VPNaaS: service ipsec status gives incorrect status of the ipsec tunnel.
Bug #1440655 reported by Neeti Munshi
This bug affects 5 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Undecided | Paul Michali |
Bug Description
In the devstack setup with VPNaaS enabled:
1. Establish an IPsec site connection between 2 devstack clouds.
2. Verify that the connection is active from both ends.
3. Now run "service ipsec status" on either of the clouds.
$ service ipsec status
IPsec running - pluto pid: 8489
pluto pid 8489
No tunnels up
4. ipsec status shows that there is no tunnel up, though there is an active and working IPsec site connection established.
Changed in neutron:
assignee: nobody → Aniruddha Singh Gautam (aniruddha-gautam)
Changed in neutron:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Changed in neutron:
milestone: liberty-1 → 7.0.0
The ipsec process is run in a namespace for each service. To see the underlying connection status command and output, you need to run the status command from within the namespace (see screen-q-vpn.log for examples of status checking). Rather than parsing the output of OpenSwan, though, you can use "neutron ipsec-site-connection-list" to see the status for the connection.
However, I AM seeing a related bug. It appears that the commit to set status for invalid peer address via FQDN (Bug 1405413) is not correctly setting the status for the connection as a result.
We can probably use this bug to fix that issue, as it is a status reporting issue.