← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1491679] [NEW] ipsec-site-connection-create is not back to ACTIVE state after updating admin_state_up as True -> False -> True

 

Public bug reported:

neutron vpn-service-create --name myvpnA --description "My vpnA service" routerA subA
neutron vpn-service-create --name myvpnB --description "My vpnB service" routerB subB

neutron ipsec-site-connection-create --name vpnconnectionA --vpnservice-id myvpnA \
--ikepolicy-id ikepolicy --ipsecpolicy-id ipsecpolicy --peer-address 172.24.4.102 \
--peer-id 172.24.4.102 --peer-cidr 10.2.0.0/24 --psk secret

neutron ipsec-site-connection-create --name vpnconnectionB --vpnservice-id myvpnB \
--ikepolicy-id ikepolicy --ipsecpolicy-id ipsecpolicy --peer-address 172.24.4.101 \
--peer-id 172.24.4.101 --peer-cidr 10.1.0.0/24 --psk secret

docker@ubuntu:~/devstack$ neutron ipsec-site-connection-list
+--------------------------------------+----------------+--------------+---------------+------------+-----------+--------+
| id                                   | name           | peer_address | peer_cidrs    | route_mode | auth_mode | status |
+--------------------------------------+----------------+--------------+---------------+------------+-----------+--------+
| 4ca689a5-180a-4661-bd5b-6182d9dad5e4 | vpnconnectionA | 172.24.4.102 | "10.2.0.0/24" | static     | psk       | ACTIVE |
| f65263bd-b5cf-46c5-a809-a376bec461d9 | vpnconnectionB | 172.24.4.101 | "10.1.0.0/24" | static     | psk       | ACTIVE |
+--------------------------------------+----------------+--------------+---------------+------------+-----------+--------+

Now, change the admin_state_up as false for ipsec-site-connection -
vpnconnectionA.

docker@ubuntu:~/devstack$ neutron ipsec-site-connection-list
+--------------------------------------+----------------+--------------+---------------+------------+-----------+--------+
| id                                   | name           | peer_address | peer_cidrs    | route_mode | auth_mode | status |
+--------------------------------------+----------------+--------------+---------------+------------+-----------+--------+
| 4ca689a5-180a-4661-bd5b-6182d9dad5e4 | vpnconnectionA | 172.24.4.102 | "10.2.0.0/24" | static     | psk       | DOWN   |
| f65263bd-b5cf-46c5-a809-a376bec461d9 | vpnconnectionB | 172.24.4.101 | "10.1.0.0/24" | static     | psk       | ACTIVE |
+--------------------------------------+----------------+--------------+---------------+------------+-----------+--------+

ping vm1 to vm2 does not work and ping vm2 and vm1 does not work ( this
is expected)

Change back the admin_state_up as True, the status is still shown as
DOWN, even the vpn-service for myvpnA is at DOWN

docker@ubuntu:~/devstack$ neutron ipsec-site-connection-show vpnconnectionA
+----------------+----------------------------------------------------+
| Field          | Value                                              |
+----------------+----------------------------------------------------+
| admin_state_up | True                                               |
| auth_mode      | psk                                                |
| description    |                                                    |
| dpd            | {"action": "hold", "interval": 30, "timeout": 120} |
| id             | 4ca689a5-180a-4661-bd5b-6182d9dad5e4               |
| ikepolicy_id   | d5112709-8909-4ce3-a7aa-99569474c812               |
| initiator      | bi-directional                                     |
| ipsecpolicy_id | 430ece29-8cf5-488a-b77d-798f0e7d455e               |
| mtu            | 1500                                               |
| name           | vpnconnectionA                                     |
| peer_address   | 172.24.4.102                                       |
| peer_cidrs     | 10.2.0.0/24                                        |
| peer_id        | 172.24.4.102                                       |
| psk            | secret                                             |
| route_mode     | static                                             |
| status         | DOWN                                               |
| tenant_id      | 7d0f12937859462bb7c1d5d012111dec                   |
| vpnservice_id  | 33311333-a6be-4b59-bedc-d3f1583459e7               |
+----------------+----------------------------------------------------+

docker@ubuntu:~/devstack$ neutron vpn-service-show myvpnA
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| admin_state_up | True                                 |
| description    | My vpnA service                      |
| external_v4_ip | 172.24.4.101                         |
| external_v6_ip |                                      |
| id             | 33311333-a6be-4b59-bedc-d3f1583459e7 |
| name           | myvpnA                               |
| router_id      | 3b4fab84-6bac-4a29-8bf2-65378e342dc4 |
| status         | DOWN                                 |
| subnet_id      | 63d99342-c9e0-41a9-993d-3c2a6e0256ad |
| tenant_id      | 7d0f12937859462bb7c1d5d012111dec     |
+----------------+--------------------------------------+

In-order to make it work, have to restart vpn-service ( meaning update
vpn-service for myvpnA's admin_state_up as True) and ipsite-connection
for vpnconnectionA's admin_state_up as True.

Is this expected behavior?

