Closed
Bug 1227710
Opened 9 years ago
Closed 9 years ago
Cannot access xiph1.community.scl3.mozilla.com from scl3 vpn
Categories
(Infrastructure & Operations :: Infrastructure: OpenVPN, task)
Infrastructure & Operations
Infrastructure: OpenVPN
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: rillian, Assigned: jabba)
Details
I used to be able to ssh to xiph1.community.scl3.mozilla.com over openvpn.scl3.mozilla.com, but it no longer seems to work. Can you please help me regain access?
Bouncing through the jumphost works, so it's not an issue with the machine itself.
My ldap is rgiles@mozilla.com.
Comment 2•9 years ago
:dcurado - is this a supported flow for either ssh.mozilla.com or vpn clients to reach? If so, then I think I just need to add a route and an ACL to the vpn and ldap group config.
Flags: needinfo?(dcurado)
Comment 3•9 years ago
The policy on the firewall allows anything to go through.
So I have no idea why Ralph would be blocked.
HTHs,
Dave
dcurado@fw1.ops.scl3.mozilla.net> show security policies from-zone corpdmz to-zone community
node1:
--------------------------------------------------------------------------
From zone: corpdmz, To zone: community
Policy: VPN--ANY, State: enabled, Index: 910, Scope Policy: 0, Sequence number: 1
Source addresses: vpn.corpdmz.scl3--net, openvpn1.corpdmz.scl3, openvpn1.stage.corpdmz.scl3, ssh1.corpdmz.scl3,
ssh1.stage.corpdmz.scl3
Destination addresses: any
Applications: any
Action: permit
Comment 4•9 years ago
Ah, I see the problem. We've commented out the route for the community vlan in the openvpn routing table:
jabba@JabbaBookPro:~/svn/puppet/trunk/manifests/nodes> svn log -v -r 84355
------------------------------------------------------------------------
r84355 | rsoderberg@mozilla.com | 2014-03-13 14:14:18 -0700 (Thu, 13 Mar 2014) | 1 line
Changed paths:
M /puppet/trunk/manifests/nodes/openvpn.pp
openvpn: comment out community.scl3 route until we can fix callek
Needinfo :atoll and :Callek for more info on this. I'm guessing it's no longer relevant, but want to make sure before adding it back. I believe if all is good, then we can simply add that route back and things will work, as there is already a vpn_community group with proper ACLs, of which Ralph is a member.
Flags: needinfo?(rsoderberg)
Flags: needinfo?(dcurado)
Flags: needinfo?(bugspam.Callek)
Comment 5•9 years ago
I don't remember which bug this was from offhand, but I *think* it was because when I was on the VPN I couldn't access the bugzilla staging/dev servers (via http even!) due to it trying to route through the VPN and things not liking it that way.
Flags: needinfo?(bugspam.Callek)
Comment 6•9 years ago
I remember! We tried to ship the route on a day that Callek was having Windows VPN issues, and since it was a release week, there was no time to troubleshoot.
Callek, I assume if this causes issues for you, the next couple days are an acceptable time to troubleshoot?
Flags: needinfo?(rsoderberg)
Comment 7•9 years ago
(In reply to Richard Soderberg [:atoll] from comment #6)
> I remember! We tried to ship the route on a day that Callek was having
> Windows VPN issues, and since it was a release week, there was no time to
> troubleshoot.
>
> Callek, I assume if this causes issues for you, the next couple days are an
> acceptable time to troubleshoot?
I'm not actively using the bmo staging servers atm, and over the next few weeks if there are *any* vpn issues I don't feel ashamed to troubleshoot as necessary. So "proceed without worry for me".
Comment 8•9 years ago
I've uncommented that route. :rillian, let me know if that solves the issue. :Callek let me know if this breaks anything for you.
The change probably won't be live for up to an hour after this bug comment.
Assignee: infra → jdow
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(cshields)
Resolution: --- → FIXED
Comment 9•9 years ago
I can no longer access landfill.bugzilla.org via the VPN. It's attempting to route me through the VPN to get to it, and it's unreachable via the VPN. It's on a public IP so I shouldn't need to go through the VPN to get to it?
Comment 10•9 years ago
(In reply to Dave Miller [:justdave] (justdave@bugzilla.org) from comment #9)
> I can no longer access landfill.bugzilla.org via the VPN. It's attempting
> to route me through the VPN to get to it, and it's unreachable via the VPN.
> It's on a public IP so I shouldn't need to go through the VPN to get to it?
+1 to adding community VLAN to the vpn_default ACL list.
Comment 11•9 years ago
(In reply to Richard Soderberg [:atoll] from comment #10)
> (In reply to Dave Miller [:justdave] (justdave@bugzilla.org) from comment #9)
> > I can no longer access landfill.bugzilla.org via the VPN. It's attempting
> > to route me through the VPN to get to it, and it's unreachable via the VPN.
> > It's on a public IP so I shouldn't need to go through the VPN to get to it?
>
> +1 to adding community VLAN to the vpn_default ACL list.
I've added it, which should fix Dave's issue.
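The two breakages in this bug are mirror images of each other: first the community route was missing from the OpenVPN config while the vpn_community ACL permitted it (traffic never entered the tunnel), then the route was pushed to every client while the vpn_default ACL did not permit it (traffic entered the tunnel and was dropped, the landfill.bugzilla.org symptom). The check below is an added example written for this thread, not code from the bug, from Mozilla's puppet tree or from OpenVPN; it compares the `push "route ..."` lines of a server config (real OpenVPN syntax) against per-group destination ACLs and reports both mismatch directions. The prefixes and ACL contents are constructed placeholders; only the group names vpn_default and vpn_community come from the bug.

```python
"""Consistency check between routes an OpenVPN server pushes into the tunnel
and the destination networks an LDAP-group ACL permits.

Added example for bug 1227710; not code from the bug or from Mozilla's
puppet tree.  Every prefix below is a constructed placeholder.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample of an OpenVPN server config fragment.  The
# `push "route <network> <netmask>"` syntax is real; the prefixes are not.
SERVER_CONF = """
push "route 10.10.0.0 255.255.0.0"
# push "route 10.20.30.0 255.255.255.0"   # community.scl3, commented out
"""

# Constructed per-group ACLs: destination networks each LDAP group may reach.
# Group names are from the bug; the network values are placeholders.
GROUP_ACLS: Dict[str, List[str]] = {
    "vpn_default": ["10.10.0.0/16"],
    "vpn_community": ["10.10.0.0/16", "10.20.30.0/24"],
}

# Optional leading "#" lets us evaluate a commented-out route as if it were live.
PUSH_ROUTE = re.compile(r'^\s*(#\s*)?push\s+"route\s+(\S+)\s+(\S+)"')


def parse_pushed_routes(conf: str, include_commented: bool = False) -> List[ipaddress.IPv4Network]:
    """Return the networks the server pushes to clients as tunnel routes."""
    routes = []
    for line in conf.splitlines():
        m = PUSH_ROUTE.match(line)
        if not m:
            continue
        if m.group(1) and not include_commented:
            continue  # commented out: the client never receives this route
        routes.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return routes


def routed_but_denied(routes, acl_nets) -> List[str]:
    """Pushed prefixes that no ACL entry permits: the client sends that traffic
    into the tunnel and the VPN side drops it (the landfill.bugzilla.org case)."""
    return sorted(str(r) for r in routes if not any(r.subnet_of(a) for a in acl_nets))


def permitted_but_unrouted(routes, acl_nets) -> List[str]:
    """ACL destinations with no overlapping pushed route: the client never enters
    the tunnel for them, so the permission is useless (the original xiph1 case)."""
    return sorted(str(a) for a in acl_nets if not any(a.overlaps(r) for r in routes))


def check_group(conf: str, acls: Dict[str, List[str]], group: str,
                include_commented: bool = False) -> Dict[str, List[str]]:
    """Run both mismatch checks for one LDAP group."""
    routes = parse_pushed_routes(conf, include_commented)
    acl_nets = [ipaddress.ip_network(n) for n in acls[group]]
    return {
        "routed_but_denied": routed_but_denied(routes, acl_nets),
        "permitted_but_unrouted": permitted_but_unrouted(routes, acl_nets),
    }


if __name__ == "__main__":
    for live in (False, True):
        print(f"community route live: {live}")
        for group in GROUP_ACLS:
            print(f"  {group}: {check_group(SERVER_CONF, GROUP_ACLS, group, live)}")
```

With the community route commented out, vpn_community shows the prefix as permitted but unrouted; with it uncommented, vpn_default shows the same prefix as routed but denied, which is the mismatch comment 10's fix (adding the community VLAN to vpn_default) closes. Running the check against both states before a route change is pushed catches either regression before users report it.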