Bug 2002278
Summary: | After reboot IPSec communication stops working | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux Fast Datapath | Reporter: | Ales Musil <amusil> |
Component: | ovn-2021 | Assignee: | Mark Gray <mark.d.gray> |
Status: | CLOSED NOTABUG | QA Contact: | ying xu <yinxu> |
Severity: | high | Docs Contact: | |
Priority: | medium | | |
Version: | FDP 21.F | CC: | ctrautma, jiji, mark.d.gray, mburman, mmichels |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Last Closed: | 2021-10-28 12:09:18 UTC | Type: | Bug |
Bug Blocks: | 1782056 |
Description
Ales Musil
2021-09-08 12:08:36 UTC
Hi Ales Musil,
I am a little confused. I didn't find "reboot" in your steps.
So I should reboot after which step to reproduce it?
Thanks very much!

(In reply to ying xu from comment #1)
> hi, Ales Musil
> I am a little confused .I didn't find "reboot" in your steps.
>
> so I should reboot after which step to reproduce it?
>
> Thanks very much!

Oh, sorry, my bad. It should be rebooted after step 3.
Thanks,
Ales

Hi,
When it is failing, could you run the following commands on both hosts and post the output?

```
ip r
ip a
ps -ef | grep pluto
ps -ef | grep ovs-monitor-ipsec
ovs-appctl -t ovs-monitor-ipsec tunnels/show
```

Thanks

Can you also try `systemctl stop firewalld` on both hosts?
Thanks

Hi, output for both hosts is attached. It probably has something to do with firewall rules, as stopping firewalld helped.

Rather than stopping the firewall, can you add rules to it as specified in https://docs.openvswitch.org/en/latest/tutorials/ipsec/#fedora
Let me know if this resolves your issue.

(In reply to Mark Gray from comment #8)
> Rather than stopping the firewall, can you add rules to it as specified in
> https://docs.openvswitch.org/en/latest/tutorials/ipsec/#fedora
>
> Let me know if this resolves your issue.

No, didn't help. I have added permanent ipsec to both hosts and reloaded the firewall. It might be even worse because the other host cannot see the traffic at all now.

Sorry, ignore my last message, I had the wrong central started. It indeed seems to help. But it is not documented [0]. Would it be possible to document it there to prevent any further confusion?
Thanks

[0] https://docs.ovn.org/en/latest/tutorials/ovn-ipsec.html

Sent patch to update the documentation at https://patchwork.ozlabs.org/project/ovn/patch/20211014132134.67138-1-mark.d.gray@redhat.com/

Thanks, but is it only on Fedora? This was happening with RHEL and CentOS.

Yeah, but the instruction is the same. We don't specifically call out RHEL or CentOS in the documentation. Do you think we should modify it further?

I added an additional patch specifying RHEL and CentOS.
https://patchwork.ozlabs.org/project/ovn/list/?series=268332
Can you please review and, if you have any issues, can you reply upstream?
Thanks,
Mark

Hi, it looks good. Thanks