Neutron-VPNaaS: vpn service on ovn-vpnaas is hanging in PENDING_CREATE

Bug #2078845 reported by Max Harmathy
This bug affects 1 person
Affects  Status  Importance  Assigned to  Milestone
neutron  New     Undecided   Unassigned

Bug Description

Description
-----------

Using the ovn-vpnaas service plugin from neutron-vpnaas after creating the VPN
service, it hangs in state PENDING_CREATE. The neutron log contains a stacktrace
with the message:

    ovsdbapp.backend.ovs_idl.idlutils.RowNotFound: Cannot find Logical_Router_Port with name=lrp-658529de-f9c1-4f09-8780-1e576853e601

Pre-conditions
--------------

The issue was encountered on a testbed cluster, but is also reproducible with
devstack on a single computer.

The devstack machine is running on Debian bookworm and has two NICs, one of
which is solely used for OpenStack networking. (The devstack on this machine is
otherwise functional and served multiple times as test environment.)

Step-by-step reproduction steps
-------------------------------

#. Clone the devstack repository and check out 2024.1:

    git clone -b stable/2024.1 https://opendev.org/openstack/devstack.git

#. Provide local.conf as suggested in the neutron-vpnaas repository [1] and then
   in the devstack directory:

    ./stack.sh

#. Follow the instructions for VPNaaS [2]:

    openstack vpn ike policy create ikepolicy
    openstack vpn ipsec policy create ipsecpolicy
    openstack vpn service create vpn --router router1

#. Observe in the neutron log the above error (see attachment)

    journalctl --boot 0 --identifier neutron-server

#. Check the vpn service

    openstack vpn service show vpn

[1] https://opendev.org/openstack/neutron-vpnaas/src/branch/master/devstack/ovn-local.conf.sample
[2] https://docs.openstack.org/neutron/latest/admin/vpnaas-scenario.html#using-vpnaas-with-endpoint-group-recommended

Expected output
---------------

Status CREATED or ACTIVE for the vpn service.

Actual output
-------------

Status PENDING_CREATE

Versions
--------

- OS: Debian bookworm (Linux 6.1.106)
- Devstack 2024.1
- Openstackclient: 6.6.0

Perceived severity
------------------

Blocker for using VPNaaS on OVN

Tags: ovn vpnaas
Max Harmathy (max-harmathy) wrote :
tags: added: ovn
Bodo Petermann (bpetermann) wrote :

The state of the vpn service stays in PENDING_CREATE until you create an ipsec site connection.
Could you check if the state changes after creating one?

I didn't see the "Cannot find Logical_Router_Port" exceptions in our vpnaas/ovn setup. At this point I'm not sure if that points to some problem or not. I will have to reproduce it.

Bodo Petermann (bpetermann) wrote :

I ran a devstack with 2024.1 now and yes, the fresh vpn service will stay in state PENDING_CREATE. But if you add a site connection it will become ACTIVE.
Apart from the misleading "PENDING_CREATE" in the beginning the rest of the setup works.

Then there's the exception "Cannot find Logical_Router_Port". That does not seem to break the VPN setup though. I do see those exceptions in my devstack's q-svc journal and will have a look. So far I only found the exceptions for router ports per subnet (usually the x.x.x.1 address). It might not be related to vpnaas.
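The status behaviour described in the comment above can be turned into a triage check. This is an added example, not part of the bug thread or of neutron-vpnaas; it assumes the input lists come from the Neutron VPNaaS API list responses (keys `id`, `status`, `vpnservice_id`), and the sample records and ids are constructed.

```python
"""Triage VPN services reported as PENDING_CREATE (added example)."""
from collections import defaultdict


def triage_vpn_services(vpnservices, site_connections):
    """Map each VPN service id to (status, verdict).

    Arguments are the lists found under "vpnservices" and
    "ipsec_site_connections" in the Neutron VPNaaS API list responses.
    """
    conn_statuses = defaultdict(list)
    for conn in site_connections:
        conn_statuses[conn["vpnservice_id"]].append(conn["status"])

    report = {}
    for svc in vpnservices:
        status, conns = svc["status"], conn_statuses[svc["id"]]
        if status == "PENDING_CREATE" and not conns:
            # Behaviour described in the thread: a fresh service stays
            # pending until its first ipsec site connection exists.
            verdict = "expected: no ipsec site connection yet"
        elif status == "PENDING_CREATE":
            # Not explained by the thread: connections exist, still pending.
            verdict = "investigate: pending with connections "
            verdict += ",".join(sorted(conns))
        elif status == "ACTIVE":
            verdict = "ok"
        else:
            verdict = "investigate: status " + status
        report[svc["id"]] = (status, verdict)
    return report


# Constructed sample data; the ids are placeholders, not values from the report.
SAMPLE_SERVICES = [
    {"id": "svc-fresh", "name": "vpn", "status": "PENDING_CREATE"},
    {"id": "svc-connected", "name": "vpn2", "status": "ACTIVE"},
    {"id": "svc-stuck", "name": "vpn3", "status": "PENDING_CREATE"},
]
SAMPLE_CONNECTIONS = [
    {"id": "conn-1", "vpnservice_id": "svc-connected", "status": "ACTIVE"},
    {"id": "conn-2", "vpnservice_id": "svc-stuck", "status": "PENDING_CREATE"},
]

if __name__ == "__main__":
    result = triage_vpn_services(SAMPLE_SERVICES, SAMPLE_CONNECTIONS)
    for svc_id, (status, verdict) in result.items():
        print(f"{svc_id}: {status} -> {verdict}")
```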

Bodo Petermann (bpetermann) wrote :

The "Cannot find Logical_Router_Port" exception is logged when you add a subnet to a router, unrelated to vpnaas, e.g. with the following steps:

    openstack router create routername
    openstack network create networkname
    openstack subnet create subnetname --network networkname --subnet-range 192.168.22.0/24
    openstack router add subnet routername subnetname

Internally during the creation of a vpn service the ovn variant of the plugin will create some transit network and subnet and add it to the router. That's when the exception is logged for an internal port with IP 169.254.0.1.
As mentioned earlier, this exception doesn't break the vpn setup.

Lajos Katona (lajos-katona) wrote :

Thanks Bodo for investigating this report.
@max-harmathy could you please confirm that the answer is acceptable for your case/issue?

Max Harmathy (max-harmathy) wrote :

@lajos-katona I'll have a look into it!
