10.1.1.2.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
(sa: len=92
(p: #1 protoid=isakmp transform=10 len=92
(t: #1 type=encr id=#20 (type=keylen value=0100))
(t: #2 type=prf id=#5 )
(t: #3 type=dh id=modp2048 )
(t: #4 type=dh id=modp3072 )
(t: #5 type=dh id=modp4096 )
(t: #6 type=dh id=modp8192 )
(t: #7 type=dh id=#19 )
(t: #8 type=dh id=#20 )
(t: #9 type=dh id=#21 )
(t: #10 type=dh id=#31 )))
(v2ke: len=256 group=modp2048)
(nonce: len=32 data=(4f513f1642b8953c07bb...fedac6335f91031578c9758aa9b6019de764effa))
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
09:00:37.863832 3c:fd:fe:bb:1b:6c > 00:15:4d:12:2d:ac, ethertype IPv4 (0x0800), length 474: (tos 0x0, ttl 64, id 23069, offset 0, flags [DF], proto UDP (17), length 460)
10.1.1.2.500 > 10.1.1.1.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[R]:
(sa: len=36
(p: #1 protoid=isakmp transform=3 len=36
(t: #1 type=encr id=#20 (type=keylen value=0100))
(t: #2 type=prf id=#5 )
(t: #3 type=dh id=modp2048 )))
(v2ke: len=256 group=modp2048)
(nonce: len=32 data=(566881890770f9b6f6d5...d1c930729ba38f146064c0dc4ee5db735b9f72dd))
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
09:00:37.865072 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 247: (tos 0x0, ttl 64, id 51253, offset 0, flags [DF], proto UDP (17), length 233)
10.1.1.1.4500 > 10.1.1.2.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa ikev2_auth[I]:
(v2e: len=169)
09:00:37.866209 3c:fd:fe:bb:1b:6c > 00:15:4d:12:2d:ac, ethertype IPv4 (0x0800), length 111: (tos 0x0, ttl 64, id 23071, offset 0, flags [DF], proto UDP (17), length 97)
10.1.1.2.4500 > 10.1.1.1.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa ikev2_auth[R]:
(v2e: len=33)
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ~]#
Hi @qding,
thank you for reporting this BUG, I think the pluto daemon failed to initiate the connection. Can you please attach the output of the commands below:
# ipsec status
# ipsec auto --start <connection name> (you can find it in /etc/ipsec.conf, I think it's tun123-1)
thank you so much and sorry about the previous comment :)

Hello Mohamad,
Thank you for investigating the issue, and I'm sorry for the late feedback because I have had too many tests recently and the machines were not available. There is one important thing that I have to mention: I'm not sure my configurations are correct for OVS NAT-T, and I have no idea whether OVS really supports the feature. I just see that with these configurations the IPsec tunnel does not work. Please see the log below.
[root@dell-per730-04 ~]# uname -r
4.18.0-367.el8.x86_64
[root@dell-per730-04 ~]# rpm -qa | grep openvswitch
openvswitch-selinux-extra-policy-1.0-28.el8fdp.noarch
python3-openvswitch2.16-2.16.0-53.el8fdp.x86_64
openvswitch2.16-2.16.0-53.el8fdp.x86_64
openvswitch2.16-ipsec-2.16.0-53.el8fdp.x86_64
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# tcpdump -nnev -i eno1np0 esp or udp port 500 or udp port 4500
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
05:05:21.987340 3c:fd:fe:bb:1b:6c > 00:15:4d:12:2d:ac, ethertype IPv4 (0x0800), length 530: (tos 0x0, ttl 64, id 60467, offset 0, flags [DF], proto UDP (17), length 516)
10.1.1.2.500 > 10.1.1.1.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
(sa: len=92
(p: #1 protoid=isakmp transform=10 len=92
(t: #1 type=encr id=#20 (type=keylen value=0100))
(t: #2 type=prf id=#5 )
(t: #3 type=dh id=modp2048 )
(t: #4 type=dh id=modp3072 )
(t: #5 type=dh id=modp4096 )
(t: #6 type=dh id=modp8192 )
(t: #7 type=dh id=#19 )
(t: #8 type=dh id=#20 )
(t: #9 type=dh id=#21 )
(t: #10 type=dh id=#31 )))
(v2ke: len=256 group=modp2048)
(nonce: len=32 data=(923541f5187b133691f7...b16dc7dae181dc4dacfe6a2ee8cb2f537caf78a7))
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
05:05:21.989124 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 474: (tos 0x0, ttl 64, id 41348, offset 0, flags [DF], proto UDP (17), length 460)
10.1.1.1.500 > 10.1.1.2.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[R]:
(sa: len=36
(p: #1 protoid=isakmp transform=3 len=36
(t: #1 type=encr id=#20 (type=keylen value=0100))
(t: #2 type=prf id=#5 )
(t: #3 type=dh id=modp2048 )))
(v2ke: len=256 group=modp2048)
(nonce: len=32 data=(15b844a247f0abb446bb...c7e8f6008ce558e29ce28f94ff0a9fe9d0cd943d))
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
05:05:21.990539 3c:fd:fe:bb:1b:6c > 00:15:4d:12:2d:ac, ethertype IPv4 (0x0800), length 247: (tos 0x0, ttl 64, id 60469, offset 0, flags [DF], proto UDP (17), length 233)
10.1.1.2.4500 > 10.1.1.1.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa ikev2_auth[I]:
(v2e: len=169)
05:05:21.991876 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 163: (tos 0x0, ttl 64, id 41349, offset 0, flags [DF], proto UDP (17), length 149)
10.1.1.1.4500 > 10.1.1.2.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa ikev2_auth[R]:
(v2e: len=85)
05:05:21.992446 3c:fd:fe:bb:1b:6c > 00:15:4d:12:2d:ac, ethertype IPv4 (0x0800), length 111: (tos 0x0, ttl 64, id 60471, offset 0, flags [DF], proto UDP (17), length 97)
10.1.1.2.4500 > 10.1.1.1.4500: NONESP-encap: isakmp 2.0 msgid 00000002: child_sa inf2[I]:
(v2e: len=33)
05:05:21.992612 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 103: (tos 0x0, ttl 64, id 41350, offset 0, flags [DF], proto UDP (17), length 89)
10.1.1.1.4500 > 10.1.1.2.4500: NONESP-encap: isakmp 2.0 msgid 00000002: child_sa inf2[R]:
(v2e: len=25)
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ~]# ipsec status
000 using kernel interface: xfrm
000
000 interface eno1 UDP [2620:52:0:4958:1618:77ff:fe35:5b1b]:500
000 interface lo UDP [::1]:500
000 interface lo UDP 127.0.0.1:4500
000 interface lo UDP 127.0.0.1:500
000 interface eno1 UDP 10.73.88.41:4500
000 interface eno1 UDP 10.73.88.41:500
000 interface br-nat UDP 192.168.1.1:4500
000 interface br-nat UDP 192.168.1.1:500
000 interface ovsbr0 UDP 172.16.31.1:4500
000 interface ovsbr0 UDP 172.16.31.1:500
000
000 fips mode=disabled;
000 SElinux=enabled
000 seccomp=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 dnssec-rootkey-file=/var/lib/unbound/root.key, dnssec-trusted=<unset>
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=4.5, pluto_vendorid=OE-Libreswan-4.5, audit-log=yes
000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=25000, ddos-max-halfopen=50000, ddos-mode=auto, ikev1-policy=accept
000 ikebuf=0, msg_errqueue=yes, crl-strict=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=<unset>
000 secctx-attr-type=32001
000 debug:
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000
000 Kernel algorithms supported:
000
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "tun123-1": 192.168.1.1<192.168.1.1>:47/0...10.1.1.2<10.1.1.2>:47/0; prospective erouted; eroute owner: #0
000 "tun123-1": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "tun123-1": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "tun123-1": our auth:secret, their auth:secret
000 "tun123-1": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "tun123-1": sec_label:unset;
000 "tun123-1": ike_life: 28800s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "tun123-1": retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "tun123-1": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "tun123-1": policy: IKEv2+PSK+ENCRYPT+PFS+IKE_FRAG_ALLOW+ESN_NO;
000 "tun123-1": v2-auth-hash-policy: none;
000 "tun123-1": conn_prio: 32,32; interface: br-nat; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "tun123-1": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "tun123-1": our idtype: ID_IPV4_ADDR; our id=192.168.1.1; their idtype: ID_IPV4_ADDR; their id=10.1.1.2
000 "tun123-1": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "tun123-1": newest ISAKMP SA: #0; newest IPsec SA: #0; conn serial: $1;
000 "tun123-1": IKE algorithms: AES_GCM_16_256-HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
000 "tun123-1": ESP algorithms: AES_GCM_16_256-NONE
000
000 Total IPsec connections: loaded 1, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 Bare Shunt list:
000
[root@dell-per730-04 ~]# ipsec auto --start tun123-1
002 "tun123-1": terminating SAs using this connection
003 ERROR: "tun123-1": ERROR: netlink XFRM_MSG_DELPOLICY response for flow %discard(discard): No such file or directory (errno 2)
002 "tun123-1": added IKEv2 connection
181 "tun123-1" #7: initiating IKEv2 connection
181 "tun123-1" #7: sent IKE_SA_INIT request
182 "tun123-1" #7: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=MODP2048}
003 "tun123-1" #7: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
036 "tun123-1" #7: encountered fatal error in state STATE_V2_PARENT_I2
002 "tun123-1" #7: deleting state (STATE_V2_PARENT_I2) aged 0.00631s and NOT sending notification
002 "tun123-1" #7: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS
[root@dell-per730-04 ~]#
Description of problem:
OVS IPsec NAT-T doesn't work

Host1:
[root@dell-per730-04 ~]# ovs-vsctl show
f8e547b4-6001-41f3-8458-d4b8aabbb01a
    Bridge ovsbr0
        Port ovsbr0
            Interface ovsbr0
                type: internal
        Port tun123
            Interface tun123
                type: gre
                options: {local_ip="192.168.1.1", psk=test123, remote_ip="10.1.1.2"}
    Bridge br-nat
        Port eno1np0
            Interface eno1np0
        Port br-nat
            Interface br-nat
                type: internal
    ovs_version: "2.13.2"
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# ip add show ovsbr0
13: ovsbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 12:08:82:54:ec:43 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.1/24 scope global ovsbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::1008:82ff:fe54:ec43/64 scope link
       valid_lft forever preferred_lft forever
[root@dell-per730-04 ~]# ip add show br-nat
12: br-nat: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 00:15:4d:12:2d:ac brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 scope global br-nat
       valid_lft forever preferred_lft forever
    inet6 fe80::215:4dff:fe12:2dac/64 scope link
       valid_lft forever preferred_lft forever
[root@dell-per730-04 ~]# ovs-ofctl dump-flows ovsbr0
 cookie=0x0, duration=6975.392s, table=0, n_packets=282, n_bytes=16152, priority=0 actions=NORMAL
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# ovs-ofctl dump-flows br-nat
 cookie=0x0, duration=7046.132s, table=0, n_packets=70, n_bytes=14788, ip,nw_src=192.168.1.1 actions=ct(commit,zone=100,nat(src=10.1.1.1)),output:eno1np0
 cookie=0x0, duration=7046.122s, table=0, n_packets=89, n_bytes=3738, arp,arp_spa=192.168.1.1 actions=load:0xa010101->NXM_OF_ARP_SPA[],output:eno1np0
 cookie=0x0, duration=7046.127s, table=0, n_packets=379, n_bytes=178646, ip,nw_dst=10.1.1.1 actions=ct(zone=100,nat),LOCAL
 cookie=0x0, duration=7046.117s, table=0, n_packets=80, n_bytes=4800, arp,arp_tpa=10.1.1.1 actions=load:0xc0a80101->NXM_OF_ARP_TPA[],LOCAL
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]#

Host2:
[root@dell-per730-05 ~]# ovs-vsctl show
3ed3c0de-7ab0-4074-b74e-c170bd22313c
    Bridge ovsbr0
        Port tun123
            Interface tun123
                type: gre
                options: {local_ip="10.1.1.2", psk=test123, remote_ip="10.1.1.1"}
        Port ovsbr0
            Interface ovsbr0
                type: internal
    ovs_version: "2.13.2"
[root@dell-per730-05 ~]#
[root@dell-per730-05 ~]# ip add show ovsbr0
12: ovsbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 2a:fe:fc:bb:f1:4e brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.2/24 scope global ovsbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::28fe:fcff:febb:f14e/64 scope link
       valid_lft forever preferred_lft forever
[root@dell-per730-05 ~]# ip add show enp4s0f0
7: enp4s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 3c:fd:fe:bb:1b:6c brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.2/24 scope global enp4s0f0
       valid_lft forever preferred_lft forever
[root@dell-per730-05 ~]#
[root@dell-per730-05 ~]# ovs-ofctl dump-flows ovsbr0
 cookie=0x0, duration=7046.995s, table=0, n_packets=76, n_bytes=6704, priority=0 actions=NORMAL
[root@dell-per730-05 ~]#

Version-Release number of selected component (if applicable):
[root@dell-per730-04 ~]# uname -r
4.18.0-291.el8.x86_64
[root@dell-per730-04 ~]# rpm -qa | grep openvswitch
openvswitch2.13-test-2.13.0-79.5.el8fdp.noarch
openvswitch-selinux-extra-policy-1.0-28.el8fdp.noarch
python3-openvswitch2.13-2.13.0-79.5.el8fdp.x86_64
openvswitch2.13-ipsec-2.13.0-79.5.el8fdp.x86_64
openvswitch2.13-2.13.0-79.5.el8fdp.x86_64
[root@dell-per730-04 ~]#
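
Added illustration, not part of the bug report or of the OVS/Libreswan code: the check behind the `nat_detection_source_ip` / `nat_detection_destination_ip` notifications seen in the captures, as RFC 7296 section 2.23 defines it, run against the Host1/Host2 addresses from the description. The SPI is a constructed value (the capture does not print it), and it is assumed that Host1's IKE daemon sends from 192.168.1.1:500 on br-nat before the `nat(src=10.1.1.1)` flow rewrites the source.

```python
import hashlib
import ipaddress
import struct


def natd_hash(spi_i, spi_r, ip, port):
    """RFC 7296 section 2.23 payload data: SHA-1(SPIi | SPIr | IP | port)."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 octets each")
    addr = ipaddress.ip_address(ip).packed  # 4 octets for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def detect_nat(natd_src_list, natd_dst, spi_i, spi_r, seen_src, seen_dst):
    """Receiver-side check; seen_* are (ip, port) taken from the IP/UDP headers."""
    return {
        # No NAT_DETECTION_SOURCE_IP hash matches the observed source:
        # the sender's address was translated on the way.
        "peer_behind_nat": natd_hash(spi_i, spi_r, *seen_src) not in natd_src_list,
        # The NAT_DETECTION_DESTINATION_IP hash does not match the address the
        # packet arrived on: the receiver itself sits behind a NAT.
        "local_behind_nat": natd_hash(spi_i, spi_r, *seen_dst) != natd_dst,
    }


def ike_sa_init_check(sender_local, sender_remote, seen_src, seen_dst):
    """Build the sender's two notifications, then run the receiver's check."""
    spi_i = bytes.fromhex("0102030405060708")  # constructed SPI, not from the capture
    spi_r = bytes(8)                           # responder SPI is zero in the first request
    natd_src = [natd_hash(spi_i, spi_r, *sender_local)]
    natd_dst = natd_hash(spi_i, spi_r, *sender_remote)
    return detect_nat(natd_src, natd_dst, spi_i, spi_r, seen_src, seen_dst)


# Host1 -> Host2 through br-nat: sent from 192.168.1.1:500 (assumed), seen on the
# wire as 10.1.1.1.500 > 10.1.1.2.500, as in the tcpdump output.
NATTED = ike_sa_init_check(("192.168.1.1", 500), ("10.1.1.2", 500),
                           ("10.1.1.1", 500), ("10.1.1.2", 500))

# Control case: the same exchange with no address translation in the path.
DIRECT = ike_sa_init_check(("10.1.1.1", 500), ("10.1.1.2", 500),
                           ("10.1.1.1", 500), ("10.1.1.2", 500))

if __name__ == "__main__":
    print("through br-nat:", NATTED)
    print("no translation:", DIRECT)
```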