AnsweredAssumed Answered

LS1021A CAAM errors when using aes

Question asked by tuomasph on Nov 7, 2017
Latest reply on Nov 30, 2017 by tuomasph

I'm getting CAAM crypto hardware errors when using IPsec VPN and aes encryption:

caam_jr 1720000.jr: 40002d1c: DECO: desc idx 45: DECO Watchdog timer timeout error

Different ipsec clients have been tested with the same result. aes encryption is the only one that causes this. Other methods like 3DES works.

 

My setup:

  • LS1021A fls-sdk v2.0-1701 (kernel 4.1.35)
  • lan interface: eth2
  • wan interfaces: eth1 and wlan0 (pcie1)

 

VPN client is configured to tunnel traffic from eth2 interface.  This error only occurs when trying to ping from the device using eth2 address as the ping source:

ping -I <eth2 address> <internet ping target>

Traffic from eth2 interface is encrypted and goes out from wlan0 interface, only pings originating from the ls1021a with source address causes errors and packets are lost.

 

Pings and traffic work if eth1 wan is used.

 

Also if hardware crypto is disabled, no errors and everything works as it should.

 

Something is happening to the traffic originating from the ls1021a device that causes crypto hardware errors.

 

Attached are debug output from CAAM. The interesting part is in the beginning of each debug files when first aead_encrypt_done function is called. After failing at encryption, CAAM starts to encrypt again but cryptlen has increased by 80 and continues to fail 13 times before giving up. Cryptlen increases by 80 after each failed attempt.

 

Same thing happens with eth1 wan when trying to ping with packet size greater than 1400. 

ping -s 1400 -I <eth2 address> <internet ping target>

This should be easy to test with any setup with IPsec and CAAM hardware.

Outcomes