VCG on 5.2.3.4 using FIPS Strict mode is unable to form VCMP tunnels.


Article ID: 379327

Products

VMware VeloCloud SD-WAN

Issue/Introduction

When a new VCG is deployed with FIPS Strict mode enabled, the gateway is unable to form VCMP tunnels.


GWD shows the following logs repeating:

2024-10-07T18:08:37.894 |23291| ERR     [VPN] conf_handler_io_read:3480 Cannot get qsec-vc-1 routing instance. Return
2024-10-07T18:08:37.894 |23291| ERR     [VPN] velo_checks_handler_cb:2871 Cannot get routing instance
2024-10-07T18:08:37.894 |23291| ERR     [VPN] conf_handler_io_read:3477 Cannot get routing instance. Try and create.
2024-10-07T18:08:37.894 |23291| ERR     [QUICKSEC] vc_qsec_pm_log_cb:264 LOG-E Failed creating routing instance qsec-vc-1, id -1 pointer 0.
2024-10-07T18:08:37.894 |23291| ERR     [VPN] conf_handler_io_read:3480 Cannot get qsec-vc-1 routing instance. Return



The following errors appear during gwd initialization:

 

2024-10-07T18:42:16.782 |7943| MSG    [CRYPTO] vc_qsec_log_post_status:318 QuickSec POST is passed
2024-10-07T18:42:16.782 |7943| ERR    [QUICKSEC] vc_qsec_pm_log_cb:264 LOG-E Error 13 creating namespace fd -1
2024-10-07T18:42:16.782 |7943| ERR    [QUICKSEC] vc_qsec_pm_log_cb:264 LOG-E Failed to switch to namespace global: Bad file descriptor fd -1
2024-10-07T18:42:16.841 |7943| ERROR    [VPN] iked_get_routing_instance:2673 Routing instance ID for qsec-vc-1 is invalid -1

 



This error indicates that QuickSec is attempting to open an entry in the /proc filesystem.
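
The following Python sketch is an added example, not part of the original article or of any VMware tooling. It scans gwd log lines for the two error signatures shown above and counts them per process ID. The line layout and message patterns are inferred from the excerpts, the function names are hypothetical, and the last sample line is constructed.

```python
import re
from collections import defaultdict

# Layout inferred from the excerpts: timestamp |pid| LEVEL [MODULE] function:line message
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \|(?P<pid>\d+)\| (?P<level>[A-Z]+)\s+\[(?P<module>\w+)\] "
    r"(?P<func>\w+):(?P<srcline>\d+) (?P<msg>.*)$"
)
# Message patterns taken from the log excerpts in this article.
NS_FAIL = re.compile(r"creating namespace fd -1|Failed to switch to namespace")
RI_FAIL = re.compile(r"routing instance", re.IGNORECASE)

def classify(msg):
    """Map an error message to one of the two signatures, or None."""
    if NS_FAIL.search(msg):
        return "namespace"
    if RI_FAIL.search(msg):
        return "routing_instance"
    return None

def triage(lines):
    """Count matching errors per gwd process ID; unrelated lines are ignored."""
    report = defaultdict(lambda: {"namespace": 0, "routing_instance": 0, "first": None})
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m["level"] not in ("ERR", "ERROR"):
            continue  # unparsable line or non-error level
        kind = classify(m["msg"])
        if kind is None:
            continue
        entry = report[m["pid"]]
        entry[kind] += 1
        entry["first"] = entry["first"] or m["ts"]  # timestamp of first match
    return dict(report)

# First six lines are copied from the excerpts above; the last one is constructed.
SAMPLE = [
    "2024-10-07T18:42:16.782 |7943| MSG    [CRYPTO] vc_qsec_log_post_status:318 QuickSec POST is passed",
    "2024-10-07T18:42:16.782 |7943| ERR    [QUICKSEC] vc_qsec_pm_log_cb:264 LOG-E Error 13 creating namespace fd -1",
    "2024-10-07T18:42:16.782 |7943| ERR    [QUICKSEC] vc_qsec_pm_log_cb:264 LOG-E Failed to switch to namespace global: Bad file descriptor fd -1",
    "2024-10-07T18:42:16.841 |7943| ERROR    [VPN] iked_get_routing_instance:2673 Routing instance ID for qsec-vc-1 is invalid -1",
    "2024-10-07T18:08:37.894 |23291| ERR     [VPN] conf_handler_io_read:3480 Cannot get qsec-vc-1 routing instance. Return",
    "2024-10-07T18:08:37.894 |23291| ERR     [QUICKSEC] vc_qsec_pm_log_cb:264 LOG-E Failed creating routing instance qsec-vc-1, id -1 pointer 0.",
    "2024-10-07T18:08:38.000 |23291| ERR     [NET] example_func:1 constructed unrelated error",
]

if __name__ == "__main__":
    for pid, counts in triage(SAMPLE).items():
        print(pid, counts)
```

A process ID that shows namespace errors at startup followed by routing-instance errors matches the pattern described in this article.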

 

Environment

Partner Gateway running 5.2.3.4 with FIPS STRICT mode.

Cause

This is a new software bug, tracked as ISSUE-152385.

 

 


Resolution

GA releases to include the fix:

5.2.5.0
5.4.1.0
6.0.1.0
6.1.1.0