yahoo-eng-team team mailing list archive
Message #80511
[Bug 1850137] [NEW] Hosts in a VPNaaS-VPNaas VPN lose their interconnect.
Public bug reported:
When I build an IPSec tunnel between two projects (VPNaaS-VPNaaS), everything works fine. But after a random period of time (from 20 minutes to a week), the connection between the end hosts in the opposite local networks disappears.
Ping from the end host to the gateways of both local networks passes.
For example, there is the following topology:
host-loc-1(10.9.9.2/24) - (10.9.9.1/24)VPNaaS1 - VPNaaS2(192.168.10.1/24) - host-loc-2(192.168.10.8/24)
When a problem occurs, the address 10.9.9.2 stops pinging 192.168.10.8,
but continues to ping 192.168.10.1.
VPN connection status is active and the cause of the problem is the loss
of iptables rules in the FORWARD chain for the project namespace.
Normal condition:
"""
ip netns exec qrouter-ID iptables -L -n | grep -A 5 "Chain FORWARD"
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.10.0/24 10.9.9.0/24 policy match dir in pol ipsec reqid 1 proto 50
ACCEPT all -- 10.9.9.0/24 192.168.10.0/24 policy match dir out pol ipsec reqid 1 proto 50
neutron-filter-top all -- 0.0.0.0/0 0.0.0.0/0
neutron-l3-agent-FORWARD all -- 0.0.0.0/0 0.0.0.0/0
"""
Problem state:
"""
ip netns exec qrouter-ID iptables -L -n | grep -A 5 "Chain FORWARD"
Chain FORWARD (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- 0.0.0.0/0 0.0.0.0/0
neutron-l3-agent-FORWARD all -- 0.0.0.0/0 0.0.0.0/0
"""
How can I understand why the FORWARD rule disappears?
Installed software version:
dpkg -l | grep neutron
ii neutron-common 2:12.0.6-0ubuntu3~cloud0 all Neutron is a virtual network service for Openstack - common
ii neutron-dhcp-agent 2:12.0.6-0ubuntu3~cloud0 all Neutron is a virtual network service for Openstack - DHCP agent
ii neutron-l3-agent 2:12.0.6-0ubuntu3~cloud0 all Neutron is a virtual network service for Openstack - l3 agent
ii neutron-metadata-agent 2:12.0.6-0ubuntu3~cloud0 all Neutron is a virtual network service for Openstack - metadata agent
ii neutron-openvswitch-agent 2:12.0.6-0ubuntu3~cloud0 all Neutron is a virtual network service for Openstack - Open vSwitch plugin agent
ii python-neutron 2:12.0.6-0ubuntu3~cloud0 all Neutron is a virtual network service for Openstack - Python library
ii python-neutron-fwaas 1:12.0.1-0ubuntu1~cloud0 all Firewall-as-a-Service driver for OpenStack Neutron
ii python-neutron-lib 1.13.0-0ubuntu1~cloud0 all Neutron shared routines and utilities - Python 2.7
ii python-neutron-vpnaas 2:12.0.1-0ubuntu1~cloud0 all VPN-as-a-Service driver for OpenStack Neutron
ii python-neutronclient 1:6.7.0-0ubuntu1~cloud0 all client API library for Neutron - Python 2.7
** Affects: neutron
Importance: Undecided
Status: New
** Tags: neutron queens vpn vpnaas
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1850137
Title:
Hosts in a VPNaaS-VPNaas VPN lose their interconnect.
Status in neutron:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1850137/+subscriptions
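
Added example, not part of the original bug report or of Neutron's code: a check that reads `iptables -L -n` output and reports whether the FORWARD chain still holds both IPsec policy ACCEPT rules for a subnet pair, so the moment the rules vanish can be recorded. The function name check_ipsec_forward is hypothetical, and the two sample listings are transcribed from the "Normal condition" and "Problem state" output in the report.

```shell
#!/bin/sh
# Added example: detect loss of the VPNaaS IPsec rules in the FORWARD chain.
# Reads `iptables -L -n` output on stdin.
# Usage: check_ipsec_forward LOCAL_CIDR PEER_CIDR
# Prints: ok | missing:in | missing:out | missing:in,out
check_ipsec_forward() {   # hypothetical helper name
    awk -v l="$1" -v p="$2" '
        # Track which chain the following rule lines belong to.
        /^Chain / { in_fwd = ($2 == "FORWARD"); next }
        # Only ACCEPT rules with an IPsec policy match in FORWARD count.
        in_fwd && $1 == "ACCEPT" && /pol ipsec/ {
            if ($4 == p && $5 == l && / dir in /)  have_in = 1
            if ($4 == l && $5 == p && / dir out /) have_out = 1
        }
        END {
            if (have_in && have_out) { print "ok"; exit }
            miss = ""
            if (!have_in)  miss = "in"
            if (!have_out) miss = (miss == "" ? "out" : miss ",out")
            print "missing:" miss
        }'
}

# Sample listings transcribed from the report (not live data).
NORMAL_STATE='Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.10.0/24 10.9.9.0/24 policy match dir in pol ipsec reqid 1 proto 50
ACCEPT all -- 10.9.9.0/24 192.168.10.0/24 policy match dir out pol ipsec reqid 1 proto 50
neutron-filter-top all -- 0.0.0.0/0 0.0.0.0/0
neutron-l3-agent-FORWARD all -- 0.0.0.0/0 0.0.0.0/0'

PROBLEM_STATE='Chain FORWARD (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- 0.0.0.0/0 0.0.0.0/0
neutron-l3-agent-FORWARD all -- 0.0.0.0/0 0.0.0.0/0'

# In the namespace shown, 10.9.9.0/24 is the local subnet and
# 192.168.10.0/24 is the peer subnet.
printf '%s\n' "$NORMAL_STATE"  | check_ipsec_forward 10.9.9.0/24 192.168.10.0/24
printf '%s\n' "$PROBLEM_STATE" | check_ipsec_forward 10.9.9.0/24 192.168.10.0/24
```

On a network node the same function can be fed from `ip netns exec qrouter-ID iptables -L FORWARD -n` on a schedule, logging a timestamp whenever the result changes from ok, which gives a time window to compare against the neutron-l3-agent log.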