Solaris 10 10/09 Release Notes

DR and showdevices Do Not Work After XSCF Reboot (6821108)

After rebooting the XSCF service processor on OPL systems, IPsec communications are lost. The following error message is seen on the XSCF service processor:

XSCF> showdevices -d 0

Can't get device information from DomainID 0.

The following message is seen in the /var/adm/messages file on the domain:

Apr  7 11:19:20 domain-0 sckmd: [ID 205163 daemon.error] 
PF_KEY error: type=ADD, errno=17: File exists, diagnostic code=0: No diagnostic

This problem occurs because the existing Security Associations (SAs) on the domain are not deleted properly, so the addition of the new SAs fails.

Workaround 1: Reboot the XSCF service processor twice. Half the SAs are deleted the first time and the remaining half are deleted the second time. The second addition succeeds and IPsec communication is reestablished.

Workaround 2: Delete the IPsec SAs twice on each domain before rebooting the service processor.

If you do not use IPsec for anything else on the system, the ipseckey flush will display all the SAs. If you use IPsec for other things, perform the following steps to display all SAs:

  1. Get the IP addresses:

     # /usr/platform/SUNW,SPARC-Enterprise/sbin/prtdscp
     Domain Address: 192.168.224.2
     SP Address: 192.168.224.1

  2. Delete the SPIs twice using the ipseckey and prtdscp utilities:

     # ipseckey delete ah spi 0xff00 dst `/usr/platform/SUNW,SPARC-Enterprise/sbin/prtdscp -s`
     # ipseckey delete ah spi 0xff00 dst `/usr/platform/SUNW,SPARC-Enterprise/sbin/prtdscp -s`

     # ipseckey delete ah spi 0xff dst `/usr/platform/SUNW,SPARC-Enterprise/sbin/prtdscp -d`
     # ipseckey delete ah spi 0xff dst `/usr/platform/SUNW,SPARC-Enterprise/sbin/prtdscp -d`

     When the service processor reboots, the keys are added correctly.
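The two steps of Workaround 2 as a single script, added here as an example and not part of the release note. It assumes the prtdscp output format and the two AH SPIs (0xff00 toward the SP, 0xff toward the domain) shown above, falls back to a constructed prtdscp sample when the utility is not installed, and runs every delete twice as the workaround requires.

```sh
#!/bin/sh
# Added example, not part of the release note: Workaround 2 as a script.
# Assumes the prtdscp output format shown in the note ("Domain Address: ..."
# and "SP Address: ...") and the two AH SPIs it names: 0xff00 toward the
# SP address and 0xff toward the domain address. DRY_RUN=1 prints the
# ipseckey commands instead of running them.
PRTDSCP=/usr/platform/SUNW,SPARC-Enterprise/sbin/prtdscp

# Constructed sample of prtdscp output, used when prtdscp is not installed
# (for instance when rehearsing the procedure on a non-OPL host).
SAMPLE_PRTDSCP='Domain Address: 192.168.224.2
SP Address: 192.168.224.1'

# Read prtdscp-style text on stdin and print "<domain-addr> <sp-addr>".
# Fails if either address is missing, so nothing is deleted on bad input.
parse_prtdscp() {
    awk '/^Domain Address:/ { d = $3 } /^SP Address:/ { s = $3 }
         END { if (d == "" || s == "") exit 1; print d, s }'
}

# Print the ipseckey delete commands for both directions, each one twice:
# as the note describes, a single delete leaves stale SAs behind, and the
# second pass is what lets the XSCF re-add its SAs after the reboot.
delete_cmds() {
    dom=$1; sp=$2
    for sa in "0xff00 dst $sp" "0xff dst $dom"; do
        echo "ipseckey delete ah spi $sa"
        echo "ipseckey delete ah spi $sa"
    done
}

# Discover the addresses, then run (or print) the delete commands.
# A failing delete is reported but does not stop the remaining ones.
run_workaround() {
    if [ -x "$PRTDSCP" ]; then
        addrs=$("$PRTDSCP" | parse_prtdscp)
    else
        addrs=$(printf '%s\n' "$SAMPLE_PRTDSCP" | parse_prtdscp)
    fi || return 1
    set -- $addrs
    delete_cmds "$1" "$2" | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            $cmd || echo "warning: '$cmd' failed" >&2
        fi
    done
}
```

Run it with DRY_RUN=1 first on the domain to confirm the addresses and SPIs it resolved, then without it, and only then reboot the service processor.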