
Unable to display L2TP sessions l2tp-server sessions
Closed, Invalid · Public · BUG

Description

Trying to view L2TP server sessions for established L2TP VPN connections to the VyOS LNS displays the following output:

xxx@backup-lns2:~$ show l2tp-server sessions
:...skipping...
Traceback (most recent call last):

File "/usr/libexec/vyos/op_mode/ppp-server-ctrl.py", line 74, in <module>
  main()
File "/usr/libexec/vyos/op_mode/ppp-server-ctrl.py", line 60, in main
  output, err = popen(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][args.proto]) + args.action + ses_pattern, stderr=DEVNULL, decode='utf-8')
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/vyos/util.py", line 89, in popen
  pipe = p.communicate(input, timeout)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/subprocess.py", line 1194, in communicate
  stdout = self.stdout.read()
           ^^^^^^^^^^^^^^^^^^

This prevents viewing sessions, and you also cannot reset an L2TP interface:

xxx@backup-lns2:~$ reset vpn l2tp interface l2tp0
^CTraceback (most recent call last):

File "/usr/libexec/vyos/op_mode/reset_vpn.py", line 56, in <module>
  res = vyos.opmode.run(sys.modules[__name__])
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/vyos/opmode.py", line 272, in run
  func(**args)
File "/usr/libexec/vyos/op_mode/reset_vpn.py", line 38, in reset_conn
  run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][protocol],
File "/usr/lib/python3/dist-packages/vyos/util.py", line 125, in run
  _, code = popen(
            ^^^^^^
File "/usr/lib/python3/dist-packages/vyos/util.py", line 89, in popen
  pipe = p.communicate(input, timeout)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/subprocess.py", line 1197, in communicate
  stderr = self.stderr.read()
           ^^^^^^^^^^^^^^^^^^

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202304261027
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Behavior change
Issue type
Bug (incorrect behavior)

Event Timeline

@joshua.hanley Could you provide the output of the next command?

sudo accel-cmd -p 2004 show sessions

@Viacheslav It hangs for a while and then eventually the following output:

xxx@backup-lns2:/home/xxx# sudo accel-cmd -p 2004 show sessions
Connection to "localhost:2004" failed

Also the command "show l2tp-server sessions" displays the following output if you leave it hanging for ten minutes without any keyboard interrupts:

xxx@backup-lns2:~$ show l2tp-server sessions
l2tp server is not running

L2TP is definitely running as I've had my home FTTC connection terminating on this LNS via L2TP for several weeks plus a few customers are connected.

Could you provide the l2tp configuration? show conf com | match l2tp
I cannot reproduce it.

vyos@r14:~$ 
vyos@r14:~$ show l2tp-server sessions 
 ifname | username |      ip      | ip6 | ip6-dp |  calling-sid  | rate-limit | state  |  uptime  | rx-bytes | tx-bytes 
--------+----------+--------------+-----+--------+---------------+------------+--------+----------+----------+----------
 l2tp0  | alice    | 100.64.203.0 |     |        | 192.168.122.1 |            | active | 00:00:10 | 246 B    | 208 B
vyos@r14:~$ 
vyos@r14:~$ 
vyos@r14:~$ show version 
Version:          VyOS 1.4-rolling-202304261027
Release train:    current

Built by:         [email protected]
Built on:         Wed 26 Apr 2023 10:27 UTC
Build UUID:       6dee870f-c04e-4282-a551-41db656e6a26
Build commit ID:  25cf22e2ebcf2f

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (Q35 + ICH9, 2009)
Hardware S/N:     
Hardware UUID:    4d6f4d29-1ae8-446f-8d2b-3decd9da64c7

Copyright:        VyOS maintainers and contributors
vyos@r14:~$

It seems that for some reason the service is not started/available/other.

Hmmm, very strange... here is my configuration (IP addresses removed):

vpn {
    l2tp {
        remote-access {
            authentication {
                mode radius
                radius {
                    nas-identifier backup-lns2
                    server x.x.x.x {
                        key ****************
                    }
                    source-address x.x.x.x
                }
                require chap
            }
            ccp-disable
            client-ip-pool {
                start 100.64.0.1
                stop 100.64.255.254
            }
            gateway-address x.x.x.x
            lns {
                shared-secret PASSWORD
            }
            mtu 1492
            name-server x.x.x.x
            name-server x.x.x.x
            outside-address x.x.x.x
        }
    }
}

As previously stated, the above configuration is actively working with L2TP sessions established. Am I missing something?

Do you have usernames/passwords with special symbols, non-UTF-8 characters or some ASCII symbols?

Usernames usually take the following format: abc-1234-12
Passwords are a combination of alphanumeric characters.

Hi @Viacheslav

I've identified the root cause of the problem. It seems to be the control plane filter (local firewall) applied to the router that is preventing connections from the localhost to localhost:2004.

Configuring a rule within the control plane firewall resolves this problem. Example:

rule 12 {
    action accept
    destination {
        address 127.0.0.1
    }
    log disable
    protocol all
    source {
        address 127.0.0.1
    }
}

If you have IPv6 enabled it will prefer an IPv6 connection over IPv4, so you will also need a rule for IPv6:

rule 10 {
    action accept
    destination {
        address ::1
    }
    protocol all
    source {
        address ::1
    }
}

Might be worth mentioning this in the document if not already... feel free to close this. :)
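The thread shows why the op-mode tool's "l2tp server is not running" message was misleading: a firewall DROP on loopback traffic makes the connection to the accel-ppp control port hang until a timeout, which looks the same to a naive caller as a daemon that is not listening. The script below is an added diagnostic example, not VyOS or accel-ppp code. It probes the control port on both loopback addresses with a short timeout and separates "refused" (nothing listening, the real "not running" case) from "filtered" (no answer at all, the signature of the local firewall problem found here). Port 2004 and the addresses 127.0.0.1 and ::1 come from the thread; the helper listener and free-port finder are constructed purely so the script can be exercised without accel-ppp installed.

```python
"""Probe the accel-ppp control port the way an operator would while
diagnosing a hanging 'show l2tp-server sessions'.

Added example for this bug thread, not VyOS code. Assumes accel-ppp's
control socket listens on TCP 2004 (the port used by 'accel-cmd -p 2004'
in the thread) on the loopback addresses 127.0.0.1 and ::1.
"""
import socket

ACCEL_PPP_CTRL_PORT = 2004  # from the thread: sudo accel-cmd -p 2004 show sessions


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'refused', 'filtered' or 'unreachable' for host:port.

    refused     -> the kernel answered with RST: no daemon on that port
                   (the genuine 'l2tp server is not running' case).
    filtered    -> the SYN got no answer within the timeout; on loopback this
                   points at a local-firewall DROP rule, the root cause here.
    unreachable -> any other socket error, e.g. ::1 not configured.
    """
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((host, port))
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"


def diagnose(port: int = ACCEL_PPP_CTRL_PORT, timeout: float = 2.0) -> dict:
    """Probe both loopback families: accel-cmd prefers IPv6 when ::1 is
    available, so (as the thread notes) an IPv4-only allow rule is not enough."""
    return {host: probe(host, port, timeout) for host in ("127.0.0.1", "::1")}


def explain(results: dict) -> str:
    """Turn probe results into the operator-facing conclusion."""
    if "filtered" in results.values():
        return ("Loopback traffic to the control port is being dropped, most likely "
                "by the local (control-plane) firewall: allow 127.0.0.1 -> 127.0.0.1 "
                "and ::1 -> ::1 before trusting 'l2tp server is not running'.")
    if "open" in results.values():
        return "Control socket reachable; accel-ppp is up."
    return "Nothing is listening on the control port: accel-ppp really is not running."


# --- constructed test aids (stand-ins for accel-ppp; not part of VyOS) -------

def start_dummy_listener(host: str = "127.0.0.1"):
    """Open a throwaway TCP listener on an ephemeral port. The kernel completes
    the handshake into the backlog, so probe() reports 'open' without accept().
    Returns (port, close_callable)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv.getsockname()[1], srv.close


def free_port() -> int:
    """Find a currently unused local port so 'refused' can be demonstrated."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    results = diagnose()
    for host, state in results.items():
        print(f"{host}:{ACCEL_PPP_CTRL_PORT} -> {state}")
    print(explain(results))
```

Run it on the LNS itself: a "filtered" verdict for either loopback address, with the daemon confirmed running in the process list, is exactly the state this thread ended in, and the fix is the pair of accept rules in the control-plane filter shown above rather than restarting the service.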

Incorrect firewall setting blocks the communication.