I did reproduce the issue as written just before ... and attached all the DEBUG logs of the neutron daemons (control plane and compute/network nodes)...
My steps were:
1) Create two projects "vpndebug1" and "vpndebug2" ...
2) Run the terraform code to set everything up, resulting in two routers:
vpndebug1-gateway ef8664da-5a53-467a-ad40-1a99ccc2d817
vpndebug2-gateway d969ffea-9d4c-4a3a-9ead-0d66624142db
3) Validate connectivity between VMs / instances
4) Trigger backup/master switches of the keepalived for the Neutron routers.
5) Monitor connectivity via the IPSEC VPN failing - one side reports "DOWN" via the API, the other doesn't.
In the logs there were no errors or warnings (yet), but I observed that only "ipsec status" was called; no other ipsec-related commands were run.
Without doing any more switch-overs of the router I then toggled the "ipsec connection" and also the "ipsec service" itself via "set --disable", "set --enable" and at some point "ipsec start" and e.g. "ipsec stroke up-nb 2c446a92-0113-4418-b066-931a2afb58fd" was then called on the active router and the connection came back up / was healthy again.
Together with this I also observed the reporting of duplicate iptables.
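The symptom in the comment above (the API reports the tunnel DOWN on one router but not on the peer, while only "ipsec status" is being polled) is easiest to pin down by comparing what the API says with what strongSwan actually has installed on each HA router. The following is an added example written for this report, not code from the reporter or from neutron-vpnaas: it parses strongSwan-style "ipsec status" output, where neutron names each connection after the ipsec_site_connection UUID (as the "ipsec stroke up-nb <uuid>" call above shows), and flags the side whose API status disagrees with the SA state. The status texts and the second UUID are constructed samples, and the exact line layout is assumed to follow the usual strongSwan format.

```python
import re

# strongSwan "ipsec status" lines for a neutron-managed connection look like
#   <uuid>[3]: ESTABLISHED 12 minutes ago, 198.51.100.10[...]...203.0.113.20[...]
#   <uuid>{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ...
#   <uuid>{2}:   10.10.0.0/24 === 10.20.0.0/24
# (format assumed from common strongSwan output; the UUID naming is neutron's)
_UUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
IKE_SA_RE = re.compile(rf"^(?P<conn>{_UUID})\[\d+\]:\s+(?P<state>[A-Z]+)")
CHILD_SA_RE = re.compile(rf"^(?P<conn>{_UUID})\{{\d+\}}:\s+(?P<state>[A-Z]+)")


def parse_ipsec_status(text):
    """Map connection UUID -> {'ike': <IKE SA state>, 'child': {<CHILD SA states>}}."""
    sas = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = IKE_SA_RE.match(line)
        if m:
            sas.setdefault(m["conn"], {"child": set()})["ike"] = m["state"]
            continue
        m = CHILD_SA_RE.match(line)
        if m:
            # a connection may show ROUTED and INSTALLED; keep all states seen
            sas.setdefault(m["conn"], {"child": set()})["child"].add(m["state"])
    return sas


def tunnel_state(sas, conn_id):
    """'UP' only when the IKE SA is ESTABLISHED and a CHILD SA is INSTALLED."""
    entry = sas.get(conn_id, {"child": set()})
    if entry.get("ike") == "ESTABLISHED" and "INSTALLED" in entry["child"]:
        return "UP"
    return "DOWN"


def audit_sides(sides):
    """Compare API status with the real SA state on every router.

    sides: {router_name: {'conn_id': uuid, 'api_status': 'ACTIVE'|'DOWN',
                          'ipsec_status': text of 'ipsec status'}}
    Returns per-side verdicts plus whether the two sides agree with each other.
    """
    report = {}
    for name, side in sides.items():
        actual = tunnel_state(parse_ipsec_status(side["ipsec_status"]), side["conn_id"])
        api = "UP" if side["api_status"] == "ACTIVE" else "DOWN"
        report[name] = {"api": api, "tunnel": actual, "consistent": api == actual}
    return {
        "sides": report,
        "tunnels_agree": len({r["tunnel"] for r in report.values()}) == 1,
        "api_agrees": len({r["api"] for r in report.values()}) == 1,
    }


# --- constructed sample data --------------------------------------------------
CONN_A = "2c446a92-0113-4418-b066-931a2afb58fd"  # connection id from the report
CONN_B = "11111111-2222-4333-8444-555555555555"  # constructed id for the peer side

HEALTHY_STATUS = f"""\
Security Associations (1 up, 0 connecting):
{CONN_A}[3]: ESTABLISHED 12 minutes ago, 198.51.100.10[198.51.100.10]...203.0.113.20[203.0.113.20]
{CONN_A}{{2}}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1a2b3d4_i e5f6a7b8_o
{CONN_A}{{2}}:   10.10.0.0/24 === 10.20.0.0/24
"""

# after the keepalived failover: no SAs on either side, but only one API noticed
NO_SA_STATUS = "Security Associations (0 up, 0 connecting):\n"

EXAMPLE_SIDES = {
    "vpndebug1-gateway": {"conn_id": CONN_A, "api_status": "DOWN", "ipsec_status": NO_SA_STATUS},
    "vpndebug2-gateway": {"conn_id": CONN_B, "api_status": "ACTIVE", "ipsec_status": NO_SA_STATUS},
}

if __name__ == "__main__":
    result = audit_sides(EXAMPLE_SIDES)
    for name, verdict in result["sides"].items():
        flag = "" if verdict["consistent"] else "  <- API status stale"
        print(f"{name}: api={verdict['api']} tunnel={verdict['tunnel']}{flag}")
```

Run against the constructed data, vpndebug2-gateway is reported as inconsistent: its API still says ACTIVE while "ipsec status" shows no SA, which is the one-sided DOWN the report describes. In practice the status text comes from running "ipsec status" inside the router's network namespace on the current keepalived master; the parser deliberately requires both an ESTABLISHED IKE SA and an INSTALLED CHILD SA, so a connection that is merely ROUTED is still counted as DOWN.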