VPNaaS: Support VPNaaS with L3 HA

Bug #1478012 reported by venkata anil
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
neutron | Fix Released | Undecided | venkata anil |

Bug Description

Problem: Currently VPNaaS is not supported with L3 HA.
1) When a user tries to create an ipsec site connection, the vpn agent tries to run the ipsec process on both the HA master and backup routers. Running the ipsec process on the backup router fails as its router interfaces will be down.

2) Running two separate ipsec processes for the same side of the connection (East or West) is not allowed.

3) During HA router state transitions (master to backup and backup to master), spawning and terminating of the vpn process is not handled. For example, when master transitioned to backup, that vpn connection will be lost forever (unless both the agents hosting HA routers are restarted).

Solution: When a VPN process is created for an HA router, it should run only on the HA master node. On transition from master to backup router, the vpn process should be shut down (the same as disabling radvd/metadata proxy) on that agent. On transition from backup to master, the vpn process should be enabled and running on that agent.

Advantages: Through this we will have the advantages of the L3 HA router, i.e. no need for user intervention for reestablishing the vpn connection when the router is down. When the existing master router is down, the same vpn connection will be established automatically on the new master router.

Tags: l3-ha rfe vpnaas
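
A minimal model of the behaviour the Solution above asks for, as an added example that is not part of the bug report or the neutron-vpnaas patch. `VpnAgent`, its methods, and the host and router names are hypothetical; the ipsec process is represented by set membership rather than a real process.

```python
from dataclasses import dataclass, field


@dataclass
class VpnAgent:
    """Hypothetical L3 agent hosting one instance of each HA router."""
    host: str
    ha_state: dict = field(default_factory=dict)      # router_id -> "master" | "backup"
    vpn_routers: set = field(default_factory=set)     # routers with a VPN service
    ipsec_running: set = field(default_factory=set)   # routers with a live ipsec process
    log: list = field(default_factory=list)

    def add_vpn_service(self, router_id):
        self.vpn_routers.add(router_id)
        self._sync(router_id)

    def on_ha_state_change(self, router_id, new_state):
        if new_state not in ("master", "backup"):
            raise ValueError(f"unknown HA state: {new_state!r}")
        self.ha_state[router_id] = new_state
        self._sync(router_id)

    def _sync(self, router_id):
        # ipsec runs only where the router is master AND has a VPN service.
        want = (router_id in self.vpn_routers
                and self.ha_state.get(router_id) == "master")
        have = router_id in self.ipsec_running
        if want and not have:
            self.ipsec_running.add(router_id)
            self.log.append(("start", router_id))
        elif have and not want:
            self.ipsec_running.discard(router_id)
            self.log.append(("stop", router_id))


def ipsec_hosts(agents, router_id):
    """Hosts running ipsec for router_id; more than one violates problem 2."""
    return [a.host for a in agents if router_id in a.ipsec_running]


def failover_demo():
    a, b = VpnAgent("node-a"), VpnAgent("node-b")     # constructed sample hosts
    agents = [a, b]
    a.on_ha_state_change("r1", "master")
    b.on_ha_state_change("r1", "backup")
    for agent in agents:                               # service is scheduled to both
        agent.add_vpn_service("r1")
    before = ipsec_hosts(agents, "r1")
    a.on_ha_state_change("r1", "backup")              # master demoted
    during = ipsec_hosts(agents, "r1")
    b.on_ha_state_change("r1", "master")              # backup promoted
    b.on_ha_state_change("r1", "master")              # duplicate event: no second start
    return before, during, ipsec_hosts(agents, "r1"), a.log, b.log
```
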
venkata anil (anil-venkata) wrote :

Fix already proposed for this support.
https://review.openstack.org/#/c/200636/

venkata anil (anil-venkata) wrote :

Previous bug https://bugs.launchpad.net/neutron/+bug/1471940
Got suggestion to raise a new bug for RFE and mark bug 1471940 as duplicate of the new RFE bug. So raised this bug and marked 1471940 as duplicate.

Changed in neutron:
assignee: nobody → venkata anil (anil-venkata)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-vpnaas (master)

Reviewed: https://review.openstack.org/200636
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=33c3fd0302b1263291ece482b3b37a030a01d5c2
Submitter: Jenkins
Branch: master

commit 33c3fd0302b1263291ece482b3b37a030a01d5c2
Author: venkata anil <email address hidden>
Date: Fri Jul 24 12:19:52 2015 +0000

    Support VPNaaS with L3 HA

    VPNaaS with a HA router is not supported now.
    This patch will enable support for VPNaaS with an HA router.

    When VPN service is created for HA router, it should run
    only on master node.
    On transition from master to backup, vpn service should be
    shutdown (same like disabling radvd) on that agent.

    On transition from backup to master, vpn service should be
    enabled and running on that agent.

    Closes-bug: #1478012
    Change-Id: I22f55b72cdc6cf608f50db902e4e3636fd59a16c

Changed in neutron:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in neutron:
milestone: none → liberty-rc1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: liberty-rc1 → 7.0.0