Service Engine crashes when Virtual Service packet capture with capture session key is enabled in FIPS mode

Article ID: 391900

Updated On:

Products

VMware Avi Load Balancer

Issue/Introduction

Service Engine crashes when Virtual Service packet capture with capture session key is enabled in FIPS mode. 

Environment

Avi deployments in FIPS mode running a version < 30.2.3.

Cause

In an environment with FIPS mode enabled, if Virtual Service packet capture is enabled with the capture session key knob checked and the Service Engine receives a connection whose SSL handshake was incomplete or failed, the result can be a Service Engine failure.

Resolution

The stack trace will include the function ngx_get_ssl_session_key. It should be present in the initial (#0) method calls.

Sample stack trace:





To investigate further, you can review the latest stack traces from the Controller or SE by accessing the following path:

CLI:

Log in to the Controller via SSH and run this command. Note that you have to replace the name of the se_dp file here.

root@<Controller ip>:#  cat /opt/avi/archive/stack_traces/<se_dp.timestamp>.stack_trace
 
UI:
Navigate to Administration > Support > Crash Reports and expand the latest crash file.
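
A triage helper for the check described above, added here as an example and not VMware tooling: it reports which stack trace files name ngx_get_ssl_session_key in their first frames. The gdb-style "#<n>" frame layout, the MAX_FRAME cutoff and the sample trace are assumptions; only the function name and the directory come from this article.

```shell
#!/bin/sh
# Added triage example; not VMware tooling.
# Assumption: trace files contain gdb-style frame lines beginning with "#<n>".
SIG_FUNC="ngx_get_ssl_session_key"  # function named in this article
MAX_FRAME=3                         # assumption: "initial" means frames #0..#3

# Constructed sample trace; addresses and caller names are placeholders.
sample_trace() {
cat <<'EOF'
Thread 1 (constructed sample):
#0  0x0000000000000000 in ngx_get_ssl_session_key ()
#1  0x0000000000000000 in placeholder_caller_a ()
#2  0x0000000000000000 in placeholder_caller_b ()
EOF
}

# Print the lowest frame number whose line names SIG_FUNC as a whole
# identifier; exit status 1 if no frame names it.
first_matching_frame() {
    awk -v fn="$SIG_FUNC" '
        /^[ \t]*#[0-9]+[ \t]/ {
            n = $1; sub(/^#/, "", n)
            if ($0 ~ ("(^|[^A-Za-z0-9_])" fn "([^A-Za-z0-9_]|$)") &&
                (best == "" || n + 0 < best + 0)) best = n
        }
        END { if (best == "") exit 1; print best }
    ' "$1"
}

# Classify one file: "match" (named in frames #0..MAX_FRAME), "deep" (named
# only in a later frame) or "absent" (not named in any frame).
classify_trace() {
    if ! frame=$(first_matching_frame "$1"); then
        echo "absent"
    elif [ "$frame" -le "$MAX_FRAME" ]; then
        echo "match"
    else
        echo "deep"
    fi
}

# Classify every *.stack_trace file in a directory (default: path from this article).
scan_traces() {
    dir="${1:-/opt/avi/archive/stack_traces}"
    for f in "$dir"/*.stack_trace; do
        [ -e "$f" ] || continue
        printf '%s\t%s\n' "$(classify_trace "$f")" "$f"
    done
}

if [ "$#" -gt 0 ]; then scan_traces "$1"; fi
```

Run it with a directory argument to list each trace file with its classification; files reported as "match" are the ones to compare against this article.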
 
 
Workaround: Do not enable Virtual Service packet capture with the capture session key knob checked in FIPS mode.

Fix: The issue is resolved in these versions: 30.2.2-2p4