Routes lost on DHCP lease renewal (breaks VPN)

Bug #288703 reported by Tore Anderson
16
Affects Status Importance Assigned to Milestone
NetworkManager
Fix Released
Medium
network-manager (Ubuntu)
Fix Released
Medium
Unassigned
Intrepid
Won't Fix
Medium
Unassigned

Bug Description

Binary package hint: network-manager

When NetworkManager renews the DHCP lease, some routes are lost. So far I've noticed these being affected:

- the Zeroconf link-local route to 169.254.0.0/16 (I don't really see the point in having this route when a Zeroconf address is not assigned to the interface anyway, so this isn't a too big problem).
- the host-route to the OpenVPN gateway that's added when a VPN connection is established. This is a big problem for me, as the OpenVPN gateway resides within one of the networks that are to be tunneled over the tunnel, so loss of this route leads to a catch-22 situation where you try to route the OpenVPN packets inside the tunnel itself, and nothing works.

Magnus Svensson confirmed the bug in #269071; he observed it using using vpnc.

I've also confirmed that the Zeroconf route is lost even if I do not start the OpenVPN connection, so the problem has to be in the core of NetworkManager.

There's more info in bug #269071, quoting relevant parts from one comment under:

tore@envy:~$ ip r
 10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
 VPN-GW.VPN-GW.VPN-GW.VPN-GW via 10.0.0.1 dev wlan0 proto static
 10.0.0.0/24 dev wlan0 proto kernel scope link src 10.0.0.51 metric 2
 VPN.VPN.VPN.0/19 dev tun0 proto static scope link
 169.254.0.0/16 dev wlan0 scope link metric 1000
 VPN.VPN.0.0/12 dev tun0 proto static scope link
 default via 10.0.0.1 dev wlan0 proto static

I've added the routes to VPN.VPN.* manually using the workaround I mentioned in another comment, since the default route redirection doesn't work. One thing missing here is that there should be a route to 10.8.0.1 (the OpenVPN server's internal OpenVPN address). It used to be automatically added before (and indeed, it pushes that address as the DNS dhcp-option too), so that's another regression.
You can see the host-route added to VPN-GW x 4 (which is neccessary for the OpenVPN connection to work, since that particular address is part of my employers VPN.VPN.VPN.0/19 network (and the OpenVPN packets can't very well be routed inside of the OpenVPN tunnel).
Then the VPN connection stop working. In my logs I see the following:
Oct 14 23:10:46 envy dhclient: DHCPREQUEST of 10.0.0.51 on wlan0 to 10.0.0.1 port 67
 Oct 14 23:10:46 envy dhclient: DHCPACK of 10.0.0.51 from 10.0.0.1
 Oct 14 23:10:46 envy NetworkManager: <info> DHCP: device wlan0 state changed bound -> renew
 Oct 14 23:10:46 envy NetworkManager: <info> address 10.0.0.51
 Oct 14 23:10:46 envy NetworkManager: <info> prefix 24 (255.255.255.0)
 Oct 14 23:10:46 envy NetworkManager: <info> gateway 10.0.0.1
 Oct 14 23:10:46 envy NetworkManager: <info> nameserver '217.13.7.140'
 Oct 14 23:10:46 envy NetworkManager: <info> nameserver '217.13.4.24'
 Oct 14 23:10:46 envy NetworkManager: <info> domain name 'lan'
 Oct 14 23:10:46 envy NetworkManager: <info> (wlan0): writing resolv.conf to /sbin/resolvconf
 Oct 14 23:10:46 envy dhclient: bound to 10.0.0.51 -- renewal in 2735 seconds.
 Oct 14 23:10:46 envy avahi-daemon[5342]: Withdrawing address record for 10.0.0.51 on wlan0.
 Oct 14 23:10:46 envy avahi-daemon[5342]: Leaving mDNS multicast group on interface wlan0.IPv4 with address 10.0.0.51.
 Oct 14 23:10:46 envy avahi-daemon[5342]: Interface wlan0.IPv4 no longer relevant for mDNS.
 Oct 14 23:10:46 envy avahi-daemon[5342]: Joining mDNS multicast group on interface wlan0.IPv4 with address 10.0.0.51.
 Oct 14 23:10:46 envy avahi-daemon[5342]: New relevant interface wlan0.IPv4 for mDNS.
 Oct 14 23:10:46 envy avahi-daemon[5342]: Registering new address record for 10.0.0.51 on wlan0.IPv4.
 Oct 14 23:10:47 envy NetworkManager: <info> (wlan0): writing resolv.conf to /sbin/resolvconf
 Oct 14 23:10:47 envy NetworkManager: <info> Policy set (wlan0) as default device for routing and DNS.
 Oct 14 23:12:36 envy nm-openvpn[23085]: [openvpn-gw.employer.no] Inactivity timeout (--ping-restart), restarting
 Oct 14 23:12:36 envy nm-openvpn[23085]: SIGUSR1[soft,ping-restart] received, process restarting
 Oct 14 23:12:38 envy nm-openvpn[23085]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
 Oct 14 23:12:38 envy nm-openvpn[23085]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
 Oct 14 23:12:38 envy nm-openvpn[23085]: Re-using SSL/TLS context
 Oct 14 23:12:38 envy nm-openvpn[23085]: LZO compression initialized
 Oct 14 23:12:38 envy nm-openvpn[23085]: UDPv4 link local: [undef]
 Oct 14 23:12:38 envy nm-openvpn[23085]: UDPv4 link remote: VPN-GW.VPN-GW.VPN-GW.VPN-GW:1194
 Oct 14 23:13:25 envy NetworkManager: <info> (wlan0): supplicant connection state change: 7 -> 6
 Oct 14 23:13:25 envy NetworkManager: <info> (wlan0): supplicant connection state change: 6 -> 7
 Oct 14 23:13:38 envy nm-openvpn[23085]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your networkconnectivity)
 Oct 14 23:13:38 envy nm-openvpn[23085]: TLS Error: TLS handshake failed
 Oct 14 23:13:38 envy nm-openvpn[23085]: SIGUSR1[soft,tls-error] received, process restarting
 Oct 14 23:13:40 envy nm-openvpn[23085]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
 [...repeated...]

