Guys can You help with https://bugs.launchpad.net/neutron/+bug/2088286 Hello We are deploying OpenStack/Neturon with OVN, BGP (ovn-bgp-agent) and VPNaaS and we encountered a problem - because of incomplete configuration of VPN services external port bgp agent isn't announcing it's address. Summary: external port created by neutron-vpnaas with ovn plugin/driver is not fully/properly configured and because of this ovn-bgp-agent won't announce/publish/configure routing path for this address. $ /var/lib/kolla/venv/bin/neutron-ovn-vpn-agent --version neutron-ovn-vpn-agent 24.0.2.dev42 $ openstack network show public1 +---------------------------+--------------------------------------+ | Field | Value | +---------------------------+--------------------------------------+ | admin_state_up | UP | | availability_zone_hints | | | availability_zones | | | created_at | 2024-09-06T15:48:18Z | | description | | | dns_domain | None | | id | ad8c81c1-08fd-4503-833f-912675d1c6d8 | | ipv4_address_scope | None | | ipv6_address_scope | None | | is_default | False | | is_vlan_transparent | None | | mtu | 1500 | | name | public1 | | port_security_enabled | True | | project_id | 0cfa2dc8d9024b7fa0462a9be5d8b832 | | provider:network_type | vlan | | provider:physical_network | physnet1 | | provider:segmentation_id | 2 | | qos_policy_id | None | | revision_number | 2 | | router:external | External | | segments | None | | shared | True | | status | ACTIVE | | subnets | 306ea02d-a5ec-4c1b-bd2f-bff1a88750d6 | | tags | | | tenant_id | 0cfa2dc8d9024b7fa0462a9be5d8b832 | | updated_at | 2024-09-06T15:48:19Z | +---------------------------+--------------------------------------+ $ openstack subnet show 306ea02d-a5ec-4c1b-bd2f-bff1a88750d6 +----------------------+--------------------------------------+ | Field | Value | +----------------------+--------------------------------------+ | allocation_pools | 203.0.113.226-203.0.113.254 | | cidr | 203.0.113.224/27 | | created_at | 2024-09-06T15:48:19Z | | description | | | dns_nameservers | | | dns_publish_fixed_ip | None | | enable_dhcp | False | | gateway_ip | 203.0.113.225 | | host_routes | | | id | 306ea02d-a5ec-4c1b-bd2f-bff1a88750d6 | | ip_version | 4 | | ipv6_address_mode | None | | ipv6_ra_mode | None | | name | public1 | | network_id | ad8c81c1-08fd-4503-833f-912675d1c6d8 | | project_id | 0cfa2dc8d9024b7fa0462a9be5d8b832 | | revision_number | 0 | | segment_id | None | | service_types | | | subnetpool_id | None | | tags | | | updated_at | 2024-09-06T15:48:19Z | +----------------------+--------------------------------------+ $ openstack port list --network ad8c81c1-08fd-4503-833f-912675d1c6d8 --long +--------------------------------------+---------------------------------------------+-------------------+------------------------------------------------------------------------------+--------+-----------------+----------------------------+------+ | ID | Name | MAC Address | Fixed IP Addresses | Status | Security Groups | Device Owner | Tags | +--------------------------------------+---------------------------------------------+-------------------+------------------------------------------------------------------------------+--------+-----------------+----------------------------+------+ | 1dc2b248-1d21-44ff-923f-2405f9f28f4e | | fa:16:3e:3e:97:10 | ip_address='203.0.113.228', subnet_id='306ea02d-a5ec-4c1b-bd2f-bff1a88750d6' | N/A | None | network:floatingip | | | 