Troubleshooting
Problem
The ipfilter subsystem may hang if ipsec/mkfilt is used concurrently and vice varsa i.e ipsec subsystem may also hangs if ipfilter is used concurrently.
Symptom
The ipfilter subsystem ( Firewall service ) may hang or not function correctly if IPsec is also used concurrently. This seems to be a legacy problem and is being experienced right from the base version.
While using ipfilter firewall services we should also avoid commands which makes use of mkfilt ( to activate filter rules )such as cfgmgr/ipsec commands. This will lead to freezing of ipfilter.
While using ipfilter firewall services we should also avoid commands which makes use of mkfilt ( to activate filter rules )such as cfgmgr/ipsec commands. This will lead to freezing of ipfilter.
Cause
Cause of the problem is ipsec/mkfilt is directly replacing the filter hooks even though it is being used by ipfilter.
Since hooks are replaced ipfilter subsystem will freeze.
Similarly if ipsec is being used and if ipfilter is started this will replace the hooks with ipfilter hooks causing ipsec to stop working.
Since hooks are replaced ipfilter subsystem will freeze.
Similarly if ipsec is being used and if ipfilter is started this will replace the hooks with ipfilter hooks causing ipsec to stop working.
Environment
This is the legacy problem
In AIX.
Components impacted : Communication Applications->IPFILTERS, Security->IPSEC/IKE
Diagnosing The Problem
ipsec/mkfilt is directly replacing the filter hooks even though it is being used by ipfilter.
Since hooks are replaced ipfilter subsystem will freeze.
Similarly if ipsec is being used and if ipfilter is started this will replace the hooks with ipfilter hooks causing ipsec to stop working.
Since hooks are replaced ipfilter subsystem will freeze.
Similarly if ipsec is being used and if ipfilter is started this will replace the hooks with ipfilter hooks causing ipsec to stop working.
Resolving The Problem
At the moment this is a limitation.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Author: Manjunath Madiwalar
Operating System:
Hardware: Power
Feedback: aix_feedback@wwpdl.vnet.ibm.com,mamadiwa@in.ibm.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Document Location
Worldwide
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG10","label":"AIX"},"ARM Category":[{"code":"a8m0z000000cvxVAAQ","label":"Communication Applications->IPFILTERS"},{"code":"a8m0z000000cvziAAA","label":"Security->IPSEC\/IKE"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}}]
Was this topic helpful?
Document Information
Modified date:
20 July 2020
UID
ibm16246037