And the new routing table:

tore@envy:~$ ip r
 10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
 10.0.0.0/24 dev wlan0 proto kernel scope link src 10.0.0.51 metric 2
 VPN.VPN.VPN.0/19 dev tun0 proto static scope link
 VPN.VPN.0.0/12 dev tun0 proto static scope link
 default via 10.0.0.1 dev wlan0 proto static

So what just happened? It seems that the DHCP lease (given out by a lame residental CPE/NAT device which terminates my DSL circuit) was up for renewal. As part of this procedure n-m removed the route to VPN-GW, which of cause breaks the tunnel since those packets are now routed to inside the VPN tunnel (a catch-22), since the VPN routes themselves are left in place. The same problem would occur if the redirection of the default route redirection worked, since VPN-GW is within the default route too. So the host (/32) route to the VPN GW needs to left intact for the VPN connection to work, but right now this too seems to be broken.

Tore

Changed in network-manager:
status: New → Confirmed
Alexander Sack (asac)
Changed in network-manager:
importance: Undecided → Medium
status: Confirmed → Triaged
Revision history for this message
Tore Anderson (toreanderson) wrote :

This bug is now fixed upstream by Dan Williams, in SVN r4277.

Tore

Revision history for this message
Alexander Sack (asac) wrote :

backport candidate for intrepid.

Changed in network-manager:
importance: Undecided → Medium
milestone: none → intrepid-updates
status: New → Triaged
Revision history for this message
Alexander Sack (asac) wrote :

fix committed on jaunty packging branch (new upstream merge).

Changed in network-manager:
status: Triaged → Fix Committed
Revision history for this message
Alexander Sack (asac) wrote : Re: [Bug 288703] Re: Routes lost on DHCP lease renewal (breaks VPN)

Tore Anderson wrote:
> This bug is now fixed upstream by Dan Williams, in SVN r4277.
>
>

please test the latest intrepid/jaunty packages in network-manager team
PPA ... those have the final 0.7 bits and hence you should be able to
verify the fix from above.

Thanks!

Changed in network-manager:
status: Unknown → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager - 0.7-0ubuntu1

---------------
network-manager (0.7-0ubuntu1) jaunty; urgency=low

  * (merge) new upstream release NetworkManager 0.7 final
    - rev 3802 lp:~vcs-imports/network-manager/main/
    + fix LP: #288963 Network Manager fails to connect to a system stored
      network with "set_network_cb(): Couldn't set network config: Did not receive
      correct message.." in intrepid
    + fix LP: #288703 Routes lost on DHCP lease renewal (breaks VPN)

  * drop probe v250 modem patch; this should be done in udev-extras; until
    that happens we rely on accurate hal-info
    - delete debian/patches/add_probe_for_v250_modems.patch
    - update debian/patches/series
  * drop upstreamed patches
    - delete debian/patches/50_gcc43.patch
    - delete debian/patches/lp282207_set_apn_at_syntax.patch
    - delete debian/patches/lp268667_more_ppp_default_options.patch
    - delete debian/patches/lp278631-initscript-polishing.patch
    - update debian/patches/series
  * drop unused patch
    - delete debian/patches/41o_completely_deactivate_stage1.patch
  * make manual regristration timeout patch out of automatic one (which
    was applied upstream)
    - rename debian/patches/lp303142_more_time_for_automatic_registration.patch
      => debian/patches/lp303142_more_time_for_manual_registration.patch
  * add patch to fix ftbfs
    - add debian/patches/ftbfs_nm_netlink_monitor.patch
    - update debian/patches/series
  * [libnm-util-dev] dont try to install nm-setting-ip6-config.h - which is
    supposed to be hidden in 0.7 final
    - update debian/libnm-util-dev.install
  * prepatch upstream soname version bump for libnm-util
    - add debian/patches/04-ltversioning.patch
    - update debian/patches/series
    ship the libs in libnm-util1
    - update debian/control
    - rename debian/libnm-util0.install => debian/libnm-util1.install
    and bump so shlibs control file info for libnm-util1
    - update debian/rules
  * add easy bzr builddeb support with proper upstream-revision (--show-ids)
    - add .bzr-builddeb/default.conf
  * install plugin in ppp 2.4.4 and 2.4.5 directory
    - update debian/network-manager.install

 -- Alexander Sack <email address hidden> Mon, 12 Jan 2009 13:29:24 +0100

Changed in network-manager:
status: Fix Committed → Fix Released
Revision history for this message
Sergio Zanchetta (primes2h) wrote :

Thank you for reporting this bug to Ubuntu. Intrepid Ibex 8.10 reached EOL on 30 March 2010.
Please see this document for currently supported Ubuntu releases:
https://wiki.ubuntu.com/Releases

Please feel free to report any other bugs you may find.
Thank you.

Changed in network-manager (Ubuntu Intrepid):
status: Triaged → Won't Fix
Revision history for this message
Sergio Zanchetta (primes2h) wrote :

I realized I had made a mistake, Intrepid Ibex 8.10 "will reach" EOL on 30 "APRIL" 2010.

Sorry for this.

Anyway, I think that one month doesn't make any difference now.

Changed in network-manager:
importance: Unknown → Medium
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.