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: vpnaas

** Project changed: bagpipe-l2 => neutron

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1491679

Title:
  ipsec-site-connection-create is not back to ACTIVE state after
  updating admin_state_up as True -> False -> True

Status in neutron:
  New

Bug description:
  neutron vpn-service-create --name myvpnA --description "My vpnA service" routerA subA
  neutron vpn-service-create --name myvpnB --description "My vpnB service" routerB subB

  neutron ipsec-site-connection-create --name vpnconnectionA --vpnservice-id myvpnA \
  --ikepolicy-id ikepolicy --ipsecpolicy-id ipsecpolicy --peer-address 172.24.4.102 \
  --peer-id 172.24.4.102 --peer-cidr 10.2.0.0/24 --psk secret

  neutron ipsec-site-connection-create --name vpnconnectionB --vpnservice-id myvpnB \
  --ikepolicy-id ikepolicy --ipsecpolicy-id ipsecpolicy --peer-address 172.24.4.101 \
  --peer-id 172.24.4.101 --peer-cidr 10.1.0.0/24 --psk secret

  docker@ubuntu:~/devstack$ neutron ipsec-site-connection-list
  +--------------------------------------+----------------+--------------+---------------+------------+-----------+--------+
  | id                                   | name           | peer_address | peer_cidrs    | route_mode | auth_mode | status |
  +--------------------------------------+----------------+--------------+---------------+------------+-----------+--------+
  | 4ca689a5-180a-4661-bd5b-6182d9dad5e4 | vpnconnectionA | 172.24.4.102 | "10.2.0.0/24" | static     | psk       | ACTIVE |
  | f65263bd-b5cf-46c5-a809-a376bec461d9 | vpnconnectionB | 172.24.4.101 | "10.1.0.0/24" | static     | psk       | ACTIVE |
  +--------------------------------------+----------------+--------------+---------------+------------+-----------+--------+

  Now, change the admin_state_up as false for ipsec-site-connection -
  vpnconnectionA.

  docker@ubuntu:~/devstack$ neutron ipsec-site-connection-list
  +--------------------------------------+----------------+--------------+---------------+------------+-----------+--------+
  | id                                   | name           | peer_address | peer_cidrs    | route_mode | auth_mode | status |
  +--------------------------------------+----------------+--------------+---------------+------------+-----------+--------+
  | 4ca689a5-180a-4661-bd5b-6182d9dad5e4 | vpnconnectionA | 172.24.4.102 | "10.2.0.0/24" | static     | psk       | DOWN   |
  | f65263bd-b5cf-46c5-a809-a376bec461d9 | vpnconnectionB | 172.24.4.101 | "10.1.0.0/24" | static     | psk       | ACTIVE |
  +--------------------------------------+----------------+--------------+---------------+------------+-----------+--------+

  ping vm1 to vm2 does not work and ping vm2 and vm1 does not work (
  this is expected)

  Change back the admin_state_up as True, the status is still shown as
  DOWN, even the vpn-service for myvpnA is at DOWN

  docker@ubuntu:~/devstack$ neutron ipsec-site-connection-show vpnconnectionA
  +----------------+----------------------------------------------------+
  | Field          | Value                                              |
  +----------------+----------------------------------------------------+
  | admin_state_up | True                                               |
  | auth_mode      | psk                                                |
  | description    |                                                    |
  | dpd            | {"action": "hold", "interval": 30, "timeout": 120} |
  | id             | 4ca689a5-180a-4661-bd5b-6182d9dad5e4               |
  | ikepolicy_id   | d5112709-8909-4ce3-a7aa-99569474c812               |
  | initiator      | bi-directional                                     |
  | ipsecpolicy_id | 430ece29-8cf5-488a-b77d-798f0e7d455e               |
  | mtu            | 1500                                               |
  | name           | vpnconnectionA                                     |
  | peer_address   | 172.24.4.102                                       |
  | peer_cidrs     | 10.2.0.0/24                                        |
  | peer_id        | 172.24.4.102                                       |
  | psk            | secret                                             |
  | route_mode     | static                                             |
  | status         | DOWN                                               |
  | tenant_id      | 7d0f12937859462bb7c1d5d012111dec                   |
  | vpnservice_id  | 33311333-a6be-4b59-bedc-d3f1583459e7               |
  +----------------+----------------------------------------------------+

  docker@ubuntu:~/devstack$ neutron vpn-service-show myvpnA
  +----------------+--------------------------------------+
  | Field          | Value                                |
  +----------------+--------------------------------------+
  | admin_state_up | True                                 |
  | description    | My vpnA service                      |
  | external_v4_ip | 172.24.4.101                         |
  | external_v6_ip |                                      |
  | id             | 33311333-a6be-4b59-bedc-d3f1583459e7 |
  | name           | myvpnA                               |
  | router_id      | 3b4fab84-6bac-4a29-8bf2-65378e342dc4 |
  | status         | DOWN                                 |
  | subnet_id      | 63d99342-c9e0-41a9-993d-3c2a6e0256ad |
  | tenant_id      | 7d0f12937859462bb7c1d5d012111dec     |
  +----------------+--------------------------------------+

  In-order to make it work, have to restart vpn-service ( meaning update
  vpn-service for myvpnA's admin_state_up as True) and ipsite-connection
  for vpnconnectionA's admin_state_up as True.

  Is this expected behavior?

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1491679/+subscriptions


Follow ups