moby: Docker Swarm encrypted overlay network doesn't work with current Debian kernel 5.10.103-1

Description

After upgrading the kernel from 5.10.0-11-amd64 #1 SMP Debian 5.10.92-2 to 5.10.0-12-amd64 #1 SMP Debian 5.10.103-1, the encrypted overlay network between the nodes ends in error.

Steps to reproduce the issue:

  1. Use: the current Debian kernel (5.10.0-12-amd64 SMP Debian 5.10.103-1)
  2. Use: Docker 20.10.13
  3. docker network create -d overlay --opt encrypted=true TestNet
  4. Start containers with the network

Describe the results you received:

  • No TCP Connection between the containers possible
  • Log output:

Mar 10 14:18:31 srv01 dockerd[1297]: time="2022-03-10T14:18:31.277303894+01:00" level=warning msg="Failed Adding rSA{Dst: 10.55.2.11, Src: 10.55.2.10, Proto: esp, Mode: transport, SPI: 0xd457eb22, ReqID: 0xd0c4e3, ReplayWindow: 0, Mark: <nil>, OutputMark: 0, Ifid: 0, Auth: <nil>, Crypt: <nil>, Aead: {Name: rfc4106(gcm(aes)), Key: , ICV length: 64}, Encap: <nil>, ESN: false}: invalid argument"

Mar 10 14:18:31 srv01 dockerd[1297]: time="2022-03-10T14:18:31.277371111+01:00" level=warning msg="Failed Adding fSA{Dst: 10.55.2.10, Src: 10.55.2.11, Proto: esp, Mode: transport, SPI: 0x29ad0c9a, ReqID: 0xd0c4e3, ReplayWindow: 0, Mark: <nil>, OutputMark: 0, Ifid: 0, Auth: <nil>, Crypt: <nil>, Aead: {Name: rfc4106(gcm(aes)), Key: , ICV length: 64}, Encap: <nil>, ESN: false}: invalid argument."

Mar 10 14:18:31 srv01 dockerd[1297]: time="2022-03-10T14:18:31.277415765+01:00" level=warning msg="Adding fSP{{Dst: 10.55.2.10/32, Src: 10.55.2.11/32, Proto: 17, DstPort: 4789, SrcPort: 0, Dir: dir out, Priority: 0, Index: 0, Action: allow, Ifindex: 0, Ifid: 0, Mark: (0xd0c4e3,0xffffffff), Tmpls: [{Dst: 10.55.2.10, Src: 10.55.2.11, Proto: esp, Mode: transport, Spi: 0x29ad0c9a, Reqid: 0xd0c4e3}]}}: invalid argument"

Describe the results you expected:

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version: Docker-ce 20.10.13

Additional environment details (AWS, VirtualBox, physical, etc.):

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 19 (1 by maintainers)

Most upvoted comments

For us, networking in a Hetzner swarm did not work with linux-image-5.4.0-117-generic, but worked with linux-image-5.4.0-113-generic. Is the patch already merged?

Hello,

I just downloaded version 5.4.0-110-generic for Ubuntu 20.04 and it doesn’t fix the communication issue on encrypted overlay networks.
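
A log check for the failure reported in this thread, added here as an example and not taken from the issue or from moby: it scans dockerd journal lines for the rejected SA and policy warnings quoted in the description and groups them by node pair, so an operator can see which peers have no working IPsec state after a kernel change. The sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the three warning shapes quoted in the issue: "Failed Adding rSA{...}",
# "Failed Adding fSA{...}" and "Adding fSP{{...}}", each ending in ": <error>".
WARNING = re.compile(
    r'msg="(?:Failed )?Adding (?P<kind>rSA|fSA|fSP)\{+'
    r'Dst: (?P<dst>[\d.]+)(?:/\d+)?, Src: (?P<src>[\d.]+)(?:/\d+)?,'
    r'.*\}: (?P<err>[^"]+?)\.?"\s*$'
)

def ipsec_failures(lines):
    """Return one dict per dockerd warning about a rejected IPsec SA or policy."""
    hits = []
    for line in lines:
        # Logs pasted through web pages often carry typographic quotes.
        line = line.replace("\u201c", '"').replace("\u201d", '"')
        m = WARNING.search(line)
        if m:
            hits.append(m.groupdict())
    return hits

def broken_peer_pairs(lines):
    """Map each unordered node pair to the set of xfrm objects that failed."""
    pairs = defaultdict(set)
    for hit in ipsec_failures(lines):
        pairs[tuple(sorted((hit["src"], hit["dst"])))].add(hit["kind"])
    return dict(pairs)

# Constructed sample input, shortened from the format of the lines in the issue.
SAMPLE = [
    'Mar 10 14:18:31 node1 dockerd[1]: time="2022-03-10T14:18:31+01:00" level=warning '
    'msg="Failed Adding rSA{Dst: 10.0.0.2, Src: 10.0.0.1, Proto: esp, Mode: transport, '
    'SPI: 0x1, ReqID: 0xd0c4e3, Aead: {Name: rfc4106(gcm(aes)), Key: }, ESN: false}: invalid argument"',
    'Mar 10 14:18:31 node1 dockerd[1]: time=\u201c2022-03-10T14:18:31+01:00\u201d level=warning '
    'msg=\u201cFailed Adding fSA{Dst: 10.0.0.1, Src: 10.0.0.2, Proto: esp, Mode: transport, '
    'SPI: 0x2, ReqID: 0xd0c4e3, ESN: false}: invalid argument.\u201d',
    'Mar 10 14:18:31 node1 dockerd[1]: time="2022-03-10T14:18:31+01:00" level=warning '
    'msg="Adding fSP{{Dst: 10.0.0.1/32, Src: 10.0.0.2/32, Proto: 17, DstPort: 4789, '
    'Tmpls: [{Dst: 10.0.0.1, Src: 10.0.0.2, Proto: esp}]}}: invalid argument"',
    'Mar 10 14:18:32 node1 dockerd[1]: time="2022-03-10T14:18:32+01:00" level=info '
    'msg="unrelated constructed line"',
]

if __name__ == "__main__":
    for pair, kinds in broken_peer_pairs(SAMPLE).items():
        print(pair, "missing IPsec state:", ", ".join(sorted(kinds)))
```
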