2014-02-11 Vyatta 6.5 bugs and fixes
L2TP configuration patch. Vyatta 6.3 remote-access L2TP configuration doesn't allow you to set two important parameters - the IPSec esp keylife and the PPP idle timeout. This patch allows you to set both.
flow-accounting service stops a few minutes after it starts. Sending flow-accounting data to a netflow collector seems to conflict with the in-memory plugin for netflow data.
administrator@r01:/opt/vyatta/sbin$ diff -u vyatta-netflow.pl vyatta-netflow.pl. bak --- vyatta-netflow.pl 2012-08-07 16:41:43.054226785 +0200 +++ vyatta-netflow.pl.bak 2012-08-07 16:38:14.407647538 +0200 @@ -276,7 +276,7 @@ my $facility = $config->returnValue('syslog-facility'); $output .= "syslog: $facility\n" if defined $facility; - my $plugins = 'plugins: '; + my $plugins = 'plugins: memory'; my $netflow = acct_get_netflow($config); if (defined $netflow) { my @names = acct_get_collector_names($config, 'netflow'); administrator@r01:/opt/vyatta/sbin$
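Review bot: the diff was taken with the edited file on the `---` side and the `.bak` original on the `+++` side, so it reads backwards: the fix is the `-` line `my $plugins = 'plugins: ';` and feeding this output to `patch` would reinstate `plugins: memory`. Regenerate it as `diff -u vyatta-netflow.pl.bak vyatta-netflow.pl` so it applies forwards. Worth documenting next to the change: from the visible lines nothing is appended to `$plugins` unless a netflow collector is defined, so with no collector configured the generated line degenerates to a bare `plugins: `, and without the memory plugin the local flow-accounting show commands have no in-memory table to read, leaving the collector as the only place the data is visible.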
Reboot drops cluster config. This is probably another case of incorrect node.def priority levels.
/opt/vyatta/share/vyatta-cfg/templates/cluster/node.def:priority: 960
Reboot drops policy route config. This is probably another case of incorrect node.def priority levels.
/opt/vyatta/share/vyatta-cfg/templates/policy/route/node.def:priority: 199
/opt/vyatta/share/vyatta-cfg/templates/policy/ipv6-route/node.def:priority: 210
The same /etc/rc.local fix may work for both; this assumes that you have set up ssh keys so root can ssh into vyatta@localhost without a password prompt. In my case the failure on boot to apply the policy route left /tmp/speed* files owned by root. Those need to be removed before any config can be committed.
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# Do not remove the following call to vyatta-postconfig-bootup.script.
# Any boot time workarounds should be put in script below so that they
# get preserved for the new image during image upgrade.
POSTCONFIG=/opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
[ -x $POSTCONFIG ] && $POSTCONFIG

# fix cluster and policy route dropped from config
sleep 20
rm -f /tmp/speed*
cmd="configure
load
commit
exit
exit
"
echo "$cmd" | ssh -t -t vyatta@localhost

exit 0
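Both of the reboot bugs above come down to node.def priority ordering, so the first thing to check on an affected box is the priority every template declares and the order that gives. The script below is an added example, not part of the original notes or of Vyatta itself: the function names are mine, the template root is passed in as a parameter (the real one is /opt/vyatta/share/vyatta-cfg/templates, as quoted above), and the sample tree it builds for the demo is constructed here, using the three priorities quoted in the notes plus one made-up interfaces entry.

```shell
#!/bin/sh
# Added example (not Vyatta code): inspect node.def priorities so a template
# that loads too early or too late at boot can be spotted before editing it.

# Print the priority declared in one template directory's node.def, or nothing.
node_priority() {
    sed -n 's/^priority:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1/node.def" | head -n 1
}

# List every node.def under the template root as "<priority> <template path>",
# sorted ascending, which is the order the config loader applies them.
list_node_priorities() {
    root="$1"
    find "$root" -name node.def -print | while read -r def; do
        prio=$(sed -n 's/^priority:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$def" | head -n 1)
        [ -n "$prio" ] || continue          # templates without a priority are skipped
        rel=${def#"$root"/}                 # strip the root prefix ...
        rel=${rel%/node.def}                # ... and the node.def suffix
        printf '%s %s\n' "$prio" "$rel"
    done | sort -n
}

# Succeed when template A is applied before template B (lower priority first).
# Use this to assert that something a config node depends on loads ahead of it.
applied_before() {
    a=$(node_priority "$1")
    b=$(node_priority "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}

# Constructed sample tree: the three priorities quoted in the notes, plus an
# invented interfaces/ethernet entry so the listing has something in between.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/cluster" "$root/policy/route" "$root/policy/ipv6-route" "$root/interfaces/ethernet"
    printf 'priority: 960\n' > "$root/cluster/node.def"
    printf 'priority: 199\n' > "$root/policy/route/node.def"
    printf 'priority: 210\n' > "$root/policy/ipv6-route/node.def"
    printf 'priority: 300\ntype: txt\n' > "$root/interfaces/ethernet/node.def"
    printf '%s\n' "$root"
}

# Demo: build the sample tree and print the load order.
# On a real router run: list_node_priorities /opt/vyatta/share/vyatta-cfg/templates
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    list_node_priorities "$root"
    rm -rf "$root"
fi
```

Run it with `--demo` to see the sample order, or source it and call `list_node_priorities` against the live template directory; `applied_before` is the piece to put in a boot-time sanity check once you know which node a dropped config section depends on.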
TrafficShaper.pm mixes match conditions among classes. Any traffic shaper that contains a class with multiple match statements may hit this bug. The fix is a small change to /opt/vyatta/share/perl5/Vyatta/Qos/TrafficShaper.pm, where the code at the end of that file is changed to:
# one filter priority counter shared by all classes, so each tc filter
# under the parent gets a unique prio instead of colliding across classes
my $prio = 1;
foreach my $class (@$classes) {
    $class->gen_class( $dev, 'htb', $parent, $rate, $r2q );
    $class->gen_leaf( $dev, $parent, $rate );
    foreach my $match ( $class->matchRules() ) {
        $match->filter( $dev, $parent, $class->{id}, $prio++, $class->{dsmark} );
    }
}
Policy route setting fw mark. A policy route rule that sets a firewall mark does not terminate processing of the rules. A policy route rule that sets an alternate routing table does terminate processing of the rules. I don't have a fix for this yet.
Windows 7 boxes connecting to a Vyatta L2TP VPN have problems with rekeying. Based on this we have a patch, but it still does not work:
--- opt/vyatta/share/perl5/Vyatta/L2TPConfig.pm.original 2014-02-10 10:23:02.000000000 -0800 +++ opt/vyatta/share/perl5/Vyatta/L2TPConfig.pm 2014-02-10 10:32:54.000000000 -0800 @@ -419,17 +419,18 @@ right=%any rightsubnet=vhost:%no,%priv auto=add - ike=aes256-sha1,3des-sha1! + ike=3des-sha1-modp1024! dpddelay=15 dpdtimeout=45 dpdaction=clear esp=aes256-sha1,3des-sha1! - rekey=no + rekey=yes + keylife=2h EOS if (defined($self->{_ike_lifetime})){ $str .= " ikelifetime=$self->{_ike_lifetime}\n"; } else { - $str .= " ikelifetime=3600s\n"; + $str .= " ikelifetime=4h\n"; } $str .= "$cfg_delim_end\n"; return ($str, undef);
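Review bot: the `ike=` change replaces the two-proposal list `aes256-sha1,3des-sha1!` with the single proposal `3des-sha1-modp1024!` for every client, not only Windows 7, and the trailing `!` keeps it strict, so AES is no longer offered at all; if the intent is to pin the DH group, keep the AES proposal in front, e.g. `ike=aes256-sha1-modp1024,3des-sha1-modp1024!`. The added `keylife=2h` is hardcoded while `ikelifetime` remains configurable through `$self->{_ike_lifetime}`, which also works against the L2TP configuration patch at the top of this page whose purpose is to make the ESP keylife settable; thread it through the same `defined(...)` branch as the IKE lifetime. Finally, `rekey=yes` together with the default `ikelifetime` moving from `3600s` to `4h` changes behaviour for every tunnel that does not set a lifetime explicitly, so that default change should be called out wherever this patch is recorded.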