A SA is in-use if it is referred to by a policy. Remove it from the policy and no more traffic will use it. If you’re doing that with the workers running, then wait one worker loop before deleting the SA.
/neale From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of jiangxiaoming via lists.fd.io <jiangxiaoming=outlook....@lists.fd.io> Date: Monday, 21 November 2022 at 12:30 To: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> Subject: Re: [vpp-dev] There is bug in esp decrypt Hi neale, Currently there is only one way detecting whether the sa is in using by checking sa counter. But if the ike is timeout and is rekeying the sa which first used by ipsec4-input-feature, the sa may has been deleted in esp_encrypt node. I rewrite the ike plugin, in my test case, there are 10k ike sessions with 20k sa in ipsec layer, and the ike timeout is 30s sa rekey timeout is 10s. The esp_encrypt node crashed frequently.
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#22223): https://lists.fd.io/g/vpp-dev/message/22223 Mute This Topic: https://lists.fd.io/mt/95086868/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/leave/1480452/21656/631435203/xyzzy [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-