From: "Marcus Sorensen (JIRA)"
To: cloudstack-dev@incubator.apache.org
Reply-To: cloudstack-dev@incubator.apache.org
Date: Thu, 17 Jan 2013 19:06:25 +0000 (UTC)
Subject: [jira] [Comment Edited] (CLOUDSTACK-938) s2s VPN trouble

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13556451#comment-13556451 ]

Marcus Sorensen edited comment on CLOUDSTACK-938 at 1/17/13 7:06 PM:
---------------------------------------------------------------------

Someone could try pulling commit b77503b5bd001d1038bb4cd79c04db7ca993e94e into a local 4.0 branch and testing if they've already got an environment set up to do so. I'll try to figure one out in the meantime but I may not get to it right away. That commit only changes ipsectunnel to ipsectunnel.sh.
As far as the rp_filter, it looks a bit hairy. The script that sets up the rp_filter is simple: it just says that anything that is not eth0 or eth1 is a public interface, which is flawed, but works for the standard VR. The reason why it looks like it does in Abihnav's test is that the VPC router only starts with eth0 and eth1, then adds a nic for each isolated network afterward, so no nic is marked public, because there is no interface on boot that is not eth0 or eth1. The regular isolated router, however, starts up with eth0, 1, and 2, being isolated, command, and public.

The fix, I think, is to avoid this rp_filter disable code altogether in the VPC router, setting rp_filter to off globally, and enable rp_filter when the isolated nics are added via vpc_guestnw.sh.

I don't think the rp_filter issue is causing any immediate problems we have seen thus far, but it does need to be adjusted for VPC routers. This isn't KVM specific. It's in cloud_early_config on the system vm.

was (Author: mlsorensen):

Someone could try pulling commit b77503b5bd001d1038bb4cd79c04db7ca993e94e into a local 4.0 branch and testing if they've already got an environment set up to do so. I'll try to figure one out in the meantime but I may not get to it right away. That commit only changes ipsectunnel to ipsectunnel.sh.

As far as the rp_filter, it looks a bit hairy. The script that sets up the rp_filter is simple: it just says that anything that is not eth0 or eth1 is a public interface, which is flawed. The reason why it looks like it does in Abihnav's test is that the VPC router only starts with eth0 and eth1, then adds a nic for each isolated network afterward, so no rp_filter is set on anything, because there is no interface on boot that is not eth0 or eth1. The regular isolated router, however, starts up with eth0, 1, and 2, being isolated, command, and public.
I don't think the rp_filter issue is causing any immediate problems we have seen thus far, but it does need to be adjusted for VPC routers. This isn't KVM specific. It's in cloud_early_config on the system vm.

> s2s VPN trouble
> ---------------
>
>                 Key: CLOUDSTACK-938
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-938
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Network Controller
>    Affects Versions: 4.0.0, 4.0.1
>         Environment: CentOS 6.3 x86_64
> CS - 4.0.1-0.11
>            Reporter: Richard Shevel
>             Fix For: 4.0.2, 4.1.0
>
>         Attachments: after_restart_VPC.zip, auth.log, catalina.zip, management-server_afer_upgrade2.zip, management-server_after_upgrade.zip, management-server.zip, messages, r-292-vm_log.tar.gz
>
>
> Dear colleagues, the problem is clearly a bug:
> I created a VPC.
> Further, in my VPN Customer Gateway, the settings:
> Gateway 217.70.20.213
> CIDR list 192.168.10.0/24
> IPsec Preshared-Key blablablablablabla
> IKE Encryption 3des
> IKE Hash md5
> IKE DH None
> ESP Encryption 3des
> ESP Hash md5
> Perfect Forward Secrecy None
> IKE lifetime (second) 86 400
> ESP Lifetime (second) 28 800
> Dead Peer Detection Yes
> In the VPC settings I create a VPN Gateway.
> When creating a VPN Connection I get the error:
> Resource [Site2SiteVpnConnection:15] is unreachable: Failed to apply site-to-site VPN
>
> catalina.out:
> WARN [cloud.api.ApiDispatcher] (Job-Executor-11:job-463) class com.cloud.api.ServerApiException : Resource [Site2SiteVpnConnection:15] is unreachable: Failed to apply site-to-site VPN
> WARN [cloud.async.AsyncJobManagerImpl] (Job-Executor-11:job-463) Unable to unregister active job 463 from JMX monitoring
> WARN [network.router.VirtualNetworkApplianceManagerImpl] (RouterStatusMonitor-1:) Unable to update router r-288-VM's VPN connection status
> WARN [network.router.VirtualNetworkApplianceManagerImpl] (RouterStatusMonitor-1:) Unable to update router r-288-VM's VPN connection status
> WARN [network.router.VirtualNetworkApplianceManagerImpl] (RouterStatusMonitor-1:) Unable to update router r-288-VM's VPN connection status
> WARN [network.router.VirtualNetworkApplianceManagerImpl] (RouterStatusMonitor-1:) Unable to update router r-288-VM's VPN connection status
> WARN [network.router.VirtualNetworkApplianceManagerImpl] (RouterStatusMonitor-1:) Unable to update router r-288-VM's VPN connection status
>
> management-server.log:
> 2013-01-09 21:27:54,587 DEBUG [agent.manager.AgentManagerImpl] (AgentManager-Handler-4:null) Ping from 5
> 2013-01-09 21:27:54,623 DEBUG [agent.manager.AgentManagerImpl] (AgentManager-Handler-2:null) Ping from 3
> 2013-01-09 21:28:17,546 DEBUG [storage.secondary.SecondaryStorageManagerImpl] (secstorage-1:null) Zone 1 is ready to launch secondary storage VM
> 2013-01-09 21:28:17,656 DEBUG [cloud.consoleproxy.ConsoleProxyManagerImpl] (consoleproxy-1:null) Zone 1 is ready to launch console proxy
> 2013-01-09 21:28:18,306 DEBUG [network.router.VirtualNetworkApplianceManagerImpl] (RouterStatusMonitor-1:null) Found 3 routers.
> 2013-01-09 21:28:18,316 DEBUG [agent.transport.Request] (RouterStatusMonitor-1:null) Seq 5-223284290: Sending { Cmd , MgmtId: 52239887788, via: 5, Ver: v1, Flags: 100111, [{"CheckS2SVpnConnectionsCommand":{"vpnIps":[],"accessDetails":{"router.ip":"169.254.1.232","router.name":"r-288-VM"},"wait":30}}] }
> 2013-01-09 21:28:18,458 DEBUG [agent.transport.Request] (AgentManager-Handler-3:null) Seq 5-223284290: Processing: { Ans: , MgmtId: 52239887788, via: 5, Ver: v1, Flags: 110, [{"CheckS2SVpnConnectionsAnswer":{"ipToConnected":{},"ipToDetail":{},"details":"CheckS2SVpnConneciontsCommand failed","result":false,"wait":0}}] }
> 2013-01-09 21:28:18,458 DEBUG [agent.manager.AgentAttache] (AgentManager-Handler-3:null) Seq 5-223284290: No more commands found
> 2013-01-09 21:28:18,458 DEBUG [agent.transport.Request] (RouterStatusMonitor-1:null) Seq 5-223284290: Received: { Ans: , MgmtId: 52239887788, via: 5, Ver: v1, Flags: 110, { CheckS2SVpnConnectionsAnswer } }
> 2013-01-09 21:28:18,458 DEBUG [agent.manager.AgentManagerImpl] (RouterStatusMonitor-1:null) Details from executing class com.cloud.agent.api.CheckS2SVpnConnectionsCommand: CheckS2SVpnConneciontsCommand failed
> 2013-01-09 21:28:18,458 WARN [network.router.VirtualNetworkApplianceManagerImpl] (RouterStatusMonitor-1:null) Unable to update router r-288-VM's VPN connection status
> 2013-01-09 21:28:43,063 DEBUG [cloud.server.StatsCollector] (StatsCollector-2:null) StorageCollector is running...
> 2013-01-09 21:28:43,117 DEBUG [agent.transport.Request] (StatsCollector-2:null) Seq 17-292881626: Received: { Ans: , MgmtId: 52239887788, via: 17, Ver: v1, Flags: 10, { GetStorageStatsAnswer } }
> 2013-01-09 21:28:45,185 DEBUG [agent.transport.Request] (StatsCollector-2:null) Seq 3-1166872144: Received: { Ans: , MgmtId: 52239887788, via: 3, Ver: v1, Flags: 10, { GetStorageStatsAnswer } }
> 2013-01-09 21:28:47,545 DEBUG [storage.secondary.SecondaryStorageManagerImpl] (secstorage-1:null) Zone 1 is ready to launch secondary storage VM
> 2013-01-09 21:28:47,655 DEBUG [cloud.consoleproxy.ConsoleProxyManagerImpl] (consoleproxy-1:null) Zone 1 is ready to launch console proxy
> 2013-01-09 21:28:48,305 DEBUG [network.router.VirtualNetworkApplianceManagerImpl] (RouterStatusMonitor-1:null) Found 3 routers.
> 2013-01-09 21:28:48,328 DEBUG [agent.transport.Request] (RouterStatusMonitor-1:null) Seq 5-223284291: Sending { Cmd , MgmtId: 52239887788, via: 5, Ver: v1, Flags: 100111, [{"CheckS2SVpnConnectionsCommand":{"vpnIps":[],"accessDetails":{"router.ip":"169.254.1.232","router.name":"r-288-VM"},"wait":30}}] }
> 2013-01-09 21:28:48,430 DEBUG [agent.transport.Request] (AgentManager-Handler-9:null) Seq 5-223284291: Processing: { Ans: , MgmtId: 52239887788, via: 5, Ver: v1, Flags: 110, [{"CheckS2SVpnConnectionsAnswer":{"ipToConnected":{},"ipToDetail":{},"details":"CheckS2SVpnConneciontsCommand failed","result":false,"wait":0}}] }
> 2013-01-09 21:28:48,430 DEBUG [agent.manager.AgentAttache] (AgentManager-Handler-9:null) Seq 5-223284291: No more commands found
> 2013-01-09 21:28:48,430 DEBUG [agent.transport.Request] (RouterStatusMonitor-1:null) Seq 5-223284291: Received: { Ans: , MgmtId: 52239887788, via: 5, Ver: v1, Flags: 110, { CheckS2SVpnConnectionsAnswer } }
> 2013-01-09 21:28:48,430 DEBUG [agent.manager.AgentManagerImpl] (RouterStatusMonitor-1:null) Details from executing class com.cloud.agent.api.CheckS2SVpnConnectionsCommand: CheckS2SVpnConneciontsCommand failed
> 2013-01-09 21:28:48,430 WARN [network.router.VirtualNetworkApplianceManagerImpl] (RouterStatusMonitor-1:null) Unable to update router r-288-VM's VPN connection status
> 2013-01-09 21:28:49,298 DEBUG [agent.manager.AgentManagerImpl] (AgentManager-Handler-7:null) Ping from 11
> 2013-01-09 21:28:49,299 DEBUG [agent.manager.AgentManagerImpl] (AgentManager-Handler-6:null) Ping from 17
> 2013-01-09 21:28:51,594 DEBUG [cloud.server.StatsCollector] (StatsCollector-3:null) HostStatsCollector is running...

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
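Added example, not part of the JIRA issue, of this list message, or of CloudStack's own cloud_early_config / vpc_guestnw.sh: a POSIX shell model of the rp_filter handling Marcus describes. It reproduces the boot-time heuristic ("anything that is not eth0 or eth1 is public, so disable rp_filter on it"), shows why it marks nothing on a VPC router that boots with only eth0 and eth1, and sketches the proposed alternative (rp_filter off globally at VPC boot, strict on each guest NIC as it is added). The interface roles (eth0 guest, eth1 control, eth2 public on an isolated router; eth0/eth1 only at VPC boot) and the function names are assumptions for illustration. By default nothing is applied; the functions print plan lines or the sysctl commands they would run, and only APPLY=1 executes them.

```shell
#!/bin/sh
# Added example; not CloudStack's cloud_early_config or vpc_guestnw.sh.
# Interface roles and function names are assumptions taken from the comment.
# Nothing is applied unless APPLY=1 is set; by default the functions print
# "interface value" plan lines or the sysctl commands they would run.

# Boot-time heuristic from the comment: anything that is not eth0 or eth1 is
# assumed to be public, so reverse-path filtering is switched off on it;
# eth0 and eth1 stay strict. Prints one "ifname value" line per interface.
legacy_plan() {
    for ifname in "$@"; do
        case "$ifname" in
            eth0|eth1) printf '%s 1\n' "$ifname" ;;
            *)         printf '%s 0\n' "$ifname" ;;
        esac
    done
}

# Proposed VPC boot plan: no per-interface guessing, rp_filter off globally.
# "default" covers interfaces created later, "all" is the kernel-wide knob.
vpc_boot_plan() {
    printf 'all 0\n'
    printf 'default 0\n'
}

# Proposed hook for when a VPC guest NIC is added: strict check on that NIC only.
vpc_guestnic_plan() {
    printf '%s 1\n' "$1"
}

# The kernel uses max(conf.all.rp_filter, conf.<iface>.rp_filter) for an
# interface, so with all=0 a per-interface 1 takes effect, while a
# per-interface 0 cannot override all=1. This mirrors that rule as a check.
effective_rp_filter() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Consume plan lines on stdin; print (or, with APPLY=1, run) the sysctl commands.
apply_plan() {
    while read -r ifname value; do
        key="net.ipv4.conf.$ifname.rp_filter"
        if [ "${APPLY:-0}" = 1 ]; then
            sysctl -w "$key=$value"
        else
            printf 'sysctl -w %s=%s\n' "$key" "$value"
        fi
    done
}

# Demo: what each router type would get.
echo "# isolated router at boot (eth0 guest, eth1 control, eth2 public):"
legacy_plan eth0 eth1 eth2 | apply_plan
echo "# VPC router at boot (only eth0/eth1 exist, so the heuristic marks nothing public):"
legacy_plan eth0 eth1 | apply_plan
echo "# VPC router, proposed: global off at boot, strict per guest NIC when added:"
{ vpc_boot_plan; vpc_guestnic_plan eth2; vpc_guestnic_plan eth3; } | apply_plan
```

Running it without APPLY=1 only prints the sysctl commands, which is a safe way to see the difference between the two router types before touching a live system VM. The effective_rp_filter check matters for the proposed fix: because the kernel takes the maximum of the global and per-interface values, "off globally, on per guest NIC" works, but the reverse (on globally, off for a public NIC) would not actually disable the check on that NIC.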