BugZero | Red Hat BugID RHEL-89969 - Duplicate Child SAs causing IPsec broken for OCP c...

Red Hat - Defect ID: RHEL-89969

Duplicate Child SAs causing IPsec broken for OCP cluster [RHEL-10]

Red Hat - Defect ID: RHEL-89969

Duplicate Child SAs causing IPsec broken for OCP cluster [RHEL-10]

Last updated on February 23rd, 2026

BugZero Risk Score
7.6 High

Overall: 7.6

Severity: 8.2

Community: 6.9

Lifecycle: 9.1

What is the BugZero Risk Score?

Red Hat Integration

Learn more about where this data comes from

Red Hat Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Priority: Critical
Status: Release Pending
Impact Category: libreswan

Description

Issue

What were you trying to do that didn't work? While testing IPsec with 250/500 node cluster, seeing traffic over IPsec tunnels are broken, it happens with few pair of nodes, caused by duplicate child SAs present on one end and corresponding SA not found on the other side. Slack thread: https://redhat-internal.slack.com/archives/C08DNAFC85T/p1745906230814439 Libreswan upstream issue: https://github.com/libreswan/libreswan/issues/2184 What is the impact of this issue to you? This is a kind of regression issue in OCP 4.19.0 on a scaled cluster, was not seen with Libreswan 4.6 in previous OCP releases. Please provide the package NVR for which the bug is seen: Libreswan 5.12 How reproducible is this bug?: Always Steps to reproduce Expected results pod to pod connectivity should always work on a IPsec enabled cluster. Actual results pod to pod connectivity connectivity is broken.

Release Notes

No. of Comments

Resolution

Unresolved

Change history

2026-02-23 Added: 10.1

2026-02-23 Removed: 9.6

2025-08-21 Added: 9.6

Links

Relevant Products

Click on a version to see all relevant bugs

Affected versions:10.1

Fixed versions: 10.2

Relevant Products

Click on a version to see all relevant bugs

Affected versions:10.1

Fixed versions: 10.2

Top Red Hat Defects

9.2Defect ID: RHEL-150350
No package glibc-common compatibile with glibc-minimal-langpack: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/g/
9.0Defect ID: RHEL-151486
Requiring a higher version of package that is part of "base" transaction causes depsolve errors
9.0Defect ID: RHEL-152199
Unable to setup vncserver following our documentation
7.6Defect ID: RHEL-89969
Duplicate Child SAs causing IPsec broken for OCP cluster [RHEL-10]
7.6Defect ID: RHEL-86459
spurious warning printed when connecting to 'esx://' URI without trailing slash

Ready to prevent the next vendor outage?

Get a demo

Red Hat - Defect ID: RHEL-89969

Duplicate Child SAs causing IPsec broken for OCP cluster [RHEL-10]

Red Hat - Defect ID: RHEL-89969

Duplicate Child SAs causing IPsec broken for OCP cluster [RHEL-10]

Last updated on February 23rd, 2026

BugZero Risk Score7.6 High

Bug Details

Issue

Release Notes

No. of Comments

Resolution

Links

Top Red Hat Defects

Ready to prevent the next vendor outage?

BugZero Risk Score
7.6 High