71a1d9eb-11bb-4278-979b-6a1d83e87ecc | | fa:16:3e:15:5e:b5 | ip_address='203.0.113.229', subnet_id='306ea02d-a5ec-4c1b-bd2f-bff1a88750d6' | ACTIVE | None | network:router_gateway | | | 7398b975-552a-408f-8289-25e52d5cb8fc | | fa:16:3e:e7:dd:5d | ip_address='203.0.113.252', subnet_id='306ea02d-a5ec-4c1b-bd2f-bff1a88750d6' | ACTIVE | None | network:router_gateway | | | ccbb42e0-3258-4ade-a5e6-c873ca0530b7 | | fa:16:3e:97:9d:d7 | | DOWN | None | network:distributed | | | e6a43606-2ea3-4967-9aa2-967c800cbdbe | | fa:16:3e:4e:e9:d8 | ip_address='203.0.113.243', subnet_id='306ea02d-a5ec-4c1b-bd2f-bff1a88750d6' | ACTIVE | None | network:router_gateway | | +--------------------------------------+---------------------------------------------+-------------------+------------------------------------------------------------------------------+--------+-----------------+----------------------------+------+ $ openstack vpn service create --router router_vpn test_vpn_service +----------------+--------------------------------------+ | Field | Value | +----------------+--------------------------------------+ | Description | | | Flavor | None | | ID | 0d8436f0-6cc5-4af5-84f7-10b54ac99784 | | Name | test_vpn_service | | Project | 0cfa2dc8d9024b7fa0462a9be5d8b832 | | Router | 30e448d5-078e-40fe-9418-901f8195b6cb | | State | True | | Status | PENDING_CREATE | | Subnet | None | | external_v4_ip | 203.0.113.246 | | external_v6_ip | None | | project_id | 0cfa2dc8d9024b7fa0462a9be5d8b832 | +----------------+--------------------------------------+ $ openstack vpn ipsec site connection create --peer-id 1.2.3.4 --peer-address 1.2.3.4 --psk 1234 --vpnservice test_vpn_service --ikepolicy ikepolicy --ipsecpolicy ipsecpolicy test_vpn_tunnel --peer-endpoint-group west-peer-epg --local-endpoint-group local_network +--------------------------+----------------------------------------------------+ | Field | Value | +--------------------------+----------------------------------------------------+ | Authentication Algorithm | psk | | Description | | | ID | ca7f63dc-685f-4f9d-bc23-47c7b5b1c577 | | IKE Policy | 1457dc12-c1ec-4574-8985-9e93dcf06f56 | | IPSec Policy | c68d172f-220f-455c-b46c-b9ff8b9e46e4 | | Initiator | bi-directional | | Local Endpoint Group ID | 0f7f645c-8ae9-4dc8-a286-40afabbc2dd7 | | Local ID | | | MTU | 1500 | | Name | test_vpn_tunnel | | Peer Address | 1.2.3.4 | | Peer CIDRs | | | Peer Endpoint Group ID | 842cc6e8-d124-4258-b9d8-8b901d06cd97 | | Peer ID | 1.2.3.4 | | Pre-shared Key | 1234 | | Project | 0cfa2dc8d9024b7fa0462a9be5d8b832 | | Route Mode | static | | State | True | | Status | PENDING_CREATE | | VPN Service | 0d8436f0-6cc5-4af5-84f7-10b54ac99784 | | dpd | {'action': 'hold', 'interval': 30, 'timeout': 120} | | project_id | 0cfa2dc8d9024b7fa0462a9be5d8b832 | +--------------------------+----------------------------------------------------+ $ openstack port list --network ad8c81c1-08fd-4503-833f-912675d1c6d8 --long +--------------------------------------+---------------------------------------------+-------------------+------------------------------------------------------------------------------+--------+-----------------+----------------------------+------+ | ID | Name | MAC Address | Fixed IP Addresses | Status | Security Groups | Device Owner | Tags | +--------------------------------------+---------------------------------------------+-------------------+------------------------------------------------------------------------------+--------+-----------------+----------------------------+------+ | 1dc2b248-1d21-44ff-923f-2405f9f28f4e | | fa:16:3e:3e:97:10 | ip_address='203.0.113.228', subnet_id='306ea02d-a5ec-4c1b-bd2f-bff1a88750d6' | N/A | None | network:floatingip | | | 3d2dbb2a-b004-4955-a4ca-4d4a88d2f702 | vpn-gw-30e448d5-078e-40fe-9418-901f8195b6cb | fa:16:3e:e5:e0:69 | ip_address='203.0.113.246', subnet_id='306ea02d-a5ec-4c1b-bd2f-bff1a88750d6' | ACTIVE | None | network:vpn_router_gateway | | | 71a1d9eb-11bb-4278-979b-6a1d83e87ecc | | fa:16:3e:15:5e:b5 | ip_address='203.0.113.229', subnet_id='306ea02d-a5ec-4c1b-bd2f-bff1a88750d6' | ACTIVE | None | network:router_gateway | | | 7398b975-552a-408f-8289-25e52d5cb8fc | | fa:16:3e:e7:dd:5d | ip_address='203.0.113.252', subnet_id='306ea02d-a5ec-4c1b-bd2f-bff1a88750d6' | ACTIVE | None | network:router_gateway | | | ccbb42e0-3258-4ade-a5e6-c873ca0530b7 | | fa:16:3e:97:9d:d7 | | DOWN | None | network:distributed | | | e6a43606-2ea3-4967-9aa2-967c800cbdbe | | fa:16:3e:4e:e9:d8 | ip_address='203.0.113.243', subnet_id='306ea02d-a5ec-4c1b-bd2f-bff1a88750d6' | ACTIVE | None | network:router_gateway | | +--------------------------------------+---------------------------------------------+-------------------+------------------------------------------------------------------------------+--------+-----------------+----------------------------+------+ routing table on gateway/network node: 203.0.113.228 dev vrf1d63891f-e7 scope link 203.0.113.243 dev vrf1d63891f-e7 scope link 203.0.113.252 dev vrf1d63891f-e7 scope link 203.0.113.229 dev vrf1d63891f-e7 scope link $ ovn-nbctl lsp-list `ovn-nbctl ls-list | grep ad8c81c1-08fd-4503-833f-912675d1c6d8 | cut -f1 -d\ ` | while read a b; do echo -n "$b "; ovn-nbctl lsp-get-addresses $a; done (3d2dbb2a-b004-4955-a4ca-4d4a88d2f702) unknown (71a1d9eb-11bb-4278-979b-6a1d83e87ecc) fa:16:3e:15:5e:b5 203.0.113.229/27 (7398b975-552a-408f-8289-25e52d5cb8fc) fa:16:3e:e7:dd:5d 203.0.113.252/27 (ccbb42e0-3258-4ade-a5e6-c873ca0530b7) fa:16:3e:97:9d:d7 (e6a43606-2ea3-4967-9aa2-967c800cbdbe) fa:16:3e:4e:e9:d8 203.0.113.243/27 (provnet-5aa931a9-ac56-4144-ab7d-c61819a46c2a) unknown 3d2dbb2a-b004-4955-a4ca-4d4a88d2f702 (vpn-gw-30e448d5-078e-40fe-9418-901f8195b6cb) stands out from other ports, has no addresses $ ovn-nbctl lsp-set-addresses 3d2dbb2a-b004-4955-a4ca-4d4a88d2f702 "fa:16:3e:e5:e0:69 203.0.113.246/27" $ ovn-nbctl lsp-list `ovn-nbctl ls-list | grep ad8c81c1-08fd-4503-833f-912675d1c6d8 | cut -f1 -d\ ` | while read a b; do echo -n "$b "; ovn-nbctl lsp-get-addresses $a; done (3d2dbb2a-b004-4955-a4ca-4d4a88d2f702) fa:16:3e:e5:e0:69 203.0.113.246/27 (71a1d9eb-11bb-4278-979b-6a1d83e87ecc) fa:16:3e:15:5e:b5 203.0.113.229/27 (7398b975-552a-408f-8289-25e52d5cb8fc) fa:16:3e:e7:dd:5d 203.0.113.252/27 (ccbb42e0-3258-4ade-a5e6-c873ca0530b7) fa:16:3e:97:9d:d7 (e6a43606-2ea3-4967-9aa2-967c800cbdbe) fa:16:3e:4e:e9:d8 203.0.113.243/27 (provnet-5aa931a9-ac56-4144-ab7d-c61819a46c2a) unknown routing table after: 203.0.113.228 dev vrf1d63891f-e7 scope link 203.0.113.243 dev vrf1d63891f-e7 scope link 203.0.113.246 dev vrf1d63891f-e7 scope link 203.0.113.252 dev vrf1d63891f-e7 scope link 203.0.113.229 dev vrf1d63891f-e7 scope link And now it's possible for tunnel to connect. I tried to identify code of ovn driver/plugin in neutron-vpnaas responsible for external port allocation, but I wasn't able to find it. --