Page MenuHomePhabricator
Create Task
Maniphest T164777

BGP session between pfw clusters flapping
Closed, InvalidPublic
Actions

Description

830+ flaps so far. This causes cross DC traffic (like rsync) to fail.

That BGP session goes over an ipsec tunnel.
The following configuration has been added on both sides. It's most likely not the reason of the flap, but should be there nonetheless.

  • allow IKE on lo0 (where ike terminates)
  • specify host-inbound-traffic per interface (I've seen cases where the "global to the security zone" config was not applied properly)
  • Set ipsec tunnel monitoring (for faster monitoring)
[edit security zones security-zone untrust interfaces lo0.0 host-inbound-traffic system-services]
        dns { ... }
+       ike;
[edit security zones security-zone vpn-codfw interfaces st0.0]
+      host-inbound-traffic {
+          system-services {
+              ping;
+              traceroute;
+          }
+          protocols {
+              pim;
+              igmp;
+              bgp;
+          }
+      }
[edit security ipsec vpn vpn-x-ipsec-vpn]
+     vpn-monitor {
+         optimized;
+     }

I also added extra debug logs (starting with ike) on both sides:

# show security ike traceoptions 
file ike-debug.log size 5m files 3;
flag all;

As well as

[edit security ipsec]
+    traceoptions {
+        flag all;
+    }

Event Timeline

ayounsi created this task.May 8 2017, 6:21 PM
Restricted Application added a project: SRE. · View Herald TranscriptMay 8 2017, 6:21 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Jgreen added a project: fundraising-tech-ops.May 8 2017, 6:30 PM
ayounsi updated the task description. (Show Details)May 9 2017, 8:00 AM
Qse24h closed this task as a duplicate of T164723: New git repository: <repo name>.May 9 2017, 10:07 AM
Qse24h closed this task as a duplicate of T164723: New git repository: <repo name>.
Qse24h closed this task as a duplicate of T164723: New git repository: <repo name>.
Qse24h closed this task as a duplicate of T164723: New git repository: <repo name>.
Qse24h closed this task as a duplicate of T164723: New git repository: <repo name>.
Qse24h closed this task as a duplicate of T164723: New git repository: <repo name>.
Qse24h closed this task as a duplicate of T164723: New git repository: <repo name>.
Qse24h closed this task as a duplicate of T164723: New git repository: <repo name>.
Qse24h closed this task as a duplicate of T164723: New git repository: <repo name>.
Qse24h closed this task as a duplicate of T164723: New git repository: <repo name>.
MoritzMuehlenhoff reopened this task as Open.May 9 2017, 10:09 AM
ayounsi added a comment.May 11 2017, 10:37 AM

Nothing explicit in the logs. I've open case 2017-0511-0002 with JTAC

ayounsi closed this task as Invalid.Jun 27 2017, 2:22 PM

Going to replace the pfw soon, not worth investigating more, unless it's causing visible issues.

Dwisehaupt moved this task from Triage to Done on the fundraising-tech-ops board.Feb 13 2020, 10:01 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL