vpn services / vpn connections are stuck in PENDING CREATE

Bug #1943716 reported by Olivier Chaze
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
neutron | New | Undecided | Unassigned |

Bug Description

* vpn services / vpn connections are stuck in PENDING CREATE

* Version :
Debian 11 Bullseye
OpenStack v17 Victoria

The reason seems to be oslo messages sent to the exchange 'neutron' topic 'ipsec_driver' that never get a reply. The VPN setup is therefore never achieved and vpn services / vpn connections are stuck in PENDING CREATE.

Here is an example of an oslo message that never got a reply:

2021-09-15 08:33:01.868 3658566 DEBUG oslo_messaging._drivers.amqpdriver [-] CALL msg_id: 7888792c39e34204a9508930ec2f3979 exchange 'neutron' topic 'ipsec_driver' transport_options 'None' msg '{'oslo.version': '2.0', 'oslo.message': '{"method": "get_vpn_services_on_host", "args": {"host": "preprod-network-2.cloud.infomaniak.ch"}, "version": "1.0", "_msg_id": "7888792c39e34204a9508930ec2f3979", "_reply_q": "reply_ee89bc4fe4774fa39094afcdc5acc40a", "_timeout": null, "_unique_id": "45f40fb9b5424f52becd2714f38f30a4", "_context_user": null, "_context_tenant": null, "_context_system_scope": null, "_context_project": null, "_context_domain": null, "_context_user_domain": null, "_context_project_domain": null, "_context_is_admin": true, "_context_read_only": false, "_context_show_deleted": false, "_context_auth_token": null, "_context_request_id": "req-f17a0988-5dd0-4bef-9d3f-deef96decb78", "_context_global_request_id": null, "_context_resource_uuid": null, "_context_roles": [], "_context_user_identity": "- - - - -", "_context_is_admin_project": true, "_context_user_id": null, "_context_tenant_id": null, "_context_project_id": null, "_context_timestamp": "2021-09-15 08:32:40.958399", "_context_tenant_name": null, "_context_project_name": null, "_context_user_name": null}'}' _send /usr/lib/python3/dist-packages/oslo_messaging/_drivers/amqpdriver.py:664

It could be related to the way the consumers are defined for the IPSEC_DRIVER_TOPIC (ipsec_driver). I changed the topic from ipsec_driver to ipsec_agent; I got replies for each message afterwards and the connection is properly done.

/usr/lib/python3/dist-packages/neutron_vpnaas/services/vpn/common/topics.py
-IPSEC_DRIVER_TOPIC = 'ipsec_driver'
+IPSEC_DRIVER_TOPIC = 'ipsec_agent'
 IPSEC_AGENT_TOPIC = 'ipsec_agent'
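
Review bot: With this change IPSEC_DRIVER_TOPIC and IPSEC_AGENT_TOPIC both resolve to 'ipsec_agent', so the two constants no longer name separate topics and every consumer or caller that used either one now shares a single topic. That makes the replies appear, but it does not explain why nothing answers on 'ipsec_driver'; I would keep the original value and check which process is expected to consume 'ipsec_driver' on exchange 'neutron' and whether it is registered. The edit is also made directly in the installed file under /usr/lib/python3/dist-packages, so it is likely to be lost on the next package upgrade and should be treated as a diagnostic only.
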
2021-09-15 11:58:25.885 347184 DEBUG oslo_messaging._drivers.amqpdriver [-] CALL msg_id: 24527a07899145e7b845b67b17bf4d62 exchange 'neutron' topic 'ipsec_agent' _send /usr/lib/python3/dist-packages/oslo_messaging/_drivers/amqpdriver.py:662
2021-09-15 11:58:25.928 347184 DEBUG oslo_messaging._drivers.amqpdriver [-] received reply msg_id: 24527a07899145e7b845b67b17bf4d62 __call__ /usr/lib/python3/dist-packages/oslo_messaging/_drivers/amqpdriver.py:508

With additional logs:

2021-09-15 11:58:25.885 347184 DEBUG oslo_messaging._drivers.amqpdriver [-] OCHAZE CALL msg_id: 24527a07899145e7b845b67b17bf4d62 exchange 'neutron' topic 'ipsec_agent' transport_options 'None' msg '{'oslo.version': '2.0', 'oslo.message': '{"method": "get_vpn_services_on_host", "args": {"host": "preprod-network-2.cloud.infomaniak.ch"}, "version": "1.0", "_msg_id": "24527a07899145e7b845b67b17bf4d62", "_reply_q": "reply_348f3dc32ceb4fe0a45152a85e7ab5eb", "_timeout": null, "_unique_id": "fcb476cffa2240dca21d73c855d1cd35", "_context_user": null, "_context_tenant": null, "_context_system_scope": null, "_context_project": null, "_context_domain": null, "_context_user_domain": null, "_context_project_domain": null, "_context_is_admin": true, "_context_read_only": false, "_context_show_deleted": false, "_context_auth_token": null, "_context_request_id": "req-7d4f1d2e-c967-437e-bdfd-913240a7175d", "_context_global_request_id": null, "_context_resource_uuid": null, "_context_roles": [], "_context_user_identity": "- - - - -", "_context_is_admin_project": true, "_context_user_id": null, "_context_tenant_id": null, "_context_project_id": null, "_context_timestamp": "2021-09-15 11:57:56.599749", "_context_tenant_name": null, "_context_project_name": null, "_context_user_name": null}'}' _send /usr/lib/python3/dist-packages/oslo_messaging/_drivers/amqpdriver.py:665
2021-09-15 11:58:25.928 347184 DEBUG oslo_messaging._drivers.amqpdriver [-] OCHAZE received reply msg_id: 24527a07899145e7b845b67b17bf4d62 - msg {'result': [{'project_id': 'cd5c71b23e9e49faa88e5a0a5b58091c', 'id': '3598acb9-ff44-4dc4-aafc-2cb3f14f6aed', 'name': 'right-vpn', 'description': '', 'status': 'PENDING_CREATE', 'admin_state_up': True, 'external_v4_ip': '128.65.194.72', 'external_v6_ip': None, 'subnet_id': None, 'router_id': '4ad3da29-647b-4133-9f31-933e31c82b1f', 'flavor_id': None, 'tenant_id': 'cd5c71b23e9e49faa88e5a0a5b58091c', 'ipsec_site_connections': [{'project_id': 'cd5c71b23e9e49faa88e5a0a5b58091c', 'id': '903666c9-a079-4dd6-a578-47f454eec883', 'name': 'right-to-left', 'description': '', 'peer_address': '128.65.194.71', 'peer_id': '128.65.194.71', 'local_id': '', 'route_mode': 'static', 'mtu': 1500, 'initiator': 'bi-directional', 'auth_mode': 'psk', 'psk': 'a_strong_secret', 'dpd_action': 'hold', 'dpd_interval': 30, 'dpd_timeout': 120, 'status': 'PENDING_CREATE', 'admin_state_up': True, 'vpnservice_id': '3598acb9-ff44-4dc4-aafc-2cb3f14f6aed', 'ipsecpolicy_id': 'c2d2a3fb-3689-4999-a034-8536cc663873', 'ikepolicy_id': 'ebd691ae-8050-4b34-bb43-48c9571d2ff2', 'local_ep_group_id': '4bb42dfc-72b7-4e20-bc5d-9f52f29093e6', 'peer_ep_group_id': '1ef66fb8-8420-44e0-855f-07b7a0d026bf', 'peer_cidrs': ['10.0.0.0/24'], 'ikepolicy': {'project_id': 'cd5c71b23e9e49faa88e5a0a5b58091c', 'id': 'ebd691ae-8050-4b34-bb43-48c9571d2ff2', 'name': 'ikepolicy', 'description': '', 'auth_algorithm': 'sha256', 'encryption_algorithm': 'aes-256', 'phase1_negotiation_mode': 'main', 'lifetime_units': 'seconds', 'lifetime_value': 3600, 'ike_version': 'v2', 'pfs': 'group5'}, 'ipsecpolicy': {'project_id': 'cd5c71b23e9e49faa88e5a0a5b58091c', 'id': 'c2d2a3fb-3689-4999-a034-8536cc663873', 'name': 'ipsecpolicy', 'description': '', 'transform_protocol': 'esp', 'auth_algorithm': 'sha256', 'encryption_algorithm': 'aes-256', 'encapsulation_mode': 'tunnel', 'lifetime_units': 'seconds', 
'lifetime_value': 3600, 'pfs': 'group5'}, 'local_cidrs': ['192.168.0.0/24'], 'local_ip_vers': 4, 'external_ip': '128.65.194.72'}], 'subnet': {'cidr': '192.168.0.0/24'}, 'external_ip': '128.65.194.72'}, {'project_id': 'cd5c71b23e9e49faa88e5a0a5b58091c', 'id': 'd8a81686-f1fa-4940-a324-5735e061210a', 'name': 'left-vpn', 'description': '', 'status': 'PENDING_CREATE', 'admin_state_up': True, 'external_v4_ip': '128.65.194.71', 'external_v6_ip': None, 'subnet_id': None, 'router_id': 'b5c483c6-b615-4f81-811d-b2dc1f0935c3', 'flavor_id': None, 'tenant_id': 'cd5c71b23e9e49faa88e5a0a5b58091c', 'ipsec_site_connections': [{'project_id': 'cd5c71b23e9e49faa88e5a0a5b58091c', 'id': '60450152-a6bc-49fa-8919-167cc0ac2f8e', 'name': 'left-to-right', 'description': '', 'peer_address': '128.65.194.72', 'peer_id': '128.65.194.72', 'local_id': '', 'route_mode': 'static', 'mtu': 1500, 'initiator': 'bi-directional', 'auth_mode': 'psk', 'psk': 'a_strong_secret', 'dpd_action': 'hold', 'dpd_interval': 30, 'dpd_timeout': 120, 'status': 'PENDING_CREATE', 'admin_state_up': True, 'vpnservice_id': 'd8a81686-f1fa-4940-a324-5735e061210a', 'ipsecpolicy_id': 'c2d2a3fb-3689-4999-a034-8536cc663873', 'ikepolicy_id': 'ebd691ae-8050-4b34-bb43-48c9571d2ff2', 'local_ep_group_id': 'e7059dc2-721b-4849-b00e-d0b534e77ec9', 'peer_ep_group_id': '54b10d8f-f225-46e3-b8e2-29cf61b41c01', 'peer_cidrs': ['192.168.0.0/24'], 'ikepolicy': {'project_id': 'cd5c71b23e9e49faa88e5a0a5b58091c', 'id': 'ebd691ae-8050-4b34-bb43-48c9571d2ff2', 'name': 'ikepolicy', 'description': '', 'auth_algorithm': 'sha256', 'encryption_algorithm': 'aes-256', 'phase1_negotiation_mode': 'main', 'lifetime_units': 'seconds', 'lifetime_value': 3600, 'ike_version': 'v2', 'pfs': 'group5'}, 'ipsecpolicy': {'project_id': 'cd5c71b23e9e49faa88e5a0a5b58091c', 'id': 'c2d2a3fb-3689-4999-a034-8536cc663873', 'name': 'ipsecpolicy', 'description': '', 'transform_protocol': 'esp', 'auth_algorithm': 'sha256', 'encryption_algorithm': 'aes-256', 'encapsulation_mode': 
'tunnel', 'lifetime_units': 'seconds', 'lifetime_value': 3600, 'pfs': 'group5'}, 'local_cidrs': ['10.0.0.0/24'], 'local_ip_vers': 4, 'external_ip': '128.65.194.71'}], 'subnet': {'cidr': '10.0.0.0/24'}, 'external_ip': '128.65.194.71'}], 'failure': None, 'ending': True, '_unique_id': 'fda9aa1916434643a64d406e60a85a35'} __call__ /usr/lib/python3/dist-packages/oslo_messaging/_drivers/amqpdriver.py:509

* SETUP

* network-nodes:

neutron.conf

service_plugins=router,metering,qos,trunk,vpnaas

l3_agent.ini

[DEFAULT]
ovs_use_veth = False
interface_driver = openvswitch
agent_mode=dvr_snat
debug=True

[agent]
extensions = vpnaas

[vpnagent]
vpn_device_driver=neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver

* controller-nodes:

neutron.conf

service_plugins=router,metering,qos,trunk,segments,bgp,vpnaas

neutron_vpnaas.conf

[service_providers]
service_provider = VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default

After the topic name change, VPN services are created successfully:

ochaze@laptop (openstack|ochaze):~$ openstack vpn service list
+--------------------------------------+-----------+--------------------------------------+--------+--------+-------+--------+
| ID | Name | Router | Subnet | Flavor | State | Status |
+--------------------------------------+-----------+--------------------------------------+--------+--------+-------+--------+
| 0b1bcc8b-5be3-4101-9d50-2c3c57799fc6 | left-vpn | b5c483c6-b615-4f81-811d-b2dc1f0935c3 | None | None | True | ACTIVE |
| 1eae9d25-5128-4f20-9f10-b1930f42a2de | right-vpn | 4ad3da29-647b-4133-9f31-933e31c82b1f | None | None | True | ACTIVE |
+--------------------------------------+-----------+--------------------------------------+--------+--------+-------+--------+

Tags: vpnaas
tags: added: vpnaas
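
The symptom in this report (a CALL on a topic with no matching "received reply") can be found mechanically by pairing the amqpdriver DEBUG lines on msg_id. The script below is an added example, not part of the original report or of neutron; the function name `correlate` is hypothetical and the sample lines are constructed from the report's log lines with the message bodies dropped.

```python
import re
from collections import defaultdict

# Patterns for the oslo_messaging amqpdriver DEBUG lines quoted in the report.
# search() is used so extra text before CALL/received (such as the reporter's
# OCHAZE marker) does not prevent a match.
CALL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?CALL msg_id: (?P<id>[0-9a-f]{32}) "
    r"exchange '(?P<exchange>[^']*)' topic '(?P<topic>[^']*)'")
REPLY_RE = re.compile(r"received reply msg_id: (?P<id>[0-9a-f]{32})")

def correlate(lines):
    """Return (per-topic call/reply counts, sorted list of unanswered calls)."""
    calls = {}        # msg_id -> (timestamp, topic)
    replied = set()   # msg_ids for which a reply line was seen
    for line in lines:
        m = CALL_RE.search(line)
        if m:
            calls[m["id"]] = (m["ts"], m["topic"])
            continue
        m = REPLY_RE.search(line)
        if m:
            replied.add(m["id"])
    stats = defaultdict(lambda: {"calls": 0, "replies": 0})
    pending = []
    for msg_id, (ts, topic) in calls.items():
        stats[topic]["calls"] += 1
        if msg_id in replied:
            stats[topic]["replies"] += 1
        else:
            pending.append((ts, topic, msg_id))
    return dict(stats), sorted(pending)

# Constructed sample: the report's three log lines, message bodies removed.
SAMPLE = [
    "2021-09-15 08:33:01.868 3658566 DEBUG oslo_messaging._drivers.amqpdriver [-] "
    "CALL msg_id: 7888792c39e34204a9508930ec2f3979 exchange 'neutron' "
    "topic 'ipsec_driver' transport_options 'None' _send",
    "2021-09-15 11:58:25.885 347184 DEBUG oslo_messaging._drivers.amqpdriver [-] "
    "OCHAZE CALL msg_id: 24527a07899145e7b845b67b17bf4d62 exchange 'neutron' "
    "topic 'ipsec_agent' transport_options 'None' _send",
    "2021-09-15 11:58:25.928 347184 DEBUG oslo_messaging._drivers.amqpdriver [-] "
    "OCHAZE received reply msg_id: 24527a07899145e7b845b67b17bf4d62 - msg {}",
]

if __name__ == "__main__":
    stats, pending = correlate(SAMPLE)
    for topic, s in stats.items():
        print(f"{topic}: {s['calls']} call(s), {s['replies']} reply(ies)")
    for ts, topic, msg_id in pending:
        print(f"no reply: {ts} topic={topic} msg_id={msg_id}")
```

The parser reads only the timestamp, msg_id, exchange and topic, so it works on logs whose message bodies have been stripped; the reply body quoted in this report includes each connection's `psk` value, which is a reason to strip bodies before sharing such logs.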