Comment 9 for bug 1943449

Christian Rohmann (christian-rohmann) wrote : Re: VPNaaS reconfiguration creates duplicate IPtables rules causes the VPN connection to remain DOWN

I did reproduce the issue as written just before ... and attached all the DEBUG logs of the neutron daemons (control plane and compute/network nodes)...

My steps were:

1) Create two projects "vpndebug1" and "vpndebug2" ...
2) Run the terraform code to set everything up, resulting in two routers:

vpndebug1-gateway ef8664da-5a53-467a-ad40-1a99ccc2d817
vpndebug2-gateway d969ffea-9d4c-4a3a-9ead-0d66624142db

3) Validate connectivity between VMs / instances
4) Trigger backup/master switches of the keepalived for the Neutron routers.
5) Monitor connectivity via the IPsec VPN failing: one side reports "DOWN" via the API, the other doesn't.

In the logs there were no errors or warnings (yet), but I observed that only "ipsec status" was called; no other ipsec-related commands were run.

Without doing any more switch-overs of the router, I then toggled the "ipsec connection" and also the "ipsec service" itself via "set --disable", "set --enable", and at some point "ipsec start" and e.g. "ipsec stroke up-nb 2c446a92-0113-4418-b066-931a2afb58fd" was then called on the active router and the connection came back up / was healthy again.

Together with this I also observed the reporting of duplicate iptables rules.
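To check a router namespace for the duplicate rules mentioned in this comment, here is an added example (not part of the bug report or of Neutron itself): it parses iptables-save style output and reports every rule appended more than once to the same table and chain. The dump below is constructed; run the real thing with `ip netns exec qrouter-<id> iptables-save` and feed the output to the function.

```python
import re
from collections import Counter

# Constructed iptables-save style dump (not taken from the bug report). The
# repeated -A POSTROUTING line is the kind of duplicate the comment describes.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -j ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -d 192.168.1.0/24 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -d 192.168.1.0/24 -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
COMMIT
"""


def find_duplicate_rules(dump: str) -> dict:
    """Return {(table, chain, rule): count} for rules that appear more than once."""
    counts = Counter()
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # "*nat" starts a new table
            table = line[1:]
            continue
        if line == "COMMIT" or line.startswith(":"):  # chain policy lines
            continue
        m = re.match(r"-A\s+(\S+)\s+(.*)", line)
        if m and table:
            # Normalise whitespace so cosmetic differences do not hide a duplicate.
            rule = " ".join(m.group(2).split())
            counts[(table, m.group(1), rule)] += 1
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    for (table, chain, rule), n in find_duplicate_rules(SAMPLE_DUMP).items():
        print(f"{table}/{chain}: {n}x {rule}")
```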