Thanks! It was nice trading fixes ;-) _____________________________ From: Will Stevens <wstev...@cloudops.com<mailto:wstev...@cloudops.com>> Sent: Monday, April 24, 2017 10:28 PM Subject: Re: [4.10] VPN disconnected while network changes taken To: <dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>>
Fair enough. Well you will have a fix if people start to complain. :P *Will STEVENS* Lead Developer <https://goo.gl/NYZ8KK> On Mon, Apr 24, 2017 at 4:21 PM, Remi Bergsma <rberg...@schubergphilis.com<mailto:rberg...@schubergphilis.com>> wrote: > I dont think the remote access feature is used a lot in our deploys, so I > would assume it has the same issue. We mainly use s2s. > > Regards, Remi > ________________________________ > From: Will Stevens <williamstev...@gmail.com<mailto:williamstev...@gmail.com>> > Sent: Monday, April 24, 2017 8:00:25 PM > To: dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org> > Subject: Re: [4.10] VPN disconnected while network changes taken > > @remi, judging from your configure.py, I am assuming that any network > change, like adding a PF rule, will drop the Remote Access VPN connection > as well. Is that the case? Or am I missing something? > > On Mon, Apr 24, 2017 at 1:49 PM, Will Stevens > <williamstev...@gmail.com<mailto:williamstev...@gmail.com>> > wrote: > > > I am trying to find a way to remove this explicit down and still be able > > to keep the VPN connection up. > > > > https://github.com/apache/cloudstack/blob/master/ > systemvm/patches/debian/ > > config/opt/cloud/bin/configure.py#L638 > > > > On Mon, Apr 24, 2017 at 1:41 PM, Will Stevens > > <williamstev...@gmail.com<mailto:williamstev...@gmail.com>> > > wrote: > > > >> @remi yes, I think you are right that we should change that for the > >> site2site config. I will check that after. > >> > >> The issue referred to in this thread is in reference to the remote > access > >> VPN dropping when other networking is configured. > >> > >> In this case it is not a mystery why it is going down since we actually > >> call a down on it when it gets reconfigured. I have been trying to get > it > >> to handle network config changes without taking down the VPN. > >> > >> I have obviously removed the explicit down and am trying to find a > >> working configuration, but when xl2tpd is stopped, it goes down hard and > >> when it comes back up it can't find the same tunnel, so the tunnel is > >> dropped. > >> > >> I will review your config to see how you are handling this. > >> > >> Thanks for the support. > >> > >> On Apr 24, 2017 1:02 PM, "Remi Bergsma" > >> <rberg...@schubergphilis.com<mailto:rberg...@schubergphilis.com>> > >> wrote: > >> > >>> Hi all, > >>> > >>> While I haven’t investigated this issue, it does sound similar to what > I > >>> fixed in Cosmic (our fork) last month. > >>> > >>> This code does a down/up of the VPN connection: > >>> https://github.com/apache/cloudstack/blob/master/systemvm/pa > >>> tches/debian/config/opt/cloud/bin/configure.py#L547-L548 > >>> > >>> We found that to be impacting. Since we have auto=start in the config > >>> file already, we only have to reload the config and ipsec will take > care of > >>> the rest on its own. Fast & easy! Most of all, no more unneeded > restarts. > >>> > >>> Simply put: just remove the stop/start lines as it is not needed. > >>> The code is also hit when non-VPN changes are made, so that’s probably > >>> why people report that another change causes it to disconnect. > >>> > >>> This is how we fixed it: > >>> https://github.com/MissionCriticalCloud/cosmic/pull/339/comm > >>> its/5ee5e70894a321f4d633c836e0bacef481b2b9af > >>> > >>> Hope this gives some inspiration and a possible solution. > >>> > >>> Regards, Remi > >>> > >>> > >>> > >>> On 24/04/2017, 17:50, > >>> "williamstev...@gmail.com<mailto:williamstev...