SRDB ID   Synopsis   Date
48232   Sun Fire[TM] 12K/15K: ip_fanout_tcp_listen: DR and CVC communication problems   30 Oct 2002

Status Issued

Description
- Problem Statement: 

DR and CVC communication attempts from the SC to the domain fail, and "ip_fanout_tcp_listen:" messages are logged on the domain

- Symptoms:

        - The messages "ip_fanout_tcp_listen: Dropping the datagram because
          the incoming packet is secure, but the recipient expects clear"
          appear in the domain logs
        - console(1M) will not connect to the domain via the network.
        - DR operations (e.g., rcfgadm, moveboard, etc.) don't work correctly
          from the SC and generate messages like this:

                DCA/DCS communication error

            

SOLUTION SUMMARY:
- Troubleshooting:

        NOTE:  All references to the SF15K apply equally to the SF12K.

        This problem has been reported for two reasons.  The first is
        that the domain was installed without the "OEM" package.  The second
        is that the domain was installed from a flash archive (flar) or
        any other archive which was not originally created on a SF15K domain.

        In both cases the file /etc/inet/ipsecinit.conf does not contain the
        sun-dr and cvc_hostd policy entries.  The SC still sends AH-protected
        traffic to those ports, but with no matching policy on the domain the
        listening service expects clear (unprotected) traffic, so IP drops the
        incoming segments and logs the "ip_fanout_tcp_listen" message quoted
        above.  The default entries are shown under "Additional background
        information" below.


- Resolution:

        To resolve this problem, remove and reinstall the SUNWsckmr package
        on the SF15K domain itself.  Its postinstall script re-creates the
        sun-dr and cvc_hostd entries in /etc/inet/ipsecinit.conf; the script
        only does so when it runs on a SF15K domain, which is why the package
        must be reinstalled on the domain rather than on the system the
        archive was created from.


- Summary of part numbers and patch IDs

- References and bug IDs

        kmd(1M)
        sckmd(1M)
        ipsec(7P)
        ipsecconf(1M)


- Additional background information:


        In the SF15K, the SC communicates with the domain using the I1 network
        in order to execute remote DR operations and to carry console
        activity (when cvcd is in networking mode).  For added security,
        this communication is protected using the IPSEC facilities in Solaris.
        Note that the policy shown below uses AH with MD5, which authenticates
        the traffic and protects its integrity but does not encrypt it.

        The IPSEC configuration needs to be set up on both the domain and the
        SC in order to work successfully.  On the SC, the SMS key management
        daemon (kmd) performs IPSEC configuration for DR and CVC traffic
        using the pf_key interface to IPSEC.  The configuration used to control
        this behavior in kmd is found in /etc/opt/SUNWSMS/config/kmd_policy.cf.

        The lines in kmd_policy.cf look like this:

                        sctodom|665|tcp|ah|md5|none| |sms-dca|
                        sctodom|442|tcp|ah|md5|none| |sms-dxs|

        IPSEC in the domain is managed by sckmd(1M), the configuration for which
        is contained in the file /etc/inet/ipsecinit.conf.  Entries for DR and
        CVC are added to this file by the postinstall script for the SUNWsckmr
        package.  These entries look like this:

                { dport sun-dr ulp tcp } permit { auth_algs md5 }
                { sport sun-dr ulp tcp } apply { auth_algs md5 sa unique }
                { dport cvc_hostd ulp tcp } permit { auth_algs md5 }
                { sport cvc_hostd ulp tcp } apply { auth_algs md5 sa unique }

        It is important to note that the postinstall script will only perform
        this configuration when the package is being installed on a SF15K
        domain.  A flar (or other) archive created somewhere other than a
        SF15K domain therefore carries an /etc/inet/ipsecinit.conf without
        these entries, and a domain installed from such an archive shows the
        problem documented in this article.
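
        The following shell script is an added example written for this
        article; it is not part of the SRDB entry, of SMS or of the SUNWsckmr
        package.  It checks an ipsecinit.conf for the four entries listed
        above, after stripping comments and collapsing whitespace so that
        indentation does not matter, and exercises the check on two
        constructed sample files: one carrying the default entries and one,
        as found on a domain installed from a foreign flar, missing the
        cvc_hostd entries.  The sample contents and the helper names
        (normalize_policy, check_sckm_policy, sckm_status) are this example's
        own.

```sh
#!/bin/sh
# Added example for this SRDB article; not part of SUNWsckmr or SMS.
# Checks an ipsecinit.conf for the four policy entries that the SUNWsckmr
# postinstall script adds on a SF12K/SF15K domain.

# Strip comments and collapse runs of whitespace so that the comparison
# does not depend on how the entries were indented.
normalize_policy() {
    sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' "$1"
}

# check_sckm_policy FILE
# Exit status 0 if every required entry is present, 1 otherwise; each
# missing entry is reported on stderr.
check_sckm_policy() {
    _file="$1"
    _rc=0
    _norm=`normalize_policy "$_file"`
    for _svc in sun-dr cvc_hostd; do
        # permit: inbound TCP to the service is accepted only when it is
        #         AH/MD5-authenticated.  Without this entry the listener
        #         expects clear traffic and IP drops the SC's secured
        #         segments (the ip_fanout_tcp_listen message).
        # apply:  outbound TCP from the service is AH/MD5-authenticated,
        #         with one SA per connection.
        for _rule in \
            "{ dport $_svc ulp tcp } permit { auth_algs md5 }" \
            "{ sport $_svc ulp tcp } apply { auth_algs md5 sa unique }"
        do
            if ! printf '%s\n' "$_norm" | grep -F -x -q "$_rule"; then
                echo "$_file: missing policy entry: $_rule" >&2
                _rc=1
            fi
        done
    done
    return $_rc
}

# Convenience wrapper that reports a single word on stdout.
sckm_status() {
    if check_sckm_policy "$1"; then echo ok; else echo broken; fi
}

# --- Constructed sample files (not taken from any real domain) -----------
TMPD=${TMPDIR:-/tmp}/sckm.$$
mkdir -m 700 "$TMPD" || exit 1
trap 'rm -rf "$TMPD"' 0

# As left by the SUNWsckmr postinstall script on a correctly installed
# domain (one entry deliberately indented differently).
GOOD="$TMPD/ipsecinit.conf.good"
cat > "$GOOD" <<'EOF'
#
# ipsecinit.conf  (constructed sample)
#
{ dport sun-dr ulp tcp } permit { auth_algs md5 }
{ sport sun-dr ulp tcp } apply { auth_algs md5 sa unique }
      { dport cvc_hostd   ulp tcp }   permit { auth_algs md5 }
{ sport cvc_hostd ulp tcp } apply { auth_algs md5 sa unique }
EOF

# As typically found on a domain installed from a flar created on another
# machine: the cvc_hostd entries were never added.
BAD="$TMPD/ipsecinit.conf.bad"
cat > "$BAD" <<'EOF'
#
# ipsecinit.conf  (constructed sample, flar-installed domain)
#
{ dport sun-dr ulp tcp } permit { auth_algs md5 }
{ sport sun-dr ulp tcp } apply { auth_algs md5 sa unique }
EOF

for f in "$GOOD" "$BAD"; do
    printf '%s: ' "$f"
    sckm_status "$f"
done
```

        On a real domain, run check_sckm_policy /etc/inet/ipsecinit.conf;
        it lists each missing entry on stderr and exits non-zero.  It checks
        only the file on disk, which is read at boot: the policy actually
        loaded into the kernel is shown by ipsecconf -l (see ipsecconf(1M)
        above).  If entries are missing, follow the resolution above and
        reinstall SUNWsckmr on the domain (pkgrm(1M), then pkgadd(1M))
        rather than hand-editing the file, so that the package's own
        postinstall script supplies the entries.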

- Meta-Data/Problem categorization:

Product/Platform: SF12K/SF15K
Category:

- Keywords

ip_fanout_tcp_listen dropping datagram secure clear DCA/DCS communication SUNWsckmr

INTERNAL SUMMARY:

SUBMITTER: Darin Carlson APPLIES TO: Hardware/Sun Fire /15000, Hardware/Sun Fire /12000 ATTACHMENTS:


Copyright (c) 1997-2003 Sun Microsystems, Inc.