Solaris 10 7/07 HW Release Notes

Race Condition Between EF/kcfd and IPsec Algorithm Availability (6266083)

Systems running the Solaris 10 3/05 HW1 release might experience problems with IPsec. The problem might occur on a freshly installed system or on a system that imports a large number of new Service Management Facility (SMF) manifests during boot. Under these boot conditions, IPsec, which is part of svc:/network/initial:default, might be initialized before the encryption framework, which is part of svc:/system/cryptosvc:default. Because the authentication or encryption algorithms are not yet available, creation of IPsec security associations might fail with an error message such as the following:

    PF_KEY error: type=ADD, errno=22:
    Invalid argument, diagnostic  code=40:
    Unsupported authentication algorithm

For example, this error might occur when using DR on a Sun Fire E25K system, which involves IPsec services.

Workaround: Before performing operations that use IPsec services, perform the following steps after a boot that imports a large number of new SMF manifests:

  1. Issue this command after booting:

    ipsecalgs -s

  2. If /etc/inet/secret/ipseckeys exists on the system, also issue this command:

    ipseckey -f /etc/inet/secret/ipseckeys

Now you can perform actions that create IPsec security associations, such as using DR on a Sun Fire E25K system.

This procedure needs to be repeated only when a large number of new SMF manifests are imported during the boot.
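
The workaround steps above as a script, added here as an example and not part of the release notes: it first waits until svc:/system/cryptosvc:default reports online, then runs the two commands in order. The function names, the `run` argument, the retry count and the polling interval are assumptions; backticks and `expr` are used so that the script also parses under the Solaris 10 Bourne shell.

```sh
#!/bin/sh
# Added example (not from the release notes): post-boot IPsec resync. Run as root.
# Function names, the "run" argument, retry count and poll interval are assumptions.
CRYPTO_FMRI=svc:/system/cryptosvc:default
KEYFILE=${KEYFILE:-/etc/inet/secret/ipseckeys}

# Poll SMF until the encryption framework is online; $1 = maximum attempts.
wait_for_cryptosvc() {
    max=${1:-30}
    i=0
    while [ "$i" -lt "$max" ]; do
        state=`svcs -H -o state "$CRYPTO_FMRI" 2>/dev/null`
        [ "$state" = "online" ] && return 0
        i=`expr "$i" + 1`
        sleep "${POLL_SECONDS:-2}"
    done
    return 1
}

# Returns 0 on success, 1 if cryptosvc never came online,
# 2 if "ipsecalgs -s" failed, 3 if loading the key file failed.
resync_ipsec() {
    wait_for_cryptosvc "${1:-30}" || {
        echo "cryptosvc is not online; skipping IPsec resync" >&2
        return 1
    }
    # Step 1 of the workaround.
    ipsecalgs -s || return 2
    # Step 2 of the workaround: only if the key file exists.
    if [ -f "$KEYFILE" ]; then
        ipseckey -f "$KEYFILE" || return 3
    fi
    return 0
}

# Execute only when called as: sh <script> run
if [ "${1:-}" = "run" ]; then
    resync_ipsec
    exit $?
fi
```

A non-zero exit status tells the caller not to start operations that create IPsec security associations yet.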