Closed Bug 626122 Opened 13 years ago Closed 13 years ago

can't connect to build.mozilla.org when VPNed in to MV office VPN

Categories

(Infrastructure & Operations Graveyard :: NetOps, task)

RESOLVED FIXED

People

(Reporter: dbaron, Assigned: justdave)

Details

(Whiteboard: [02/08/2011 @ 7pm])

I thought there was a bug on this, but I can't find it, so I'm filing.

When I connect to the mountain view office VPN from home (with the "Use this connection only for resources on its network" option in my VPN configuration), I'm unable to connect to http://build.mozilla.org/ .  Being unable to connect to build.mozilla.org means that http://tbpl.mozilla.org/ won't load.  I've heard reports of the same thing (can't load TBPL over office VPN) from other people.

When I connect to the office VPN, the DNS result I get for build.mozilla.org changes from what I get when unconnected:
$ host build.mozilla.org
build.mozilla.org is an alias for dm-wwwbuild01.mozilla.org.
dm-wwwbuild01.mozilla.org has address 63.245.208.186

to what I get when I'm inside the office:
$ host build.mozilla.org
build.mozilla.org has address 10.2.74.128
build.mozilla.org mail is handled by 10 dm-mail01.mozilla.org.
build.mozilla.org mail is handled by 10 dm-mail02.mozilla.org.

However, when I "Use this connection only for resources on its network", 10.2.74.128 isn't considered a resource on the network at the other end of the VPN, so I can't connect.

(If I uncheck "Use this connection only for resources on its network" and send *all* my traffic through the VPN, then it works, but I'd rather not have to do that...)
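
Added example (not part of the bug report and not Mozilla's configuration): a small Python check for the failure described in comment 0, where split-horizon DNS hands a split-tunnel VPN client an address that none of the pushed routes cover. The two addresses are the ones quoted above; the pushed routes and the 10.2.74.0/24 prefix are constructed placeholders, since the page does not list the real route set.

```python
import ipaddress

# Constructed placeholder routes standing in for what the VPN server pushes
# to a split-tunnel client. The real route list is not given on the page.
PUSHED_ROUTES = ["10.250.0.0/16", "192.168.10.0/24"]

# DNS answers quoted in comment 0: the public view and the view seen once
# the client is using the office resolver.
ANSWERS = {
    "public": {"build.mozilla.org": "63.245.208.186"},
    "vpn": {"build.mozilla.org": "10.2.74.128"},
}


def classify(addr, pushed_routes):
    """Return (verdict, matching_route) for one resolved address.

    via-vpn              a pushed route covers the address
    via-default-gateway  globally routable, leaves through the normal uplink
    unreachable          non-global (e.g. RFC 1918) address with no pushed
                         route, so it goes to the home gateway and dies there
    """
    ip = ipaddress.ip_address(addr)
    covering = [n for n in map(ipaddress.ip_network, pushed_routes) if ip in n]
    if covering:
        # Longest prefix wins, as in a real routing table.
        best = max(covering, key=lambda n: n.prefixlen)
        return "via-vpn", str(best)
    if ip.is_private:
        return "unreachable", None
    return "via-default-gateway", None


def audit(answers, pushed_routes):
    """Map each hostname to its verdict under the given pushed routes."""
    return {name: classify(addr, pushed_routes)[0]
            for name, addr in answers.items()}


if __name__ == "__main__":
    for view, answers in ANSWERS.items():
        print(view, audit(answers, PUSHED_ROUTES))
    # Hypothetical fix: the server also pushes a route covering the
    # internal address (prefix length is an assumption).
    print("fixed", audit(ANSWERS["vpn"], PUSHED_ROUTES + ["10.2.74.0/24"]))
```

Running the same audit over every name the internal DNS view overrides shows which services break for split-tunnel clients before a user reports it.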
(In reply to comment #0)
> (If I uncheck "Use this connection only for resources on its network" and send
> *all* my traffic through the VPN, then it works, but I'd rather not have to do
> that...)

To be clear, the reason I don't want to have to do that is because it cuts off all my open connections whenever I connect to or disconnect from the VPN.
Assignee: server-ops → network-operations
Component: Server Operations → Server Operations: Netops
And if you want build.mozilla.org to not bounce you to https: (and ask for auth) immediately, use http://build.mozilla.org/builds/ or something inside it.
It works if you connect from the build VPN.  That is the VPN you need to use if you want to access build resources.
Assignee: network-operations → ravi
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
This is data accessible to anyone in the world, *except* those connected to the MV VPN.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
When you connect to the MV VPN you are getting the internal address for build.mozilla.org which is at the SJC1 datacenter.  To reach that resource you will need to connect to a VPN at that datacenter.  There are two of them -- 1 specifically for Build and the non-build one.  Both will work and you should be able to run 2 VPN sessions at the same time.
Status: REOPENED → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
That's *ridiculous*.

This is like saying that it's ok that I can't connect to http://www.mozilla.com/ if I'm VPN'd in to the office, because I could just connect to the MPT VPN too and then I'd be able to get in.


This should either work, or we should ensure that production infrastructure like TBPL doesn't use it.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
The internal IP for build.mozilla.org seems to be accessible from mv-vpn01, so that makes it a config issue in openvpn to make the route available to clients.
Changing that config will require bouncing openvpn, and there are 7 people connected to it currently who will get dumped by doing so.
Flags: needs-downtime+
Assignee: ravi → justdave
dbaron - this was a bit of a hack to get build hosts working iirc.  The office -should- get the external address but I'm not sure what would break right now if I made that change.

Dave's right in comment #8 but I'm averse to making changes over this weekend (or especially this weekend).  If you can manage until Tuesday night, we can restart openvpn.

In the interim, if you need to be connected to the office.mozilla.org VPN, you could add a host entry:

63.245.208.186  build.mozilla.org
Whiteboard: [01/18/2011 @ 7pm]
No rush.  Just something that's been bothersome for a while (to me, and I think to others as well).
Whiteboard: [01/18/2011 @ 7pm] → [01/20/2011 @ 7pm]
Whiteboard: [01/20/2011 @ 7pm] → [01/25/2011 @ 7pm]
Status: REOPENED → NEW
Whiteboard: [01/25/2011 @ 7pm] → [02/08/2011 @ 7pm]
restarted.  only saw infrasec and infra folk attached (over long lived sessions).
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
This regressed recently; I filed bug 655794.
Product: mozilla.org → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard