Bug 176455 - [CM] [RHEL4] IPSec Kernel Bug
Summary: [CM] [RHEL4] IPSec Kernel Bug
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All Linux
Target Milestone: ---
Assignee: Jeff Layton
QA Contact: Brian Brock
Reported: 2005-12-22 23:03 UTC by Bryan Mason
Modified: 2014-06-18 07:35 UTC

Fixed In Version: RHBA-2007-0304
Doc Type: Bug Fix
Last Closed: 2007-05-01 23:59:50 UTC

Attachments
backport of immediate SA switchover patch from upstream (1.86 KB, patch)
2006-10-04 13:33 UTC, Jeff Layton
respun patch, include dst->obsolete < 0 check (2.65 KB, patch)
2006-10-04 14:01 UTC, Jeff Layton

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2007:0304 normal SHIPPED_LIVE Updated kernel packages available for Red Hat Enterprise Linux 4 Update 5 2007-04-28 18:58:50 UTC

Comment 1 David Miller 2005-12-24 09:44:23 UTC
I already cooked up a patch so I'll take this.

Comment 6 Jeff Layton 2006-10-04 13:33:22 UTC
Created attachment 137740
backport of immediate SA switchover patch from upstream

Instead of using RHEL3's patch as a base, I backported the original upstream
patch here, since it was a little closer to the RHEL4 codebase. The original
patch is here:;a=commitdiff;h=399c180ac5f0cb66ef9479358e0b8b6bafcbeafe

There is another patch, however, that we might want to consider, which looks
like it fixed some deficiencies of the original patch:;a=commitdiff;h=d49c73c729e2ef644558a1f441c044bfacdc9744

Dave, you're more familiar with this code than I. Should I backport that one

Comment 7 Jeff Layton 2006-10-04 14:01:50 UTC
Created attachment 137743
respun patch, include dst->obsolete < 0 check

Respun patch that includes the later patch to correct the case when
dst->obsolete < 0.

Comment 8 David Miller 2006-10-04 20:40:27 UTC
Good catch Jeff, yes that second bit with the dst->obsolete check
is needed.

Comment 9 Jeff Layton 2006-10-24 11:28:52 UTC
The patch seems to have fixed the customer's Linux-Linux renegotiation problems,
but Linux-Windows doesn't seem to be working correctly still. Going to see if I
can crank up debugging in racoon and get some idea of why it's not occurring.

Essentially, network captures show the ISAKMP messages being sent back and forth
for rekeying, but the sequence number of the packets following that doesn't get
reset back to 1. I'm presuming this means that the rekeying failed for some reason.
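
Added example, not part of the original bug report or of any Red Hat tooling: one way to check a capture for the symptom described in comment 9, by reading the SPI and sequence number from each ESP header and reporting whether traffic moved to a new SA after the rekey. The function names, SPIs, timestamps and counters are constructed for illustration; a new SA is expected to show a new SPI with its first packet numbered 1.

```python
import struct

def esp_header(payload: bytes):
    """Return (spi, seq): the two 32-bit big-endian fields that start every ESP packet."""
    if len(payload) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", payload[:8])

def switchover_report(packets, rekey_time):
    """packets: (timestamp, esp_payload) tuples for one direction of one tunnel.
    rekey_time: when the capture shows the ISAKMP rekey exchange finishing."""
    old_spis, stale, new_sa = set(), 0, None
    for ts, payload in sorted(packets, key=lambda p: p[0]):
        spi, seq = esp_header(payload)
        if ts < rekey_time:
            old_spis.add(spi)
        elif spi in old_spis:
            stale += 1              # still sent on the pre-rekey SA
        elif new_sa is None:
            new_sa = (spi, seq)     # first packet seen on a new SA
    return {
        "switched": new_sa is not None,
        "new_spi": new_sa[0] if new_sa else None,
        "first_seq_on_new_sa": new_sa[1] if new_sa else None,
        "stale_after_rekey": stale,
    }

def _esp(spi, seq):
    # Constructed packet: header plus 16 dummy bytes standing in for ciphertext.
    return struct.pack("!II", spi, seq) + b"\x00" * 16

# Constructed captures; SPIs, timestamps and counters are made up.
STUCK = [(1.0, _esp(0x1111AAAA, 4000)), (2.0, _esp(0x1111AAAA, 4001)),
         (11.0, _esp(0x1111AAAA, 4002)), (12.0, _esp(0x1111AAAA, 4003))]
SWITCHED = [(1.0, _esp(0x1111AAAA, 4000)), (2.0, _esp(0x1111AAAA, 4001)),
            (11.0, _esp(0x2222BBBB, 1)), (12.0, _esp(0x2222BBBB, 2))]

if __name__ == "__main__":
    for name, cap in (("stuck", STUCK), ("switched", SWITCHED)):
        print(name, switchover_report(cap, rekey_time=10.0))
```

A report with `switched` false and a non-zero `stale_after_rekey` matches the capture described above: the rekey messages were exchanged, but the sender kept using the old SA.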

Comment 11 Jeff Layton 2006-11-28 20:01:18 UTC
I'm planning to post the patch here soon, so I'll go ahead and grab this from Dave.

Comment 13 Jason Baron 2006-12-04 19:16:10 UTC
committed in stream U5 build 42.28. A test kernel with this patch is available

Comment 15 RHEL Product and Program Management 2006-12-11 15:40:57 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 16 Jay Turner 2006-12-11 17:51:50 UTC
QE ack for 4.5.

Comment 20 Mike Gahagan 2007-03-29 15:04:11 UTC
Patch is in -52 and the customer has been using a hotfix kernel already for some

Comment 22 Red Hat Bugzilla 2007-05-01 23:59:50 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
