Hosts in a VPNaaS-VPNaas VPN lose their interconnect.

Bug #1850137 reported by Dmytro Kostinov
Affects: neutron
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

When I build an IPsec tunnel between two projects (VPNaaS-VPNaaS), everything works fine. But after a random period of time (from 20 minutes to a week), the connection between the end hosts in the opposite local networks disappears.
Ping from the end host to the gateways of both local networks still passes.

For example, there is the following topology:
host-loc-1(10.9.9.2/24) - (10.9.9.1/24)VPNaaS1 - VPNaaS2(192.168.10.1/24) - host-loc-2(192.168.10.8/24)

When a problem occurs, the address 10.9.9.2 stops pinging 192.168.10.8, but continues to ping 192.168.10.1.

The VPN connection status is ACTIVE, and the cause of the problem is the loss of the iptables rules in the FORWARD chain of the project's router namespace.

Normal condition:
"""
ip netns exec qrouter-ID iptables -L -n | grep -A 5 "Chain FORWARD"
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.10.0/24 10.9.9.0/24 policy match dir in pol ipsec reqid 1 proto 50
ACCEPT all -- 10.9.9.0/24 192.168.10.0/24 policy match dir out pol ipsec reqid 1 proto 50
neutron-filter-top all -- 0.0.0.0/0 0.0.0.0/0
neutron-l3-agent-FORWARD all -- 0.0.0.0/0 0.0.0.0/0
"""

Problem state:
"""
ip netns exec qrouter-ID iptables -L -n | grep -A 5 "Chain FORWARD"
Chain FORWARD (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- 0.0.0.0/0 0.0.0.0/0
neutron-l3-agent-FORWARD all -- 0.0.0.0/0 0.0.0.0/0
"""

How can I understand why the FORWARD rule disappears?

Installed software version:

dpkg -l | grep neutron
ii neutron-common 2:12.0.6-0ubuntu3~cloud0 all Neutron is a virtual network service for Openstack - common
ii neutron-dhcp-agent 2:12.0.6-0ubuntu3~cloud0 all Neutron is a virtual network service for Openstack - DHCP agent
ii neutron-l3-agent 2:12.0.6-0ubuntu3~cloud0 all Neutron is a virtual network service for Openstack - l3 agent
ii neutron-metadata-agent 2:12.0.6-0ubuntu3~cloud0 all Neutron is a virtual network service for Openstack - metadata agent
ii neutron-openvswitch-agent 2:12.0.6-0ubuntu3~cloud0 all Neutron is a virtual network service for Openstack - Open vSwitch plugin agent
ii python-neutron 2:12.0.6-0ubuntu3~cloud0 all Neutron is a virtual network service for Openstack - Python library
ii python-neutron-fwaas 1:12.0.1-0ubuntu1~cloud0 all Firewall-as-a-Service driver for OpenStack Neutron
ii python-neutron-lib 1.13.0-0ubuntu1~cloud0 all Neutron shared routines and utilities - Python 2.7
ii python-neutron-vpnaas 2:12.0.1-0ubuntu1~cloud0 all VPN-as-a-Service driver for OpenStack Neutron
ii python-neutronclient 1:6.7.0-0ubuntu1~cloud0 all client API library for Neutron - Python 2.7
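The report's "normal" versus "problem" listings differ only in the two policy-match ACCEPT rules. The script below, added here as an illustration and not part of the bug report or of neutron-vpnaas, turns that comparison into a check an operator can run from cron or a monitoring agent: it parses the FORWARD chain of a qrouter namespace and reports which direction of the IPsec policy-match rule is missing for a given subnet pair. The two embedded listings are constructed from the output quoted above; the subnets and the `--live` invocation are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): detect the symptom described above,
# i.e. the IPsec policy-match ACCEPT rules vanishing from the FORWARD chain of
# a qrouter namespace, and report which direction is missing.

# Subnet pair of the site connection, taken from the topology in the report.
LOCAL_CIDR="10.9.9.0/24"
PEER_CIDR="192.168.10.0/24"

# Listings constructed from the report's "normal" and "problem" output
# (column spacing as iptables -L -n prints it).
NORMAL_LISTING='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.10.0/24      10.9.9.0/24          policy match dir in pol ipsec reqid 1 proto 50
ACCEPT     all  --  10.9.9.0/24          192.168.10.0/24      policy match dir out pol ipsec reqid 1 proto 50
neutron-filter-top  all  --  0.0.0.0/0            0.0.0.0/0
neutron-l3-agent-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0'

PROBLEM_LISTING='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  0.0.0.0/0            0.0.0.0/0
neutron-l3-agent-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0'

# missing_ipsec_rules LISTING
# Prints the directions ("in", "out", or "in out") whose policy-match ACCEPT
# rule for LOCAL_CIDR <-> PEER_CIDR is absent; prints nothing when both exist.
missing_ipsec_rules() {
    printf '%s\n' "$1" | awk -v ours="$LOCAL_CIDR" -v theirs="$PEER_CIDR" '
        # Inbound rule: source is the peer subnet, destination is ours.
        $1 == "ACCEPT" && $4 == theirs && $5 == ours && /policy match dir in pol ipsec/  { seen_in = 1 }
        # Outbound rule: source is ours, destination is the peer subnet.
        $1 == "ACCEPT" && $4 == ours && $5 == theirs && /policy match dir out pol ipsec/ { seen_out = 1 }
        END {
            missing = ""
            if (!seen_in)  missing = "in"
            if (!seen_out) missing = (missing == "" ? "out" : missing " out")
            print missing
        }'
}

# forward_rules_ok LISTING : exit status 0 if both rules are present.
forward_rules_ok() {
    [ -z "$(missing_ipsec_rules "$1")" ]
}

# live_check ROUTER_UUID : run the same check against a real qrouter namespace
# (needs root on the network node; the UUID is the neutron router id).
live_check() {
    listing=$(ip netns exec "qrouter-$1" iptables -L FORWARD -n) || return 2
    missing=$(missing_ipsec_rules "$listing")
    if [ -n "$missing" ]; then
        echo "qrouter-$1: IPsec FORWARD rule(s) missing: $missing" >&2
        return 1
    fi
    echo "qrouter-$1: IPsec FORWARD rules present"
}

# Usage (assumed invocation): sh check_ipsec_forward.sh --live <router-uuid>
if [ "${1:-}" = "--live" ]; then
    live_check "$2"
fi
```

Run with `--live` and the router id from a monitoring job; a non-zero exit pins down the moment the rules vanish, which can then be correlated with l3-agent and vpn-agent logs from the same time window.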

Lajos Katona (lajos-katona) wrote :

Could you please explain your exact test setup? Am I right that you used something like this setup:
https://opendev.org/openstack/neutron-vpnaas/src/tag/12.0.1/doc/source/devref/testing-with-devstack.rst#vpnaas-configuration ?

Dmytro Kostinov (dmikos) wrote :

It looks similar, but I use the OpenStack Dashboard (Horizon, neutron-vpnaas-dashboard plug-in) for creating the VPN connection.

Dmytro Kostinov (dmikos) wrote :

My topology:

(192.168.1.8/24 - host-loc-1)
         |
         | 192.168.1.1
[Neutron Router]
         | XXX.XX.YY.141
         |
         | XXX.XX.YY.1
[Internet GW]
         |
         |
[Internet GW]
         | XXX.XX.ZZ.1
         |
         | XXX.XX.ZZ.29
[Neutron Router]
         | 10.9.8.100
         |
(10.9.8.9/24 host-loc-2)

Dmytro Kostinov (dmikos) wrote :

The output of the following commands is in the attached file:
- openstack vpn ike policy show
- openstack vpn ipsec policy show
- openstack vpn service show
- openstack vpn endpoint group show
- openstack vpn ipsec site connection show
