Posted to users@cloudstack.apache.org by "Jānis Andersons | Failiem.lv" <ja...@failiem.lv> on 2016/09/29 11:07:35 UTC

slow firewall

I have a total of 20 firewall rules and 50 port forwarding rules for 12 VMs,
and it takes more than 60 seconds to add a new rule.
If a new IP is acquired, adding a new rule takes about 80 seconds even if
there are no rules set for the new IP.
If I try to add multiple rules, it takes much more time for the first rule
and sometimes other rules fail.

I have tried changing the service offering for the router to 2 CPUs, 1GB RAM, but
that doesn't help.

CloudStack 4.8, XenServer, Shared Storage
Virtual Router: Firewall, Vpn, Dhcp, SourceNat, PortForwarding, Lb, 
UserData, Dns.

-- 

J. Anderson


Re[9]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)

Posted by David Amorín <da...@adderglobal.com>.
I have tested with CS 4.9.0 and it is not applied. Let's see if it will be available in 4.9.1.

Thanks for your help

-- 
David Amorín
Director


david.amorin@adderglobal.com
T. 91 133 18 99 Ext. 151
M. 626 94 95 88

-----Original message-----
> From: "Pierre-Luc Dion" <pd...@apache.org>
> To: users@cloudstack.apache.org
> Cc: "David Amorín" <da...@adderglobal.com>, "Patrick Dube 2" <pd...@cloudops.com>
> Date: 26/10/2016 00:22
> Subject: Re: Re[7]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)
>
> Hi David,
>
> Yes, it's a known issue. It has been fixed, I thought in 4.9; maybe the PR
> has not been processed yet?


Re: Re[7]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)

Posted by Pierre-Luc Dion <pd...@apache.org>.
Hi David,

Yes, it's a known issue. It has been fixed, I thought in 4.9; maybe the PR
has not been processed yet?

On Oct 25, 2016 10:46, "Simon Weller" <sw...@ena.com> wrote:

David,


Can you post your question to the dev list?

You're more likely to get a response there.


- Si



Re: Re[7]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)

Posted by Simon Weller <sw...@ena.com>.
David,


Can you post your question to the dev list?

You're more likely to get a response there.


- Si


________________________________
From: David Amorín <da...@adderglobal.com>
Sent: Tuesday, October 25, 2016 9:23 AM
To: users@cloudstack.apache.org; users@cloudstack.apache.org
Subject: Re[7]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)

Sorry to bring up an old question, just want to ask again if somebody
can confirm this issue (inverted order of the ACL rules) with CS 4.9 and
VPC router version 4.6

Thanks,

David



Re[7]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)

Posted by David Amorín <da...@adderglobal.com>.
Sorry to bring up an old question, just want to ask again if somebody 
can confirm this issue (inverted order of the ACL rules) with CS 4.9 and 
VPC router version 4.6

Thanks,

David

------ Original message ------
From: "David Amorín" <da...@adderglobal.com>
To: "users@cloudstack.apache.org" <us...@cloudstack.apache.org>
Sent: 17/10/2016 11:16:03
Subject: Re[6]: Network ACL rules in VPCs are applied in an inverted
order (CLOUDSTACK-9404)

>Hi,
>I did a couple more tests and I can confirm the issue
>(CLOUDSTACK-9404) still happens with version CS 4.9 using the VPC
>router version 4.6
>
>See an example:
>
>I have an egress rule like the following:
>Rule number: 101, CIDR: 8.8.8.8/32, Action: Allow, Traffic Type: Egress,
>Protocol: ICMP, ICMP Type: -1, ICMP Code: -1
>
>Then I add this rule:
>Rule number: 1002, CIDR: 0.0.0.0/0, Action: Deny, Traffic Type: Egress,
>Protocol: ALL
>
>Checking the VR, in file /etc/iptables/router_rules.v4, the rules are
>applied in the wrong order:
>-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
>-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
>-A ACL_OUTBOUND_eth2 -j DROP
>-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
>
>
>But then if I restart the VPC and clean up, I check iptables again and
>now it is in the correct order:
>-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
>-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
>-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
>-A ACL_OUTBOUND_eth2 -j DROP
>
>Is the VPC router version 4.6 the latest one?
>
>I would really appreciate it if somebody else can confirm this issue
>
>Best,
>
>David


Re[6]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)

Posted by David Amorín <da...@adderglobal.com>.
Hi,
I did a couple more tests and I can confirm the issue
(CLOUDSTACK-9404) still happens with version CS 4.9 using the VPC
router version 4.6

See an example:

I have an egress rule like the following:
Rule number: 101, CIDR: 8.8.8.8/32, Action: Allow, Traffic Type: Egress,
Protocol: ICMP, ICMP Type: -1, ICMP Code: -1

Then I add this rule:
Rule number: 1002, CIDR: 0.0.0.0/0, Action: Deny, Traffic Type: Egress,
Protocol: ALL

Checking the VR, in file /etc/iptables/router_rules.v4, the rules are
applied in the wrong order:
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT


But then if I restart the VPC and clean up, I check iptables again and
now it is in the correct order:
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP

Is the VPC router version 4.6 the latest one?

I would really appreciate it if somebody else can confirm this issue

Best,

David
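
A check for the ordering problem shown in the two listings above, as an added example that is not part of the original post or of CloudStack: it reads -A lines in iptables-save format (as in /etc/iptables/router_rules.v4) and reports every rule that follows an unconditional ACCEPT/DROP/REJECT/RETURN in the same chain, since a chain is evaluated top to bottom and such a rule can never match. The function names are hypothetical; the two sample inputs are the listings from the post.

```python
import shlex
from collections import namedtuple

# Targets that end evaluation of the current chain for a matching packet.
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}

Finding = namedtuple("Finding", "chain lineno rule blocked_by_line blocked_by_target")


def parse_rule(line):
    """Parse one '-A CHAIN ...' line; return (chain, target, matches) or None."""
    tokens = shlex.split(line)
    if tokens and tokens[0].startswith("["):      # optional "[pkts:bytes]" counters
        tokens = tokens[1:]
    if len(tokens) < 2 or tokens[0] not in ("-A", "--append"):
        return None
    chain, rest = tokens[1], tokens[2:]
    matches, target = [], None
    for i, tok in enumerate(rest):
        if tok in ("-j", "--jump", "-g", "--goto") and i + 1 < len(rest):
            target = rest[i + 1]                  # what follows are target options
            break
        matches.append(tok)
    return chain, target, matches


def filtering_matches(matches):
    """Drop match tokens that do not restrict traffic (comments, 0.0.0.0/0)."""
    out, i = [], 0
    while i < len(matches):
        tok = matches[i]
        nxt = matches[i + 1] if i + 1 < len(matches) else None
        if (tok == "-m" and nxt == "comment") or tok == "--comment":
            i += 2
        elif tok in ("-s", "-d", "--source", "--destination") and nxt == "0.0.0.0/0":
            i += 2
        else:
            out.append(tok)
            i += 1
    return out


def find_shadowed(ruleset):
    """Return a Finding for each rule placed after a catch-all in its chain."""
    catch_all = {}                                # chain -> (lineno, target)
    findings = []
    for lineno, raw in enumerate(ruleset.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#*:" or line == "COMMIT":
            continue                              # table headers, policies, comments
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, target, matches = parsed
        if chain in catch_all:
            findings.append(Finding(chain, lineno, line, *catch_all[chain]))
        elif target in TERMINAL and not filtering_matches(matches):
            catch_all[chain] = (lineno, target)
    return findings


# The two ACL_OUTBOUND_eth2 listings quoted in the post.
INVERTED = """\
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
"""
CORRECT = """\
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP
"""

if __name__ == "__main__":
    for name, text in (("inverted", INVERTED), ("correct", CORRECT)):
        hits = find_shadowed(text)
        print(f"{name}: {len(hits)} unreachable rule(s)")
        for f in hits:
            print(f"  line {f.lineno} in {f.chain} is shadowed by "
                  f"{f.blocked_by_target} on line {f.blocked_by_line}: {f.rule}")
```
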

------ Original message ------
From: "Simon Weller" <sw...@ena.com>
To: "users@cloudstack.apache.org" <us...@cloudstack.apache.org>;
"David Amorín" <da...@adderglobal.com>
Sent: 05/10/2016 18:35:48
Subject: Re: Re[4]: Network ACL rules in VPCs are applied in an inverted
order (CLOUDSTACK-9404)

>Try doing a restart with network cleanup and see if that fixes your
>problem. The fixes are in the system ISO and that will require a
>redeploy.
>
>
>
>- Si

Re: Re[4]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)

Posted by Simon Weller <sw...@ena.com>.
Try doing a restart with network cleanup and see if that fixes your problem. The fixes are in the system ISO and that will require a redeploy.


- Si

________________________________
From: David Amorín <da...@adderglobal.com>
Sent: Wednesday, October 5, 2016 11:18 AM
To: Simon Weller; users@cloudstack.apache.org
Subject: Re[4]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)

Yes, we did the upgrade from 4.5.2 to 4.9.0



Re[4]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)

Posted by David Amorín <da...@adderglobal.com>.
Yes, we did the upgrade from 4.5.2 to 4.9.0




------ Original message ------
From: "Simon Weller" <sw...@ena.com>
To: "users@cloudstack.apache.org" <us...@cloudstack.apache.org>;
"David Amorín" <da...@adderglobal.com>
Sent: 05/10/2016 18:11:26
Subject: Re: Re[2]: Network ACL rules in VPCs are applied in an inverted
order (CLOUDSTACK-9404)

>Was this an upgrade from an older release?

Re: Re[2]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)

Posted by Simon Weller <sw...@ena.com>.
Was this an upgrade from an older release?


________________________________
From: David Amorín <da...@adderglobal.com>
Sent: Wednesday, October 5, 2016 10:11 AM
To: users@cloudstack.apache.org
Subject: Re[2]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)

We are running 4.9.0 and we are still facing the issues of the ACL Rules
(CLOUDSTACK-9404)



------ Mensaje original ------
De: "Simon Weller" <sw...@ena.com>
Para: "users@cloudstack.apache.org" <us...@cloudstack.apache.org>;
"David Amorín" <da...@adderglobal.com>
Enviado: 04/10/2016 18:02:22
Asunto: Re: Network ACL rules in VPCs are applied in an inverted order
(CLOUDSTACK-9404)

>David,
>
>
>What version are you currently running?
>
>
>I believe 2 patches got into 4.9.0 related to this. #1581 and #1616.
>
>
>At least #1581 was also merged into 4.8.x for the next point release.
>
>
>- Si
>
>________________________________
>From: David Amorín <da...@adderglobal.com>
>Sent: Tuesday, October 4, 2016 10:47 AM
>To: users@cloudstack.apache.org
>Subject: Network ACL rules in VPCs are applied in an inverted order
>(CLOUDSTACK-9404)
>
>Hi all,
>I see this bug is already resolved
>
>https://issues.apache.org/jira/browse/CLOUDSTACK-9404
>
>Do you know if it will be available on 4.9.1?
>
>Thanks
>
>David
>
>
>
>
>


Re[2]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)

Posted by David Amorín <da...@adderglobal.com>.
We are running 4.9.0 and we are still facing the issues of the ACL Rules 
(CLOUDSTACK-9404)



------ Original message ------
From: "Simon Weller" <sw...@ena.com>
To: "users@cloudstack.apache.org" <us...@cloudstack.apache.org>;
"David Amorín" <da...@adderglobal.com>
Sent: 04/10/2016 18:02:22
Subject: Re: Network ACL rules in VPCs are applied in an inverted order
(CLOUDSTACK-9404)

>David,
>
>
>What version are you currently running?
>
>
>I believe 2 patches got into 4.9.0 related to this. #1581 and #1616.
>
>
>At least #1581 was also merged into 4.8.x for the next point release.
>
>
>- Si
>
>________________________________
>From: David Amorín <da...@adderglobal.com>
>Sent: Tuesday, October 4, 2016 10:47 AM
>To: users@cloudstack.apache.org
>Subject: Network ACL rules in VPCs are applied in an inverted order 
>(CLOUDSTACK-9404)
>
>Hi all,
>I see this bug is already resolved
>
>https://issues.apache.org/jira/browse/CLOUDSTACK-9404
>
>Do you know if it will be available on 4.9.1?
>
>Thanks
>
>David
>
>
>
>
>


Re: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)

Posted by Simon Weller <sw...@ena.com>.
David,


What version are you currently running?


I believe 2 patches got into 4.9.0 related to this. #1581 and #1616.


At least #1581 was also merged into 4.8.x for the next point release.


- Si

________________________________
From: David Amorín <da...@adderglobal.com>
Sent: Tuesday, October 4, 2016 10:47 AM
To: users@cloudstack.apache.org
Subject: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)

Hi all,
I see this bug is already resolved

https://issues.apache.org/jira/browse/CLOUDSTACK-9404

Do you know if it will be available on 4.9.1?

Thanks

David






Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)

Posted by David Amorín <da...@adderglobal.com>.
Hi all,
I see this bug is already resolved

https://issues.apache.org/jira/browse/CLOUDSTACK-9404

Do you know if it will be available on 4.9.1?

Thanks

David






Re: slow firewall

Posted by Simon Weller <sw...@ena.com>.
When I've seen something like this happen, there is a problem with the router script parsing an input and so it returns a failure and the router is restarted.

You might need to put the agent in debug so you can see what exactly is failing when it tries to inject rules into the VR.


4.8 has a bug like this for Private Gateway configs in VPCs. It is fixed in later versions.


- Si

________________________________
From: Janis Andersons | Failiem.lv <ja...@failiem.lv>
Sent: Friday, September 30, 2016 4:23 AM
To: users@cloudstack.apache.org
Subject: Re: slow firewall

Restart fails and router keeps rebooting. Also if I reboot router it
keeps rebooting. Then I need to remove all firewall rules and
restart it with clean up option to get it to work again.

Janis Andersons
http://serveri.failiem.lv
http://files.fm
http://failiem.lv
mobile: +371 26606064
ja@failiem.lv

On 29.09.2016 23:32, Simon Weller wrote:
> What happens if you try and do a network restart with the cleanup option selected?
>
>
> ________________________________
> From: Janis Andersons | Failiem.lv <ja...@failiem.lv>
> Sent: Thursday, September 29, 2016 6:25 AM
> To: users@cloudstack.apache.org
> Subject: Re: slow firewall
>
> Also If I try to restart network it ends with: Failed to restart network
> management log files:
> 2016-09-29 14:21:18,486 DEBUG    Seq 27-2522015791327480407: Processing:
> { Ans: , MgmtId: 95537004648, via: 27, Ver: v1, Flags: 10,
> [{"com.cloud.agent.api.Answer":{"result":false,"details":"Timed out in
> waiting SSH execution result","wait":0}}] }
> 2016-09-29 14:21:18,487 DEBUG    ctx-d2b04874) (logid:93af951b) Seq
> 27-2522015791327480407: Received: { Ans: , MgmtId: 95537004648, via:
> 27(xs4.failiem.lv), Ver: v1, Flags: 10, { Answer } }
> 2016-09-29 14:21:18,487 WARN    ctx-d2b04874) (logid:93af951b) Failed to
> re-program the network as a part of network Ntwk[248|Guest|67] implement
> due to aggregated commands execution failure!
> 2016-09-29 14:21:18,490 WARN    ctx-d2b04874) (logid:93af951b) Failed to
> implement network Ntwk[248|Guest|67] elements and resources as a part of
> network restart due to
> com.cloud.exception.ResourceUnavailableException: Resource
> [DataCenter:9]    to apply network rules as a part of network
> Ntwk[248|Guest|67] implement
>
> J. Andersons
>
> On 29.09.2016 14:08, Janis Andersons | Failiem.lv wrote:
>> Also adding Load balancer rules takes about 3 minutes.
>>
>>
>> On 29.09.2016 14:07, Janis Andersons | Failiem.lv wrote:
>>> I have total 20 firewall rules and 50 port forwarding rules for 12
>>> VMs and it takes more than 60 seconds to add new rule.
>>> If new IP is acquired adding new rule takes about 80 seconds even if
>>> there is no rules set for new IP.
>>> If I try to add multiple rules it takes much more time for first rule
>>> and sometimes another rules fails.
>>>
>>> Have tried to change service offering for router to 2 CPUs, 1GB ram
>>> but that doesn't help.
>>>
>>> Cloudstack 4.8, Xenserver, Shared Storage
>>> Virtual Router: Firewall, Vpn, Dhcp, SourceNat, PortForwarding, Lb,
>>> UserData, Dns.
>>>
>
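Added example (not part of the thread and not CloudStack code): a small triage helper for the kind of management-server excerpt quoted above. It re-joins mail-wrapped log lines and pulls out every agent Answer with "result":false, keyed by its Seq id, so the failing command can be looked up in the agent debug log. The function names and the sample log are this example's own; the sample is constructed, modelled on the excerpt in the thread.

```python
import json
import re

# Constructed sample, modelled on the management-server excerpt in the thread
# and hard-wrapped the way the mail client wrapped it.
SAMPLE_LOG = """\
2016-09-29 14:21:18,486 DEBUG Seq 27-2522015791327480407: Processing:
{ Ans: , MgmtId: 95537004648, via: 27, Ver: v1, Flags: 10,
[{"com.cloud.agent.api.Answer":{"result":false,"details":"Timed out in
waiting SSH execution result","wait":0}}] }
2016-09-29 14:21:18,487 WARN (logid:93af951b) Failed to
re-program the network as a part of network Ntwk[248|Guest|67] implement
due to aggregated commands execution failure!
2016-09-29 14:21:19,002 DEBUG Seq 27-2522015791327480408: Processing:
{ Ans: , MgmtId: 95537004648, via: 27, Ver: v1, Flags: 10,
[{"com.cloud.agent.api.Answer":{"result":true,"wait":0}}] }
"""

STAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
SEQ = re.compile(r"Seq (\d+-\d+):")
ANSWERS = re.compile(r"\[\{.*\}\]")  # the JSON array of Answer objects

def unwrap(text):
    """Re-join hard-wrapped lines; a record starts at a timestamp."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def failed_answers(text):
    """Return (timestamp, seq, details) for each Answer with result false."""
    failures = []
    for rec in unwrap(text):
        seq, payload = SEQ.search(rec), ANSWERS.search(rec)
        if not (seq and payload):
            continue
        for answer in json.loads(payload.group(0)):
            for body in answer.values():
                if body.get("result") is False:
                    failures.append((rec[:23], seq.group(1), body.get("details", "")))
    return failures

def warn_records(text):
    """Return the unwrapped WARN records, which name the affected network."""
    return [r for r in unwrap(text) if r[24:].startswith("WARN")]
```

The Seq id returned for a failed Answer is the value to search for in the agent log once debug logging is enabled.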


Re: slow firewall

Posted by "Jānis Andersons | Failiem.lv" <ja...@failiem.lv>.
Restart fails and router keeps rebooting. Also if I reboot router it
keeps rebooting. Then I need to remove all firewall rules and
restart it with clean up option to get it to work again.

Jānis Andersons
http://serveri.failiem.lv
http://files.fm
http://failiem.lv
mobile: +371 26606064
ja@failiem.lv

On 29.09.2016 23:32, Simon Weller wrote:
> What happens if you try and do a network restart with the cleanup option selected?
>
>
> ________________________________
> From: Janis Andersons | Failiem.lv <ja...@failiem.lv>
> Sent: Thursday, September 29, 2016 6:25 AM
> To: users@cloudstack.apache.org
> Subject: Re: slow firewall
>
> Also If I try to restart network it ends with: Failed to restart network
> management log files:
> 2016-09-29 14:21:18,486 DEBUG    Seq 27-2522015791327480407: Processing:
> { Ans: , MgmtId: 95537004648, via: 27, Ver: v1, Flags: 10,
> [{"com.cloud.agent.api.Answer":{"result":false,"details":"Timed out in
> waiting SSH execution result","wait":0}}] }
> 2016-09-29 14:21:18,487 DEBUG    ctx-d2b04874) (logid:93af951b) Seq
> 27-2522015791327480407: Received: { Ans: , MgmtId: 95537004648, via:
> 27(xs4.failiem.lv), Ver: v1, Flags: 10, { Answer } }
> 2016-09-29 14:21:18,487 WARN    ctx-d2b04874) (logid:93af951b) Failed to
> re-program the network as a part of network Ntwk[248|Guest|67] implement
> due to aggregated commands execution failure!
> 2016-09-29 14:21:18,490 WARN    ctx-d2b04874) (logid:93af951b) Failed to
> implement network Ntwk[248|Guest|67] elements and resources as a part of
> network restart due to
> com.cloud.exception.ResourceUnavailableException: Resource
> [DataCenter:9]    to apply network rules as a part of network
> Ntwk[248|Guest|67] implement
>
> J. Andersons
>
> On 29.09.2016 14:08, Janis Andersons | Failiem.lv wrote:
>> Also adding Load balancer rules takes about 3 minutes.
>>
>>
>> On 29.09.2016 14:07, Janis Andersons | Failiem.lv wrote:
>>> I have total 20 firewall rules and 50 port forwarding rules for 12
>>> VMs and it takes more than 60 seconds to add new rule.
>>> If new IP is acquired adding new rule takes about 80 seconds even if
>>> there is no rules set for new IP.
>>> If I try to add multiple rules it takes much more time for first rule
>>> and sometimes another rules fails.
>>>
>>> Have tried to change service offering for router to 2 CPUs, 1GB ram
>>> but that doesn't help.
>>>
>>> Cloudstack 4.8, Xenserver, Shared Storage
>>> Virtual Router: Firewall, Vpn, Dhcp, SourceNat, PortForwarding, Lb,
>>> UserData, Dns.
>>>
>


Re: slow firewall

Posted by Simon Weller <sw...@ena.com>.
What happens if you try and do a network restart with the cleanup option selected?


________________________________
From: Janis Andersons | Failiem.lv <ja...@failiem.lv>
Sent: Thursday, September 29, 2016 6:25 AM
To: users@cloudstack.apache.org
Subject: Re: slow firewall

Also If I try to restart network it ends with: Failed to restart network
management log files:
2016-09-29 14:21:18,486 DEBUG    Seq 27-2522015791327480407: Processing:
{ Ans: , MgmtId: 95537004648, via: 27, Ver: v1, Flags: 10,
[{"com.cloud.agent.api.Answer":{"result":false,"details":"Timed out in
waiting SSH execution result","wait":0}}] }
2016-09-29 14:21:18,487 DEBUG    ctx-d2b04874) (logid:93af951b) Seq
27-2522015791327480407: Received: { Ans: , MgmtId: 95537004648, via:
27(xs4.failiem.lv), Ver: v1, Flags: 10, { Answer } }
2016-09-29 14:21:18,487 WARN    ctx-d2b04874) (logid:93af951b) Failed to
re-program the network as a part of network Ntwk[248|Guest|67] implement
due to aggregated commands execution failure!
2016-09-29 14:21:18,490 WARN    ctx-d2b04874) (logid:93af951b) Failed to
implement network Ntwk[248|Guest|67] elements and resources as a part of
network restart due to
com.cloud.exception.ResourceUnavailableException: Resource
[DataCenter:9]    to apply network rules as a part of network
Ntwk[248|Guest|67] implement

J. Andersons

On 29.09.2016 14:08, Janis Andersons | Failiem.lv wrote:
> Also adding Load balancer rules takes about 3 minutes.
>
>
> On 29.09.2016 14:07, Janis Andersons | Failiem.lv wrote:
>> I have total 20 firewall rules and 50 port forwarding rules for 12
>> VMs and it takes more than 60 seconds to add new rule.
>> If new IP is acquired adding new rule takes about 80 seconds even if
>> there is no rules set for new IP.
>> If I try to add multiple rules it takes much more time for first rule
>> and sometimes another rules fails.
>>
>> Have tried to change service offering for router to 2 CPUs, 1GB ram
>> but that doesn't help.
>>
>> Cloudstack 4.8, Xenserver, Shared Storage
>> Virtual Router: Firewall, Vpn, Dhcp, SourceNat, PortForwarding, Lb,
>> UserData, Dns.
>>
>


Re: slow firewall

Posted by "Jānis Andersons | Failiem.lv" <ja...@failiem.lv>.
Also If I try to restart network it ends with: Failed to restart network
management log files:
2016-09-29 14:21:18,486 DEBUG    Seq 27-2522015791327480407: Processing: 
{ Ans: , MgmtId: 95537004648, via: 27, Ver: v1, Flags: 10, 
[{"com.cloud.agent.api.Answer":{"result":false,"details":"Timed out in 
waiting SSH execution result","wait":0}}] }
2016-09-29 14:21:18,487 DEBUG    ctx-d2b04874) (logid:93af951b) Seq 
27-2522015791327480407: Received: { Ans: , MgmtId: 95537004648, via: 
27(xs4.failiem.lv), Ver: v1, Flags: 10, { Answer } }
2016-09-29 14:21:18,487 WARN    ctx-d2b04874) (logid:93af951b) Failed to 
re-program the network as a part of network Ntwk[248|Guest|67] implement 
due to aggregated commands execution failure!
2016-09-29 14:21:18,490 WARN    ctx-d2b04874) (logid:93af951b) Failed to 
implement network Ntwk[248|Guest|67] elements and resources as a part of 
network restart due to
com.cloud.exception.ResourceUnavailableException: Resource 
[DataCenter:9]    to apply network rules as a part of network 
Ntwk[248|Guest|67] implement

J. Andersons

On 29.09.2016 14:08, Jānis Andersons | Failiem.lv wrote:
> Also adding Load balancer rules takes about 3 minutes.
>
>
> On 29.09.2016 14:07, Jānis Andersons | Failiem.lv wrote:
>> I have total 20 firewall rules and 50 port forwarding rules for 12 
>> VMs and it takes more than 60 seconds to add new rule.
>> If new IP is acquired adding new rule takes about 80 seconds even if 
>> there is no rules set for new IP.
>> If I try to add multiple rules it takes much more time for first rule 
>> and sometimes another rules fails.
>>
>> Have tried to change service offering for router to 2 CPUs, 1GB ram 
>> but that doesn't help.
>>
>> Cloudstack 4.8, Xenserver, Shared Storage
>> Virtual Router: Firewall, Vpn, Dhcp, SourceNat, PortForwarding, Lb, 
>> UserData, Dns.
>>
>


Re: slow firewall

Posted by "Jānis Andersons | Failiem.lv" <ja...@failiem.lv>.
Also adding Load balancer rules takes about 3 minutes.

Jānis Andersons
http://serveri.failiem.lv
http://files.fm
http://failiem.lv
mobile: +371 26606064
ja@failiem.lv

On 29.09.2016 14:07, Jānis Andersons | Failiem.lv wrote:
> I have total 20 firewall rules and 50 port forwarding rules for 12 VMs 
> and it takes more than 60 seconds to add new rule.
> If new IP is acquired adding new rule takes about 80 seconds even if 
> there is no rules set for new IP.
> If I try to add multiple rules it takes much more time for first rule 
> and sometimes another rules fails.
>
> Have tried to change service offering for router to 2 CPUs, 1GB ram 
> but that doesn't help.
>
> Cloudstack 4.8, Xenserver, Shared Storage
> Virtual Router: Firewall, Vpn, Dhcp, SourceNat, PortForwarding, Lb, 
> UserData, Dns.
>