
No further reproduction or networking is permitted. Distributed by Nokia.

Copyrighted material licensed to muhammad-adil.murad@450connect.de on 17-10-2023.


TS-5G-SW-0031: Connectivity lost on sites with IPsec on ASIK
Radio Network

TS-5G-SW-0031
Issue 1.0 APPROVED
Approved on 2023-02-08

Single RAN Technical Support Notes Library

Maintenance Documentation, Issue 01

© 2023 Nokia. Nokia Condential Information. Use subject to agreed restrictions on disclosure and use.
Nokia is committed to diversity and inclusion. We are continuously reviewing our customer
documentation and consulting with standards bodies to ensure that terminology is inclusive
and aligned with the industry. Our future customer documentation will be updated
accordingly.

This document includes Nokia proprietary and confidential information, which may not be
distributed or disclosed to any third parties without the prior written consent of Nokia. This
document is intended for use by Nokia’s customers (“You”/”Your”) in connection with a
product purchased or licensed from any company within Nokia Group of Companies. Use this
document as agreed. You agree to notify Nokia of any errors you may find in this document;
however, should you elect to use this document for any purpose(s) for which it is not
intended, You understand and warrant that any determinations You may make or actions
You may take will be based upon Your independent judgment and analysis of the content of
this document.

Nokia reserves the right to make changes to this document without notice. At all times, the
controlling version is the one available on Nokia’s site.

No part of this document may be modified.

NO WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
ANY WARRANTY OF AVAILABILITY, ACCURACY, RELIABILITY, TITLE, NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, IS MADE IN RELATION TO THE
CONTENT OF THIS DOCUMENT. IN NO EVENT WILL NOKIA BE LIABLE FOR ANY DAMAGES,
INCLUDING BUT NOT LIMITED TO SPECIAL, DIRECT, INDIRECT, INCIDENTAL OR
CONSEQUENTIAL OR ANY LOSSES, SUCH AS BUT NOT LIMITED TO LOSS OF PROFIT,
REVENUE, BUSINESS INTERRUPTION, BUSINESS OPPORTUNITY OR DATA THAT MAY ARISE
FROM THE USE OF THIS DOCUMENT OR THE INFORMATION IN IT, EVEN IN THE CASE OF
ERRORS IN OR OMISSIONS FROM THIS DOCUMENT OR ITS CONTENT.

Copyright and trademark: Nokia is a registered trademark of Nokia Corporation. Other
product names mentioned in this document may be trademarks of their respective owners.

© 2023 Nokia.

Table of Contents

1 Technical Note Information

Summary of changes

Contact

2 Purpose

3 Validity
3.1 Impacted technology
3.2 Impacted system and SW releases
3.3 Impacted products
3.4 Impacted HW Unit/Version
3.5 Related features
3.6 Related Alarms

4 Keywords

5 Executive summary

6 Detailed description
6.1 Enabling/disabling the SSH access
6.2 Examples of number of days to exhaust the value in "available"

7 Solution and correction instructions
7.1 Correction availability
7.2 Short term workaround

8 References
8.1 Related Case ID
1. Technical Note Information

Technical Support Note

TS-5G-SW-0031

Connectivity lost on sites with IPsec on ASIK

Radio Network

Radio Network Solutions

Single RAN (5G)

Approval date: 2023-02-08

This document contains following type of information

Informative

Preventive X

Corrective

Additional categorization

Urgent

Security

Release Upgrade

SW Update

Parametrization X

Information is classified as

Internal

X


Customer Specific
All Customers
Summary of changes

Date Version Change

2023-02-08 1.0 Approved version
Contact

Contact your local Nokia support.

2. Purpose

This document contains generic information about products. These can be instructions that
explain problem situations in the field, instructions on how to prevent or how to recover from
problem situations, announcements about changes or preliminary information as requirements
for new features or releases.

3. Validity

3.1 Impacted technology

Technology Impact

GSM/EDGE

WCDMA

Small Cells

Single RAN X

Nokia Core

Nokia Public Sector

Data Center and Cloud Infrastructure

5G

Wi-Fi

Factory Delivery SW

3.2 Impacted system and SW releases

Tip:
The presented validity information includes the currently active software. The section is
re-assessed prior to every new System Release availability.

System Release Product SW Release(s)

22R3-SR 22R3-SR (5G - related): lower than 22R3-SR 3.2.2

22R4-SR 22R4-SR (5G - related): lower than 22R4-SR 2.0

23R1-SR 23R1-SR (5G - related): lower than 23R1-SR 4.0PD

3.3 Impacted products

Product

Single RAN (5G)

3.4 Impacted HW Unit/Version

HW Unit Product code Version(s)

ASIK 474021A 101, 102

3.5 Related features

Feature ID Feature name

5GC000264 IPsec for Backhaul

3.6 Related Alarms

Alarm number/fault ID Alarm/fault name Severity

4449047 / 9047 NE3SWS AGENT NOT RESPONDING TO REQUESTS CRITICAL

4. Keywords

IPsec | ASIK | 9047 |

5. Executive summary

On sites running SW 22R3-SR or later with IPsec on ASIK, NetAct may report alarm
9047: NE3SWS AGENT NOT RESPONDING TO REQUESTS, and connectivity is lost. To
restore the KPI, a site reset is needed.

This Technical Support Note provides information about affected HW and SW as well as the
procedure which can be executed in order to minimize the service impact of this problem.

6. Detailed description

When IPsec is created for a 5G SA, a crypto session is required. It contains immutable data for
that particular 5G SA. The Security association maximum lifetime (saMaxLifeTime)
parameter defines the rekey value that is configured in the system. During rekey, a new 5G SA is
created, and a new crypto session is required with updated immutable data. In ASIK, DPDK uses
cryptodev, which creates the session on demand once traffic flows on the particular 5G SA.

In the connectivity lost scenario, the crypto session linked to the old 5G SA is not cleaned up
after rekey. This exhausts the crypto session limit (20000 sessions/context). Once the limit is
exhausted, a crypto session cannot be created for a newly created 5G SA. This results in traffic
drop, and if MPlane is protected via IPsec, NetAct can be unreachable.

The saMaxLifeTime parameter default value is "86400", which is the maximum of its range. It
should be configured to be lower than the Phase-2/CHILD_SA rekey configured on the peer node.
As a preventive action for the issue, the saMaxLifeTime parameter value can be increased while
still keeping it lower than the value on the peer node. As a result, there are fewer rekeys per
day, so fewer of the available sessions are used.

The connectivity lost issue is observed only on 5G sites with IPsec activated for ASIK.

The issue can be checked at runtime by logging in to the BTS and executing the following CLI command:

/opt/trs/bin/trs-vppctl show dpdk crypto pools | grep -A4 session_h_pool_numa0

Note:
To execute the CLI command, the Secure Shell (SSH) access is needed. For more
information, see the Enabling/disabling the SSH access section.

Example of the output message:

session_h_pool_numa0

available 200, allocated 19800 total 20000

iova 0x43f375140, flags 00000010, nb_mem_chunks 1

elt_size 192, header_size 64, trailer_size 64

private_data_size 64, total_elt_size 320

In the output message, the "available" value indicates whether the issue is present. When the
"available" value decreases, the "allocated" value increases.

If "available" for the crypto session is zero, or keeps decreasing over a period of more than
one day (depending on the rekey time and the traffic on newly created SAs), it can be
assumed that the issue exists and that connectivity to the core will be impacted. For more
information, see the Examples of number of days to exhaust the value in "available" section. If it
is identified that "available" for the crypto session is about to become zero, a remote reset can
be done to avoid the connectivity lost issue.

The correction is planned to be delivered from 22R3-SR onwards, as described in the Correction
availability section.

6.1 Enabling/disabling the SSH access

1. Enable SSH and root access.
   Set the systemAcctPermEnable parameter value to "FALSE".
   Set the actServiceAccountSsh parameter value to "TRUE".
2. Read crypto pools value.
3. Disable SSH and root access.
   Set the systemAcctPermEnable parameter value to "TRUE".
   Set the actServiceAccountSsh parameter value to "FALSE".

6.2 Examples of number of days to exhaust the value in "available"

If the number of SAs is less than 16, the calculation results in a higher number of days to
exhaust the value in "available".

The value changes based on:

Number of SAs in the system.
Value of the rekey.

Example of calculations for SA = 16

Rekey value = 2hr (assumption)
Number of rekey in 24 hrs = 12
Number of SA = 16 (assumption)
Number of context = Context used for initial SA + Context used for rekey = 32 + (12*16)*2
Number of days = ((20000-32)/384) = 52 days

Here the number of SA is 16, so 16*2 = 32 contexts/sessions are used for the SAs installed at
the beginning.
Per day there are 12 rekeys (24 hr / 2 hr).
Since there are 16 SAs and each is rekeyed 12 times, 16*12 = 192 SAs.
Contexts/sessions for these rekeyed SAs per day = 192*2 = 384.
The calculation is (20000 - 32)/384 because 32 is constant and consumed only the first time,
while 384 is consumed per day.

Example of calculations for SA = 5


Rekey value = 2hr
Number of rekey in 24 hrs = 12
Number of SA = 5
Number of context = Context used for initial SA + Context used for rekey = 5*2 + (12*5)*2
Number of days = ((20000-10)/120) = 166 days

7. Solution and correction instructions

7.1 Correction availability

Technology Product Correction delivery Correction comments

Single RAN Single RAN (5G) 23R1-SR (5G - related) 4.0PD

Single RAN Single RAN (5G) 22R4-SR (5G - related) 2.0

Single RAN Single RAN (5G) 22R3-SR (5G - related) 3.2.2

7.2 Short term workaround

If it is identified that the available crypto sessions are about to reach zero, a remote reset
can be done to avoid the connectivity lost issue.

The reset can be done during the maintenance window, depending on the number of Security
Associations (SAs), as follows:
For 100 SAs, reset in the maintenance window can be done if the "available" value is equal to 200.
For 1000 SAs, "available" equal to 2000 is enough to have the issue.

For smaller numbers, the reset should be done immediately so as not to lose the connection.
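
The section 6.2 calculation and the thresholds above can be scripted against the output of the crypto pools command. This is an added example, not Nokia code: the function names are hypothetical, the factor of 2 sessions per SA is taken from the calculation in section 6.2, and the time-left figure is a worst case that assumes every SA carries traffic after each rekey.

```python
import math
import re

SESSIONS_PER_SA = 2  # the note's calculation counts 2 contexts/sessions per SA

# Constructed sample: the example output shown in section 6 of this note.
SAMPLE = """session_h_pool_numa0
available 200, allocated 19800 total 20000
iova 0x43f375140, flags 00000010, nb_mem_chunks 1
elt_size 192, header_size 64, trailer_size 64
private_data_size 64, total_elt_size 320
"""

POOL_RE = re.compile(r"available\s+(\d+),\s*allocated\s+(\d+),?\s*total\s+(\d+)")

def parse_pool(text, pool="session_h_pool_numa0"):
    """Return (available, allocated, total) for the named pool."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        if line == pool:
            for follow in lines[i + 1:i + 5]:
                m = POOL_RE.search(follow)
                if m:
                    avail, alloc, total = map(int, m.groups())
                    if avail + alloc != total:
                        raise ValueError("counters do not add up; output truncated?")
                    return avail, alloc, total
    raise ValueError(f"pool {pool!r} not found in output")

def days_to_exhaust(n_sa, rekey_hours, total=20000):
    """Days from a reset until the pool is empty, as in section 6.2."""
    initial = n_sa * SESSIONS_PER_SA                       # SAs installed at start
    per_day = n_sa * (24 / rekey_hours) * SESSIONS_PER_SA  # not cleaned up, per day
    return math.floor((total - initial) / per_day)

def rekey_rounds_left(available, n_sa):
    """Full rekey rounds of all SAs that the remaining sessions still cover."""
    return available // (n_sa * SESSIONS_PER_SA)

def assess(text, n_sa, rekey_hours):
    """Worst-case time left, assuming every SA carries traffic after each rekey."""
    available, _, _ = parse_pool(text)
    rounds = rekey_rounds_left(available, n_sa)
    return {"available": available, "rounds_left": rounds,
            "hours_left": rounds * rekey_hours}

if __name__ == "__main__":
    print(days_to_exhaust(16, 2), days_to_exhaust(5, 2))
    print(assess(SAMPLE, n_sa=16, rekey_hours=2))
```

With the thresholds above, `rekey_rounds_left` returns 1 for both 100 SAs at "available" 200 and 1000 SAs at "available" 2000, that is, one rekey round remains before the pool is empty.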

8. References

8.1 Related Case ID

Related CASE number Related CASE name

02855443 9047 on multiple sites and resolved only after power cycle [SWM][01/2023]
