Posted to dev@cloudstack.apache.org by Cloud List <cl...@sg.or.id> on 2016/11/06 10:16:35 UTC

Site 2 Site VPN on VPC not working after upgrading ACS from 4.2 to 4.8.1.1

Hi,

Another issue we noted after upgrading ACS from 4.2 to 4.8.1.1 is that
site-to-site VPN is not working. From the GUI, I cannot even go to Home >
Network > Select view: VPN customer gateway, with the below error messages
shown on the GUI:

====
Caught: com.mysql.jdbc.JDBC4PreparedStatement@45ae1e69: SELECT
s2s_customer_gateway.id, s2s_customer_gateway.uuid,
s2s_customer_gateway.name, s2s_customer_gateway.gateway_ip,
s2s_customer_gateway.guest_cidr_list, s2s_customer_gateway.ipsec_psk,
s2s_customer_gateway.ike_policy, s2s_customer_gateway.esp_policy,
s2s_customer_gateway.ike_lifetime, s2s_customer_gateway.esp_lifetime,
s2s_customer_gateway.dpd, s2s_customer_gateway.force_encap,
s2s_customer_gateway.domain_id, s2s_customer_gateway.account_id,
s2s_customer_gateway.removed FROM s2s_customer_gateway INNER JOIN account
ON s2s_customer_gateway.account_id=account.id WHERE
s2s_customer_gateway.removed IS NULL AND (account.type != 5 ) ORDER BY
s2s_customer_gateway.id DESC LIMIT 0, 20
====

These are the error messages on the CloudStack management server:

====
2016-11-06 18:00:30,218 DEBUG [c.c.u.c.DBEncryptionUtil] (http-8080-2:ctx-da483727 ctx-695addac) (logid:3d3a6225) Error while decrypting: XXXXXXXX
2016-11-06 18:00:30,218 ERROR [c.c.a.ApiServer] (http-8080-2:ctx-da483727 ctx-695addac) (logid:3d3a6225) unhandled exception executing api command: [Ljava.lang.String;@6ad8a1d4
com.cloud.utils.exception.CloudRuntimeException: Caught: com.mysql.jdbc.JDBC4PreparedStatement@55edbe9c: SELECT s2s_customer_gateway.id, s2s_customer_gateway.uuid, s2s_customer_gateway.name, s2s_customer_gateway.gateway_ip, s2s_customer_gateway.guest_cidr_list, s2s_customer_gateway.ipsec_psk, s2s_customer_gateway.ike_policy, s2s_customer_gateway.esp_policy, s2s_customer_gateway.ike_lifetime, s2s_customer_gateway.esp_lifetime, s2s_customer_gateway.dpd, s2s_customer_gateway.force_encap, s2s_customer_gateway.domain_id, s2s_customer_gateway.account_id, s2s_customer_gateway.removed FROM s2s_customer_gateway  INNER JOIN account ON s2s_customer_gateway.account_id=account.id WHERE s2s_customer_gateway.removed IS NULL  AND  (account.type != 5 ) ORDER BY s2s_customer_gateway.id DESC  LIMIT 0, 20
====

Note that on "Error while decrypting: XXXXXXXX", I checked that XXXXXXXX is
the cleartext IPsec pre-shared key (ipsec_psk field on the
s2s_customer_gateway table in the database). It seems that CloudStack tries
to decrypt a clear-text / non-encrypted password? Is the ipsec_psk field in
the database supposed to store the encrypted IPsec pre-shared key for the
VPN connection under CloudStack version 4.8.1.1?

I am able to execute the SELECT command on the database directly without
any issues.

Any help is greatly appreciated.

Thank you.
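
The two log records quoted above share a logid, and the DEBUG record writes the value that failed to decrypt into the log. As an added example (not part of the original post and not CloudStack code), this Python script groups management-server records by logid, reports which tables were being queried when DBEncryptionUtil failed, and redacts the logged value. The sample log is constructed in the layout shown in the post, with a placeholder PSK and a shortened SQL statement.

```python
import re
from collections import defaultdict

# Constructed sample in the log layout quoted in the post (placeholder secret).
SAMPLE_LOG = """\
2016-11-06 18:00:30,218 DEBUG [c.c.u.c.DBEncryptionUtil] (http-8080-2:ctx-da483727 ctx-695addac) (logid:3d3a6225) Error while decrypting: EXAMPLE-PSK
2016-11-06 18:00:30,218 ERROR [c.c.a.ApiServer] (http-8080-2:ctx-da483727 ctx-695addac) (logid:3d3a6225) unhandled exception executing api command: [Ljava.lang.String;@6ad8a1d4
com.cloud.utils.exception.CloudRuntimeException: Caught: com.mysql.jdbc.JDBC4PreparedStatement@55edbe9c: SELECT s2s_customer_gateway.id, s2s_customer_gateway.ipsec_psk FROM s2s_customer_gateway INNER JOIN account ON s2s_customer_gateway.account_id=account.id WHERE s2s_customer_gateway.removed IS NULL
2016-11-06 18:00:31,002 DEBUG [c.c.a.ApiServer] (http-8080-3:ctx-11111111) (logid:aaaa0001) constructed unrelated record
"""

# timestamp, level, [logger], (thread context), (logid:...), message
HEADER = re.compile(r"^(\S+ \S+) (\w+)\s+\[([^\]]+)\] \(.*?\) \(logid:(\w+)\) (.*)$")
DECRYPT = "Error while decrypting: "
TABLE = re.compile(r"\b(?:FROM|JOIN)\s+(\w+)")


def triage(log_text):
    """Return ({logid: details}, redacted_log) for DBEncryptionUtil decrypt failures."""
    events = defaultdict(lambda: {"decrypt_failures": 0, "tables": set(), "time": None})
    redacted, current = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, _level, logger, current, msg = m.groups()
            if logger.endswith("DBEncryptionUtil") and msg.startswith(DECRYPT):
                ev = events[current]
                ev["decrypt_failures"] += 1
                ev["time"] = ev["time"] or ts
                # The text after the prefix is the stored value itself: drop it.
                cut = line.index(DECRYPT) + len(DECRYPT)
                redacted.append(line[:cut] + "<redacted>")
                continue
        # Later records and continuation lines (exception text, SQL) of a request
        # that already had a decrypt failure name the tables being read.
        if current in events:
            events[current]["tables"].update(TABLE.findall(line))
        redacted.append(line)
    return dict(events), "\n".join(redacted)


if __name__ == "__main__":
    found, clean = triage(SAMPLE_LOG)
    for logid, ev in found.items():
        print(logid, ev["time"], ev["decrypt_failures"], sorted(ev["tables"]))
    print(clean)
```

The logid grouping relies on continuation lines following the record they belong to, as they do in the excerpt quoted in the post.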

Re: Site 2 Site VPN on VPC not working after upgrading ACS from 4.2 to 4.8.1.1

Posted by Cloud List <cl...@sg.or.id>.
Hi,

[RESOLVED] I would like to share that I managed to find a workaround to the
problem by emptying the password ipsec_psk field on the entry inside the
s2s_customer_gateway table, deleting the VPN connection, modifying the VPN
customer gateway with the new password (we will notice that the encrypted
format of the password will be populated into the ipsec_psk field), and
then recreating the VPN connection. The VPN connection will then be
established.

Hope the above can help others.

Thank you.

On Sun, Nov 6, 2016 at 6:16 PM, Cloud List <cl...@sg.or.id> wrote:

> Hi,
>
> Another issue we noted after upgrading ACS from 4.2 to 4.8.1.1 is that
> site-to-site VPN is not working. From the GUI, I cannot even go to Home >
> Network > Select view: VPN customer gateway, with the below error messages
> shown on the GUI:
>
> ====
> Caught: com.mysql.jdbc.JDBC4PreparedStatement@45ae1e69: SELECT
> s2s_customer_gateway.id, s2s_customer_gateway.uuid,
> s2s_customer_gateway.name, s2s_customer_gateway.gateway_ip,
> s2s_customer_gateway.guest_cidr_list, s2s_customer_gateway.ipsec_psk,
> s2s_customer_gateway.ike_policy, s2s_customer_gateway.esp_policy,
> s2s_customer_gateway.ike_lifetime, s2s_customer_gateway.esp_lifetime,
> s2s_customer_gateway.dpd, s2s_customer_gateway.force_encap,
> s2s_customer_gateway.domain_id, s2s_customer_gateway.account_id,
> s2s_customer_gateway.removed FROM s2s_customer_gateway INNER JOIN account
> ON s2s_customer_gateway.account_id=account.id WHERE
> s2s_customer_gateway.removed IS NULL AND (account.type != 5 ) ORDER BY
> s2s_customer_gateway.id DESC LIMIT 0, 20
> ====
>
> These are the error messages on the CloudStack management server:
>
> ====
> 2016-11-06 18:00:30,218 DEBUG [c.c.u.c.DBEncryptionUtil] (http-8080-2:ctx-da483727 ctx-695addac) (logid:3d3a6225) Error while decrypting: XXXXXXXX
> 2016-11-06 18:00:30,218 ERROR [c.c.a.ApiServer] (http-8080-2:ctx-da483727 ctx-695addac) (logid:3d3a6225) unhandled exception executing api command: [Ljava.lang.String;@6ad8a1d4
> com.cloud.utils.exception.CloudRuntimeException: Caught: com.mysql.jdbc.JDBC4PreparedStatement@55edbe9c: SELECT s2s_customer_gateway.id, s2s_customer_gateway.uuid, s2s_customer_gateway.name, s2s_customer_gateway.gateway_ip, s2s_customer_gateway.guest_cidr_list, s2s_customer_gateway.ipsec_psk, s2s_customer_gateway.ike_policy, s2s_customer_gateway.esp_policy, s2s_customer_gateway.ike_lifetime, s2s_customer_gateway.esp_lifetime, s2s_customer_gateway.dpd, s2s_customer_gateway.force_encap, s2s_customer_gateway.domain_id, s2s_customer_gateway.account_id, s2s_customer_gateway.removed FROM s2s_customer_gateway  INNER JOIN account ON s2s_customer_gateway.account_id=account.id WHERE s2s_customer_gateway.removed IS NULL  AND  (account.type != 5 ) ORDER BY s2s_customer_gateway.id DESC  LIMIT 0, 20
> ====
>
> Note that on "Error while decrypting: XXXXXXXX", I checked that XXXXXXXX
> is the cleartext IPsec pre-shared key (ipsec_psk field on the
> s2s_customer_gateway table in the database). It seems that CloudStack tries
> to decrypt a clear-text / non-encrypted password? Is the ipsec_psk field
> in the database supposed to store the encrypted IPsec pre-shared key for
> the VPN connection under CloudStack version 4.8.1.1?
>
> I am able to execute the SELECT command on the database directly without
> any issues.
>
> Any help is greatly appreciated.
>
> Thank you.
>
