From: Will Stevens
Date: Mon, 24 Apr 2017 16:28:34 -0400
Subject: Re: [4.10] VPN disconnected while network changes taken
To: "dev@cloudstack.apache.org"

Fair enough. Well you will have a fix if people start to complain. :P

*Will STEVENS*
Lead Developer

On Mon, Apr 24, 2017 at 4:21 PM, Remi Bergsma wrote:

> I don't think the remote access feature is used a lot in our deploys, so I
> would assume it has the same issue. We mainly use s2s.
>
> Regards, Remi
> ________________________________
> From: Will Stevens
> Sent: Monday, April 24, 2017 8:00:25 PM
> To: dev@cloudstack.apache.org
> Subject: Re: [4.10] VPN disconnected while network changes taken
>
> @remi, judging from your configure.py, I am assuming that any network
> change, like adding a PF rule, will drop the Remote Access VPN connection
> as well. Is that the case? Or am I missing something?
>
> On Mon, Apr 24, 2017 at 1:49 PM, Will Stevens wrote:
>
> > I am trying to find a way to remove this explicit down and still be able
> > to keep the VPN connection up.
> >
> > https://github.com/apache/cloudstack/blob/master/systemvm/patches/debian/config/opt/cloud/bin/configure.py#L638
> >
> > On Mon, Apr 24, 2017 at 1:41 PM, Will Stevens wrote:
> >
> >> @remi yes, I think you are right that we should change that for the
> >> site2site config. I will check that after.
> >>
> >> The issue referred to in this thread is in reference to the remote access
> >> VPN dropping when other networking is configured.
> >>
> >> In this case it is not a mystery why it is going down since we actually
> >> call a down on it when it gets reconfigured.
> >> I have been trying to get it
> >> to handle network config changes without taking down the VPN.
> >>
> >> I have obviously removed the explicit down and am trying to find a
> >> working configuration, but when xl2tpd is stopped, it goes down hard and
> >> when it comes back up it can't find the same tunnel, so the tunnel is
> >> dropped.
> >>
> >> I will review your config to see how you are handling this.
> >>
> >> Thanks for the support.
> >>
> >> On Apr 24, 2017 1:02 PM, "Remi Bergsma" wrote:
> >>
> >>> Hi all,
> >>>
> >>> While I haven't investigated this issue, it does sound similar to what I
> >>> fixed in Cosmic (our fork) last month.
> >>>
> >>> This code does a down/up of the VPN connection:
> >>> https://github.com/apache/cloudstack/blob/master/systemvm/patches/debian/config/opt/cloud/bin/configure.py#L547-L548
> >>>
> >>> We found that to be impacting. Since we have auto=start in the config
> >>> file already, we only have to reload the config and ipsec will take care of
> >>> the rest on its own. Fast & easy! Most of all, no more unneeded restarts.
> >>>
> >>> Simply put: just remove the stop/start lines as it is not needed.
> >>> The code is also hit when non-VPN changes are made, so that's probably
> >>> why people report that another change causes it to disconnect.
> >>>
> >>> This is how we fixed it:
> >>> https://github.com/MissionCriticalCloud/cosmic/pull/339/commits/5ee5e70894a321f4d633c836e0bacef481b2b9af
> >>>
> >>> Hope this gives some inspiration and a possible solution.
> >>>
> >>> Regards, Remi
> >>>
> >>> On 24/04/2017, 17:50, "williamstevens@gmail.com on behalf of Will Stevens" wrote:
> >>>
> >>> Working on it now, I will let you know when I have a fix.
> >>>
> >>> *Will STEVENS*
> >>> Lead Developer
> >>>
> >>> On Mon, Apr 24, 2017 at 11:34 AM, Haijiao <18602198181@163.com> wrote:
> >>>
> >>> > Hi Will
> >>> >
> >>> > Any progress about this issue?
> >>> >
> >>> > tks
> >>> >
> >>> > Sent from my mobile
> >>> >
> >>> > --------- Forwarded message ---------
> >>> > From: Haijiao <18602198181@163.com>
> >>> > Sent: 2017-04-14 23:21
> >>> > To: dev
> >>> > Cc:
> >>> > Subject: Re:Re: [4.10] VPN disconnected while network changes taken
> >>> > Sure, Karuturi
> >>> >
> >>> > Logged a bug in Jira, thanks!
> >>> >
> >>> > CLOUDSTACK-9878 Remote Access VPN that losing connection when new network
> >>> > configs are introduced
> >>> > https://issues.apache.org/jira/browse/CLOUDSTACK-9878
> >>> >
> >>> > On 2017-04-14 at 13:14, "Rajani Karuturi" wrote:
> >>> >
> >>> > Hi Haijiao,
> >>> >
> >>> > Thanks for testing. Can you log a bug for this please? It can be
> >>> > a blocker for 4.10.
> >>> >
> >>> > @Will,
> >>> >
> >>> > Did you get a chance to take a look at this issue?
> >>> >
> >>> > Thanks,
> >>> >
> >>> > ~ Rajani
> >>> >
> >>> > http://cloudplatform.accelerite.com/
> >>> >
> >>> > On April 12, 2017 at 7:12 AM, Will Stevens
> >>> > (wstevens@cloudops.com) wrote:
> >>> >
> >>> > Thanks, I will have a look.
> >>> >
> >>> > *Will STEVENS*
> >>> > Lead Developer
> >>> >
> >>> > On Tue, Apr 11, 2017 at 8:58 PM, Haijiao <18602198181@163.com> wrote:
> >>> >
> >>> > HI, Will
> >>> > It's a Remote Access VPN that losing connection while new
> >>> > network configs
> >>> > introduced.
> >>> > Thanks!
> >>> >
> >>> > On 2017-04-12 at 02:26, "Will Stevens" wrote:
> >>> >
> >>> > Is this a Site-to-Site VPN connection or the Remote Access VPN that is
> >>> > losing connection when new network configs are introduced?
> >>> >
> >>> > Thanks,
> >>> >
> >>> > *Will STEVENS*
> >>> > Lead Developer
> >>> >
> >>> > On Sat, Apr 8, 2017 at 12:49 AM, Haijiao <18602198181@163.com> wrote:
> >>> >
> >>> > Hi,
> >>> >
> >>> > We built and tested the ACS 4.10 from the latest master (Apr.7, 2017)
> >>> >
> >>> > Our environment is,
> >>> > - ACS: 4.10.0.0-SNAPSHOT
> >>> > - Management Server: Centos7.2 1151
> >>> > - Host: Centos7.2 1151
> >>> > - System VM: systemvm64template-master-4.10.0-kvm.qcow2.bz2
> >>> > - Network: Isolated Network
> >>> > - Network Offering: Offering for Isolated networks with Source Nat service enabled
> >>> >
> >>> > We can successfully setup VPN and it works as expected. However, once we
> >>> > take any network changes below, the VPN connection will be immediately
> >>> > disconnected.
> >>> >
> >>> > - Update firewall rules (add/change)
> >>> > - Update port forwarding
> >>> > - Update LB
> >>> > - Add one more VPN account
> >>> >
> >>> > Is there some configuration we missed? Or it's due to the new VPN
> >>> > component (StrongSWAN) introduced in 4.10?
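
The thread traces the disconnects to a VPN handler that runs on every router config update, including non-VPN ones, and restarts the connection each time. One way to avoid that, as an added example that is not CloudStack's or Cosmic's code: write the VPN config only when its content changed and plan a reload instead of a down/up. The function names, conn name, addresses, file name and the choice of `ipsec reload` are assumptions.

```python
import hashlib
import os
import tempfile

def render_conn(name, left, right_subnet):
    """Constructed sample stanza, not CloudStack's real template."""
    return (f"conn {name}\n    left={left}\n"
            f"    rightsubnet={right_subnet}\n    auto=start\n")

def plan_vpn_apply(conf_path, new_text):
    """Write conf_path only if its content changed; return commands to run."""
    old = None
    if os.path.exists(conf_path):
        with open(conf_path, "rb") as fh:
            old = hashlib.sha256(fh.read()).hexdigest()
    if hashlib.sha256(new_text.encode()).hexdigest() == old:
        return []  # a non-VPN change re-ran the handler: leave the tunnel alone
    # Atomic replace so the daemon never reads a half-written file;
    # mkstemp creates the temporary file with mode 0600.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(conf_path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(new_text)
    os.replace(tmp, conf_path)
    # Assumption: reload only, no "ipsec down"/"ipsec up"; per the thread,
    # auto=start in the config makes the explicit restart unnecessary.
    return ["ipsec reload"]

def demo():
    """Apply the same config twice, then a changed one; return each plan."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "vpn.conf")  # hypothetical file name
        conn = render_conn("L2TP-PSK", "203.0.113.10", "10.1.2.0/24")
        first = plan_vpn_apply(path, conn)
        # A firewall or port-forwarding update passes identical VPN data.
        second = plan_vpn_apply(path, conn)
        changed = render_conn("L2TP-PSK", "203.0.113.10", "10.1.3.0/24")
        third = plan_vpn_apply(path, changed)
        return first, second, third

if __name__ == "__main__":
    print(demo())
```
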