
2014-02-11 Vyatta 6.5 bugs and fixes

L2TP configuration patch. The Vyatta 6.3 remote-access L2TP configuration doesn't let you set two important parameters: the IPsec ESP keylife and the PPP idle timeout. This patch allows you to set both.


flow-accounting service stops a few minutes after it starts. Sending flow-accounting data to a netflow collector seems to conflict with the in-memory plugin for netflow data, so the fix takes `memory` out of the generated plugins line in vyatta-netflow.pl:

administrator@r01:/opt/vyatta/sbin$ diff -u vyatta-netflow.pl vyatta-netflow.pl.bak
--- vyatta-netflow.pl 2012-08-07 16:41:43.054226785 +0200
+++ vyatta-netflow.pl.bak 2012-08-07 16:38:14.407647538 +0200
@@ -276,7 +276,7 @@
     my $facility = $config->returnValue('syslog-facility');
     $output .= "syslog: $facility\n" if defined $facility;


- my $plugins = 'plugins: ';
+ my $plugins = 'plugins: memory';
     my $netflow = acct_get_netflow($config);
     if (defined $netflow) {
        my @names = acct_get_collector_names($config, 'netflow');
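Review bot: the arguments to `diff -u` are the edited file first and the `.bak` backup second, so this diff is reversed: the `+` line `my $plugins = 'plugins: memory';` is the original code and the `-` line is the fix, and `patch` would need `-R` to apply it as shown. Read forward, the fix drops `memory` unconditionally, before `defined $netflow` is even tested, so a box with no netflow collector configured can end up with a bare `plugins: ` line; consider keeping `memory` when `$netflow` is undefined, or at least confirm that local `show flow-accounting` output still works once the in-memory plugin is gone.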
administrator@r01:/opt/vyatta/sbin$

Reboot drops cluster config. This is probably another case of incorrect node.def priority levels; the cluster node commits at priority 960:

/opt/vyatta/share/vyatta-cfg/templates/cluster/node.def:priority: 960

Reboot drops policy route config. This is probably another case of incorrect node.def priority levels; the two policy route nodes commit at 199 and 210:

/opt/vyatta/share/vyatta-cfg/templates/policy/route/node.def:priority: 199
/opt/vyatta/share/vyatta-cfg/templates/policy/ipv6-route/node.def:priority: 210
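To see where a node sits in the commit order, the following script walks a templates tree, pulls the `priority:` value out of every node.def, and lists the nodes in ascending priority so that cluster (960) and policy route (199/210) can be compared with whatever they depend on. This is an added example written for this page, not Vyatta code; it assumes that lower priority numbers are committed first, and it builds a small constructed tree mirroring the three node.def lines above so it runs stand-alone. Point it at /opt/vyatta/share/vyatta-cfg/templates to scan a real installation.

```python
"""List Vyatta config nodes by node.def commit priority.

Added example for this page, not Vyatta code. Assumes the node.def
convention seen in the grep output above ('priority: N') and that
lower numbers are committed earlier than higher ones.
"""
import os
import re
import sys
import tempfile

# Matches 'priority: 960' with optional surrounding whitespace.
PRIORITY_RE = re.compile(r"^\s*priority:\s*(\d+)")


def node_priority(node_def_path):
    """Return the priority declared in one node.def, or None if it has none."""
    with open(node_def_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = PRIORITY_RE.match(line)
            if m:
                return int(m.group(1))
    return None


def scan_priorities(templates_root):
    """Walk the templates tree and return [(priority, config path)], sorted.

    The config path is the node.def's directory relative to the root,
    e.g. 'policy/route', which is how the node is named in the CLI.
    Nodes whose node.def carries no priority line are skipped.
    """
    found = []
    for dirpath, _dirs, files in os.walk(templates_root):
        if "node.def" not in files:
            continue
        prio = node_priority(os.path.join(dirpath, "node.def"))
        if prio is None:
            continue
        rel = os.path.relpath(dirpath, templates_root).replace(os.sep, "/")
        found.append((prio, rel))
    return sorted(found)


def commits_before(priorities, node, other):
    """True if config node `node` is committed before `other` (lower first)."""
    table = {path: prio for prio, path in priorities}
    return table[node] < table[other]


# Constructed sample tree: only the three values quoted on this page.
SAMPLE_NODES = {
    "cluster": 960,
    "policy/route": 199,
    "policy/ipv6-route": 210,
}


def build_sample_tree():
    """Write the constructed node.def files to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="vyatta-templates-")
    for path, prio in SAMPLE_NODES.items():
        d = os.path.join(root, *path.split("/"))
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "node.def"), "w", encoding="utf-8") as fh:
            fh.write("priority: %d\nhelp: constructed sample node\n" % prio)
    return root


def sample_priority(root, config_path):
    """Priority of one node in a tree, looked up by its CLI-style path."""
    return node_priority(os.path.join(root, *config_path.split("/"), "node.def"))


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for prio, path in scan_priorities(root):
        print("%5d  %s" % (prio, path))
```

Run without arguments it prints the three sample nodes; with the real templates directory as the argument it prints every node that declares a priority, which makes it easy to spot a node that commits before something it refers to.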

The same /etc/rc.local fix may work for both. It assumes that you have set up ssh keys so root can ssh to vyatta@localhost without a password prompt. Note that rc.local's own comment says boot-time workarounds belong in vyatta-postconfig-bootup.script if they are to survive an image upgrade, so expect to re-apply this after upgrading. In my case the failure on boot to apply the policy route left /tmp/speed* files owned by root; those need to be removed before any config can be committed.

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# Do not remove the following call to vyatta-postconfig-bootup.script.
# Any boot time workarounds should be put in script below so that they
# get preserved for the new image during image upgrade.
POSTCONFIG=/opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
[ -x $POSTCONFIG ] && $POSTCONFIG

# Workaround: cluster and policy route are dropped from the running
# config at boot, so re-load and commit the saved config once the
# system has settled.
sleep 20

# A failed policy-route commit at boot leaves /tmp/speed* owned by
# root, and every later commit fails until they are gone.
rm -f /tmp/speed*

# Replay load/commit as the vyatta user over ssh. BatchMode makes ssh
# fail instead of waiting for a password if the key is missing, so a
# broken key cannot hang the boot; the two trailing exits leave
# configure mode and then the session.
cmd="configure
     load
     commit
     exit
     exit
    "
echo "$cmd" | ssh -t -t -o BatchMode=yes vyatta@localhost

exit 0

TrafficShaper.pm mixes match conditions among classes. Any traffic shaper that contains a class with multiple match statements may hit this bug. The fix is a small change to /opt/vyatta/share/perl5/Vyatta/Qos/TrafficShaper.pm: the loop at the end of that file becomes the following, with the filter priority counter declared once, before the class loop:

    # $dev, $parent, $rate, $r2q and $classes come from the enclosing
    # subroutine. $prio is declared once, before the class loop, so the
    # counter keeps running across classes and every tc filter on the
    # device gets a distinct priority instead of the numbering
    # restarting for each class.
    my $prio = 1;
    foreach my $class (@$classes) {
        $class->gen_class( $dev, 'htb', $parent, $rate, $r2q );
        $class->gen_leaf( $dev, $parent, $rate );
        foreach my $match ( $class->matchRules() ) {
            $match->filter( $dev, $parent, $class->{id}, $prio++,
                $class->{dsmark} );
        }
    }

Policy route setting fw mark. A policy route rule that sets a firewall mark does not stop processing of the later rules, whereas a rule that sets an alternate routing table does. I don't have a fix for this yet.


Windows 7 boxes connecting to a Vyatta L2TP VPN have problems with rekeying. Based on this we tried the following patch, but it still does not work:

--- opt/vyatta/share/perl5/Vyatta/L2TPConfig.pm.original	2014-02-10 10:23:02.000000000 -0800
+++ opt/vyatta/share/perl5/Vyatta/L2TPConfig.pm	2014-02-10 10:32:54.000000000 -0800
@@ -419,17 +419,18 @@
   right=%any
   rightsubnet=vhost:%no,%priv
   auto=add
-  ike=aes256-sha1,3des-sha1!
+  ike=3des-sha1-modp1024!
   dpddelay=15
   dpdtimeout=45
   dpdaction=clear
   esp=aes256-sha1,3des-sha1!
-  rekey=no
+  rekey=yes
+  keylife=2h
 EOS
   if (defined($self->{_ike_lifetime})){
     $str .= "  ikelifetime=$self->{_ike_lifetime}\n";
   } else {
-    $str .= "  ikelifetime=3600s\n";
+    $str .= "  ikelifetime=4h\n";
   }
   $str .= "$cfg_delim_end\n";
   return ($str, undef);
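Review bot: the `ike=3des-sha1-modp1024!` line drops AES entirely and, with the trailing `!`, makes 3DES-SHA1-modp1024 the only IKE proposal the gateway will accept; if the intent is just to pin the DH group for Windows 7, `ike=aes256-sha1-modp1024,3des-sha1-modp1024!` keeps the stronger cipher for clients that offer it. In the same hunk `keylife=2h` is hard-coded, while the L2TP patch at the top of this page exists precisely to make the ESP keylife configurable, so one of the two will silently override the other; and the fallback `ikelifetime` changes from 3600s to 4h for every deployment without an explicit `_ike_lifetime`, which should be called out or made configurable the same way.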