Public bug reported:

When updating admin_state of a functioning ipsec connection to DOWN, it
can be seen in vpn agent logs that pluto fails to restart with the
following error:

2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['ip', 'netns', 'exec', u'qrouter-c758b05b-72fe-4cad-b6a3-696fa0741ed8', 'ipsec', 'addconn', '--ctlbase', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/var/run/pluto.ctl', '--defaultroutenexthop', u'172.24.4.2', '--config', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc/ipsec.conf', u'2d87fe22-47f4-4e37-a172-39990942db79']
2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 1
2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout: conn '2d87fe22-47f4-4e37-a172-39990942db79': not found (tried aliases)

(http://paste.openstack.org/show/476720/)

And, if we try to update the connection's admin_state to UP, pluto doesn't
start at all due to a conflict with an already existing process:

2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError:
2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['ip', 'netns', 'exec', u'qrouter-c758b05b-72fe-4cad-b6a3-696fa0741ed8', 'ipsec', 'pluto', '--ctlbase', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/var/run/pluto', '--ipsecdir', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc/ipsec.secrets', '--virtual_private', u'%v4:10.0.2.0/24,%v4:10.0.1.0/24']
2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 10
2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout:
2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stderr: adjusting ipsec.d to /opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc
2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec pluto: lock file "/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/var/run/pluto.pid" already exists

(http://paste.openstack.org/show/476722/)

The reason is that the given connection wasn't included in ipsec.conf
because it had admin_state_up=False [1]. We have to skip loading such
connections into pluto on start.

[1] https://github.com/openstack/neutron-vpnaas/blob/master/neutron_vpnaas/services/vpn/device_drivers/template/openswan/ipsec.conf.template#L8

** Affects: neutron
     Importance: Undecided
     Assignee: Elena Ezhova (eezhova)
         Status: New

** Tags: vpnaas

** Tags added: vpnaas

** Changed in: neutron
     Assignee: (unassigned) => Elena Ezhova (eezhova)

** Description changed:

- When updating admin_state of functioning ipsec connection to DOWN, it
+ When updating admin_state of a functioning ipsec connection to DOWN, it
  can be seen in vpn agent logs that pluto fails to restart with the
  following error:

  2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['ip', 'netns', 'exec', u'qrouter-c758b05b-72fe-4cad-b6a3-696fa0741ed8', 'ipsec', 'addconn', '--ctlbase', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/var/run/pluto.ctl', '--defaultroutenexthop', u'172.24.4.2', '--config', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc/ipsec.conf', u'2d87fe22-47f4-4e37-a172-39990942db79']
  2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 1
  2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
  2015-10-19 14:05:11.622 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout: conn '2d87fe22-47f4-4e37-a172-39990942db79': not found (tried aliases)

  (http://paste.openstack.org/show/476720/)

  And, if we try to update connection's admin_state to UP, pluto doesn't
  start at all due conflict with already existing process:

  2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError:
  2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Command: ['ip', 'netns', 'exec', u'qrouter-c758b05b-72fe-4cad-b6a3-696fa0741ed8', 'ipsec', 'pluto', '--ctlbase', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/var/run/pluto', '--ipsecdir', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc', '--use-netkey', '--uniqueids', '--nat_traversal', '--secretsfile', u'/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc/ipsec.secrets', '--virtual_private', u'%v4:10.0.2.0/24,%v4:10.0.1.0/24']
  2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Exit code: 10
  2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdin:
  2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stdout:
  2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec Stderr: adjusting ipsec.d to /opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/etc
  2015-10-19 14:06:29.271 TRACE neutron_vpnaas.services.vpn.device_drivers.ipsec pluto: lock file "/opt/stack/data/neutron/ipsec/c758b05b-72fe-4cad-b6a3-696fa0741ed8/var/run/pluto.pid" already exists

  (http://paste.openstack.org/show/476722/)
-
- The reason is that given connection wasn't included into ipsec.conf because it had admin_state_up=False [1]. We have to skip loading such connections into pluto on start.
+ The reason is that given connection wasn't included into ipsec.conf
+ because it had admin_state_up=False [1]. We have to skip loading such
+ connections into pluto on start.

  [1] https://github.com/openstack/neutron-
  vpnaas/blob/master/neutron_vpnaas/services/vpn/device_drivers/template/openswan/ipsec.conf.template#L8

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1507672

Title:
  [VPNaaS] failures when updating admin_state of ipsec connections

Status in neutron:
  New
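
The root cause described in the report, as an added example that is not part of the original message and is not neutron-vpnaas code: a small model in which the config renderer omits admin-down connections while the loader still asks for them, next to the proposed skip. The function names, the `right=` line and the sample connections are assumptions made for illustration.

```python
# Added illustration, not neutron-vpnaas code: a minimal model of the mismatch
# described in the report. All function names here are hypothetical.

def render_ipsec_conf(connections):
    """Render a config the way the report describes the template behaving:
    a 'conn' section is written only when admin_state_up is true."""
    lines = ["config setup"]
    for conn in connections:
        if conn["admin_state_up"]:
            lines += ["conn %s" % conn["id"],
                      "    right=%s" % conn["peer_address"]]
    return "\n".join(lines) + "\n"


def addconn(conf_text, conn_id):
    """Stand-in for `ipsec addconn --config <conf> <conn_id>`: returns
    (exit_code, stdout) and fails when the section is absent."""
    known = {line.split(None, 1)[1] for line in conf_text.splitlines()
             if line.startswith("conn ")}
    if conn_id not in known:
        return 1, "conn '%s': not found (tried aliases)" % conn_id
    return 0, ""


def load_connections(connections, skip_admin_down):
    """Load connections into the daemon; return {conn_id: (exit_code, stdout)}."""
    conf = render_ipsec_conf(connections)
    results = {}
    for conn in connections:
        if skip_admin_down and not conn["admin_state_up"]:
            continue  # proposed fix: never request a section that was not rendered
        results[conn["id"]] = addconn(conf, conn["id"])
    return results


# Constructed sample data; the second id is the one shown in the report's log.
SAMPLE = [
    {"id": "conn-up-example", "admin_state_up": True,
     "peer_address": "192.0.2.10"},
    {"id": "2d87fe22-47f4-4e37-a172-39990942db79", "admin_state_up": False,
     "peer_address": "192.0.2.20"},
]

if __name__ == "__main__":
    print("load all:       ", load_connections(SAMPLE, skip_admin_down=False))
    print("skip admin-down:", load_connections(SAMPLE, skip_admin_down=True))
```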