can't connect to build.mozilla.org when VPNed in to MV office VPN

RESOLVED FIXED

Status

Infrastructure & Operations
NetOps
7 years ago
5 years ago

People

(Reporter: dbaron, Assigned: justdave)

Tracking

other
All
Other
Bug Flags:
needs-downtime +

Details

(Whiteboard: [02/08/2011 @ 7pm])

(Reporter)

Description

7 years ago
I thought there was a bug on this, but I can't find it, so I'm filing.

When I connect to the Mountain View office VPN from home (with the "Use this connection only for resources on its network" option in my VPN configuration), I'm unable to connect to http://build.mozilla.org/ .  Being unable to connect to build.mozilla.org means that http://tbpl.mozilla.org/ won't load.  I've heard reports of the same thing (can't load TBPL over office VPN) from other people.

When I connect to the office VPN, the DNS result I get for build.mozilla.org changes from what I get when unconnected:
$ host build.mozilla.org
build.mozilla.org is an alias for dm-wwwbuild01.mozilla.org.
dm-wwwbuild01.mozilla.org has address 63.245.208.186

to what I get when I'm inside the office:
$ host build.mozilla.org
build.mozilla.org has address 10.2.74.128
build.mozilla.org mail is handled by 10 dm-mail01.mozilla.org.
build.mozilla.org mail is handled by 10 dm-mail02.mozilla.org.

However, when I "Use this connection only for resources on its network", 10.2.74.128 isn't considered a resource on the network at the other end of the VPN, so I can't connect.

(If I uncheck "Use this connection only for resources on its network" and send *all* my traffic through the VPN, then it works, but I'd rather not have to do that...)
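
The mismatch described in this report, checked mechanically (an added example, not part of the original report or of Mozilla's tooling): a split-horizon DNS answer is only usable if the split-tunnel routing table sends that address through the VPN. The two addresses are the ones quoted above; the routing table, its prefixes and the interface names are constructed assumptions.

```python
import ipaddress

# Constructed split-tunnel routing table: (destination prefix, interface).
# Prefixes and interface names are assumptions, not the real office config.
ROUTES = [
    ("0.0.0.0/0", "eth0"),       # home default route, stays outside the VPN
    ("192.168.1.0/24", "eth0"),  # home LAN
    ("10.250.0.0/16", "tun0"),   # office prefix pushed by the VPN server
]


def egress_interface(addr, routes):
    """Longest-prefix match, the rule the OS uses to pick a route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def unreachable_internal(answers, routes, tunnel="tun0"):
    """Names that resolve to a private address the tunnel does not carry.

    Such traffic follows the default route to the home ISP, where a
    10.x.x.x destination goes nowhere.
    """
    flagged = []
    for name, addr in answers.items():
        private = ipaddress.ip_address(addr).is_private
        if private and egress_interface(addr, routes) != tunnel:
            flagged.append((name, addr))
    return flagged


if __name__ == "__main__":
    # DNS answers quoted in the report: VPN resolver vs. public resolver.
    vpn_dns = {"build.mozilla.org": "10.2.74.128"}
    public_dns = {"build.mozilla.org": "63.245.208.186"}
    print("VPN DNS, split tunnel:", unreachable_internal(vpn_dns, ROUTES))
    print("Public DNS:", unreachable_internal(public_dns, ROUTES))
    # Assumed extra prefix pushed to clients so the internal address is routed.
    fixed = ROUTES + [("10.2.0.0/16", "tun0")]
    print("After pushing a route:", unreachable_internal(fixed and vpn_dns, fixed))
```
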
(Reporter)

Comment 1

7 years ago
(In reply to comment #0)
> (If I uncheck "Use this connection only for resources on its network" and send
> *all* my traffic through the VPN, then it works, but I'd rather not have to do
> that...)

To be clear, the reason I don't want to have to do that is because it cuts off all my open connections whenever I connect to or disconnect from the VPN.
Bug 600039 is related.

Updated

7 years ago
Assignee: server-ops → network-operations
Component: Server Operations → Server Operations: Netops
(Reporter)

Comment 3

7 years ago
And if you want build.mozilla.org to not bounce you to https: (and ask for auth) immediately, use http://build.mozilla.org/builds/ or something inside it.

Comment 4

7 years ago
It works if you connect from the build VPN.  That is the VPN you need to use if you want to access build resources.
Assignee: network-operations → ravi
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WONTFIX
(Reporter)

Comment 5

7 years ago
This is data accessible to anyone in the world, *except* those connected to the MV VPN.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---

Comment 6

7 years ago
When you connect to the MV VPN you are getting the internal address for build.mozilla.org which is at the SJC1 datacenter.  To reach that resource you will need to connect to a VPN at that datacenter.  There are two of them -- 1 specifically for Build and the non-build one.  Both will work and you should be able to run 2 VPN sessions at the same time.
Status: REOPENED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WONTFIX
(Reporter)

Comment 7

7 years ago
That's *ridiculous*.

This is like saying that it's ok that I can't connect to http://www.mozilla.com/ if I'm VPN'd in to the office, because I could just connect to the MPT VPN too and then I'd be able to get in.


This should either work, or we should ensure that production infrastructure like TBPL doesn't use it.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
The internal IP for build.mozilla.org seems to be accessible from mv-vpn01, so that makes it a config issue in openvpn to make the route available to clients.
Changing that config will require bouncing openvpn, and there are 7 people connected to it currently who will get dumped by doing so.
Flags: needs-downtime+
Assignee: ravi → justdave
dbaron - this was a bit of a hack to get build hosts working iirc.  The office -should- get the external address but I'm not sure what would break right now if I made that change.

Dave's right in comment #8 but I'm averse to making changes over this weekend (or especially this weekend).  If you can manage until Tuesday night, we can restart openvpn.

In the interim, if you need to be connected to the office.mozilla.org VPN, you could add a host entry:

63.245.208.186  build.mozilla.org
Whiteboard: [01/18/2011 @ 7pm]
(Reporter)

Comment 11

7 years ago
No rush.  Just something that's been bothersome for a while (to me, and I think to others as well).

Updated

7 years ago
Whiteboard: [01/18/2011 @ 7pm] → [01/20/2011 @ 7pm]

Updated

7 years ago
Whiteboard: [01/20/2011 @ 7pm] → [01/25/2011 @ 7pm]
Status: REOPENED → NEW
Whiteboard: [01/25/2011 @ 7pm] → [02/08/2011 @ 7pm]
restarted.  only saw infrasec and infra folk attached (over long lived sessions).
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
(Reporter)

Comment 13

7 years ago
This regressed recently; I filed bug 655794.
Product: mozilla.org → Infrastructure & Operations