From 4d1067603dd29043e7f892a77f0bbbdff42f56da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Claus=20Lensb=C3=B8l?= <claus@tailscale.com>
Date: Mon, 15 Dec 2025 15:45:42 -0500
Subject: [PATCH] wgengine/magicksock: clear LastTSMPDiscoAdvertisement when
 rotating disco keys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updates #12639

Signed-off-by: Claus Lensbøl <claus@tailscale.com>
---
 wgengine/magicsock/magicsock.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/wgengine/magicsock/magicsock.go b/wgengine/magicsock/magicsock.go
index 0699bd762..aafb7b626 100644
--- a/wgengine/magicsock/magicsock.go
+++ b/wgengine/magicsock/magicsock.go
@@ -1243,7 +1243,8 @@ func (c *Conn) DiscoPublicKey() key.DiscoPublic {
 
 // RotateDiscoKey generates a new discovery key pair and updates the connection
 // to use it. This invalidates all existing disco sessions and will cause peers
-// to re-establish discovery sessions with the new key.
+// to re-establish discovery sessions with the new key. Addtionally, the
+// lastTSMPDiscoAdvertisement on all endpoints is reset to 0.
 //
 // This is primarily for debugging and testing purposes, a future enhancement
 // should provide a mechanism for seamless rotation by supporting short term use
@@ -1264,6 +1265,9 @@ func (c *Conn) RotateDiscoKey() {
 	if connCtx != nil {
 		c.ReSTUN("disco-key-rotation")
 	}
+	for _, endpoint := range c.peerMap.byEpAddr {
+		endpoint.ep.lastTSMPDiscoAdvertisement = 0
+	}
 }
 
 // determineEndpoints returns the machine's endpoint addresses. It does a STUN