error message found in diagnose all


Vaishnavi Rajulu

Oct 9, 2024, 8:12:19 AM
to submariner-users

Hi Guys,

I need to know what kind of error this is. Between the gateway nodes I have allowed all the ports and there is no iptables blockage. Still, the gateway connection status is in error. Please help to sort it out.

 ✗ Checking gateway connections
 ✗ Connection to cluster "rke2" is not established. Connection details:
{
  "status": "error",
  "statusMessage": "Failed to successfully ping the remote endpoint IP \"10.42.1.0\"",
  "endpoint": {
    "cluster_id": "rke2",
    "cable_name": "submariner-cable-rke2-115-x-x-x",
    "healthCheckIP": "10.42.1.0",
    "hostname": "k8-2",
    "subnets": [
      "10.43.0.0/16",
      "10.42.0.0/16"
    ],
    "private_ip": "115.x.x.x",
    "public_ip": "115.x.x.x",
    "nat_enabled": true,
    "backend": "libreswan",
    "backend_config": {
      "natt-discovery-port": "4490",
      "preferred-server": "false",
      "udp-port": "4500"
    }
  },
  "usingIP": "115.x.x.x",
  "latencyRTT": {
    "last": "0s",
    "min": "0s",
    "average": "0s",
    "max": "0s",
    "stdDev": "0s"
  }
}
 ✓ Checking Submariner support for the kube-proxy mode
 ✓ The kube-proxy mode is supported
 ✗ Checking that firewall configuration allows intra-cluster VXLAN traffic
 ✗ The tcpdump output from the sniffer pod does not contain the client pod's IP. There seems to be some issue with the IPTable rules programmed on the "k8-worker2" node, Actual pod output:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vx-submariner, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:38:42.129778 IP 240.92.113.165.29992 > 10.96.0.0.8080: Flags [S], seq 1357660456, win 64240, options [mss 1410,sackOK,TS val 2144627197 ecr 0,nop,wscale 7], length 0
11:38:43.136510 IP 240.92.113.165.29992 > 10.96.0.0.8080: Flags [S], seq 1357660456, win 64240, options [mss 1410,sackOK,TS val 2144628204 ecr 0,nop,wscale 7], length 0
11... (truncated)

Yossi Boaron

Oct 9, 2024, 11:10:03 AM
to Vaishnavi Rajulu, submariner-users
Hi Vaishnavi,

For CNIs other than OVN-K, Submariner uses UDP port 4800 to encapsulate Pod traffic from worker and master nodes to the Gateway nodes. You need to ensure that the firewall configuration allows 4800/UDP across all nodes in the cluster in both directions.


Regards
Yossi
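
As an added illustration of the advice above (not part of the thread and not Submariner code), this Python sketch reads an `iptables-save` filter-table dump and reports which rule in a built-in chain first decides new UDP traffic to port 4800. The sample dump is constructed; the function does not follow jumps to user-defined chains, and it lists rules that carry other matches (source, interface, conntrack state, negation) as skipped rather than evaluating them.

```python
# Added example: which filter rule first decides new UDP traffic to a given port?
KNOWN = {"-p", "-m", "--dport", "--dports", "-j", "--reject-with"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample (not from the thread): gateway ports opened, 4800/UDP forgotten.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m multiport --dports 4490,4500 -j ACCEPT
COMMIT
"""

def port_in(spec, port):
    """True if port is in an iptables port spec such as '4490,4500' or '4000:5000'."""
    ranges = (part.partition(":") for part in spec.split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def udp_verdict(dump, port, chain="INPUT"):
    """Return (verdict, deciding rule or 'policy', skipped conditional rules)."""
    policy, skipped = "ACCEPT", []
    for line in dump.splitlines():
        if line.startswith(f":{chain} "):
            policy = line.split()[1]  # chain default, e.g. ':INPUT DROP [0:0]'
        if not line.startswith(f"-A {chain} "):
            continue
        tok = line.split()[2:]
        if "!" in tok:
            skipped.append(line)  # negated matches are not evaluated here
            continue
        opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if opt.get("-j") not in TERMINAL:
            continue  # jumps to user-defined chains are not followed here
        if opt.get("-p", "all") not in ("udp", "all"):
            continue
        spec = opt.get("--dport") or opt.get("--dports")
        if spec and not port_in(spec, port):
            continue
        if set(opt) - KNOWN:
            skipped.append(line)  # depends on source, interface, state, ...
            continue
        return opt["-j"], line, skipped
    return policy, "policy", skipped

if __name__ == "__main__":
    for p in (4500, 4800):
        print(p, udp_verdict(SAMPLE, p)[:2])
```

On a node, pass it the text printed by `iptables-save -t filter` and check both the INPUT and OUTPUT chains; the skipped list shows the rules that still need to be read by hand.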


Vaishnavi Rajulu

Oct 10, 2024, 1:06:01 AM
to submariner-users
Hi Guys,

For CNIs other than OVN-K, Submariner uses UDP port 4800 to encapsulate Pod traffic from worker and master nodes to the Gateway nodes. You need to ensure that the firewall configuration allows 4800/UDP across all nodes in the cluster in both directions.

I have allowed port 4800/UDP in all directions in my Kubernetes clusters. But I still get this. Can you give more specific troubleshooting steps?