@gmail.com> on behalf of > >>> Will > >>> Stevens" <williamstev...@gmail.com<mailto:williamstev...@gmail.com> on > >>> behalf of wstev...@cloudops.com<mailto:wstev...@cloudops.com>> > >>> wrote: > >>> > >>> Working on it now, I will let you know when I have a fix. > >>> > >>> *Will STEVENS* > >>> Lead Developer > >>> > >>> <https://goo.gl/NYZ8KK> > >>> > >>> On Mon, Apr 24, 2017 at 11:34 AM, Haijiao > >>> <18602198...@163.com<mailto:18602198...@163.com>> > >>> wrote: > >>> > >>> > Hi Will > >>> > > >>> > Any progress about this issue ? > >>> > > >>> > tks > >>> > > >>> > > >>> > Sent from my mobile > >>> > > >>> > --------- 转发的邮件 --------- > >>> > 发件人: Haijiao <18602198...@163.com<mailto:18602198...@163.com>> > >>> > 发送日期: 2017年04月14日 23:21 > >>> > 收件人: dev <dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>> > >>> > 抄送人: > >>> > 主题: Re:Re: [4.10] VPN disconnected while network changes taken > >>> > Sure, Karuturi > >>> > > >>> > Logged a bug in Jira, thanks! > >>> > > >>> > CLOUDSTACK-9878 Remote Access VPN that losing connection when new > >>> network > >>> > configs are introduced > >>> > https://issues.apache.org/jira/browse/CLOUDSTACK-9878 > >>> > > >>> > > >>> > > >>> > 在2017年04月14 13时14分, "Rajani > >>> > Karuturi"<raj...@apache.org<mailto:raj...@apache.org>>写道: > >>> > > >>> > > >>> > Hi Haijiao, > >>> > > >>> > Thanks for testing. Can you log a bug for this please? It can be > >>> > a blocker for 4.10. > >>> > > >>> > @Will, > >>> > > >>> > Did you get a chance to take a look at this issue? > >>> > > >>> > Thanks, > >>> > > >>> > ~ Rajani > >>> > > >>> > http://cloudplatform.accelerite.com/ > >>> > > >>> > On April 12, 2017 at 7:12 AM, Will Stevens > >>> > (wstev...@cloudops.com<mailto:wstev...@cloudops.com>) wrote: > >>> > > >>> > Thanks, I will have a look. > >>> > > >>> > *Will STEVENS* > >>> > Lead Developer > >>> > > >>> > <https://goo.gl/NYZ8KK> > >>> > > >>> > On Tue, Apr 11, 2017 at 8:58 PM, Haijiao > >>> > <18602198...@163.com<mailto:18602198...@163.com>> > >>> > wrote: > >>> > > >>> > HI, Will > >>> > It's a Remote Access VPN that losing connection while new > >>> > network configs > >>> > introduced. > >>> > Thanks ! > >>> > > >>> > 在2017年04月12 02时26分, "Will > >>> > Stevens"<wstev...@cloudops.com<mailto:wstev...@cloudops.com>>写道: > >>> > > >>> > Is this a Site-to-Site VPN connection or the Remote Access VPN > >>> > that is > >>> > losing connection when new network configs are introduced? > >>> > > >>> > Thanks, > >>> > > >>> > *Will STEVENS* > >>> > Lead Developer > >>> > > >>> > <https://goo.gl/NYZ8KK> > >>> > > >>> > On Sat, Apr 8, 2017 at 12:49 AM, Haijiao > >>> > <18602198...@163.com<mailto:18602198...@163.com>> > >>> > wrote: > >>> > > >>> > Hi, > >>> > > >>> > We built and tested the ACS 4.10 from the latest master (Apr.7, > >>> > 2017) > >>> > > >>> > Our environment is, > >>> > - ACS: 4.10.0.0-SNAPSHOT > >>> > - Management Server: Centos7.2 1151 > >>> > - Host: Centos7.2 1151 > >>> > - System VM: systemvm64template-master-4.10.0-kvm.qcow2.bz2 > >>> > - Network: Isolated Network > >>> > - Network Offering: Offering for Isolated networks with Source > >>> > Nat > >>> > > >>> > service > >>> > > >>> > enabled > >>> > > >>> > We can successfully setup VPN and it works as expected. However, > >>> > once > >>> > > >>> > we > >>> > > >>> > take any network changes below, the VPN connnection will be > >>> > immediately > >>> > disconnected. > >>> > > >>> > - Update firewall rules (add/change) > >>> > - Update port fowarding > >>> > - Update LB > >>> > - Add one more VPN account > >>> > > >>> > Is there some configuration we missed ? Or it's due to the new > >>> > VPN > >>> > component (StrongSWAN) introcuced in 4.10 ? > >>> > > >>> > > >>> > > >>> > > >>> > > >>> > > >>> > > >>> > >>> > >>> > >>> > >>> > > >
