Prior to the April 28, 2025 hotfix release for versions 21.2.3, 22.1.3, and 22.1.4, if Versa services restarted four times within a 15-minute window, the system would attempt to trigger strongSwan. If strongSwan failed to fetch the staging configuration from the "BRANCH-POSTSTAGING" snapshot and establish an IPsec connection with the Staging Controller (to retrieve branch connectivity from the Director using the staging IP address), the services would remain stopped.
However, with the April 28, 2025 hotfix or later, if strongSwan cannot establish connectivity to the Controller, the services will continue attempting to restart.
Note: If the VOS node is running Bionic, OSSPACK installation is a must, to ensure the required and updated libraries are in place for strongSwan to function correctly and to establish IPsec tunnels to the staging controllers.
On the Controller with which the Branch establishes its IPsec connection using strongSwan, see:
/var/log/versa/alarms:
In Analytics and Director, the alarm key to look out for is "branch-in-maintenance-mode" which will include the Staging IP address through which we can ssh to the VOS node.
We have an open bug to update the Mgmt. IP of the appliance in maintenance mode, which allows us to connect to the VOS directly from the GUI.
Limitations:
1) If the branch is staged to a Hub-Controller and not to the Main controllers, then the strongSwan mechanism will not work. The appliance will continue to restart.
2) If all the WAN IPs of the VOS node are assigned by DHCP, and for any reason there is a delay in getting an IP from the DHCP server when eth-0/X comes back up on Linux, then strongSwan may not kick in, but services will continue to try coming up.
3) Director will show the updated Management IP of the Appliance [using strongSwan] only from the 22.1.4-20250701-Hotfix release. Until then, please use the Controller alarms to get the Management IP of the Branch node, which will be in maintenance mode.
4) If the Branch has a URL pattern match in its configuration, then strongSwan may not kick in owing to a bug.
Bug-ID : 129672
Description: A URL pattern match in the Branch configuration causes strongSwan to fail to fetch the tunnel config context, causing the strongSwan functionality to not work.
Fix-Release : Tentatively planned to be fixed in ~Aug 2025 Hotfix VOS release.
----------------------------------------------------------
How to test this feature in a controlled environment?
The below screenshots are taken from the Lab environment running:
Director-Version : 22.1.4-20250730
Controller-Version: 22.1.4-20250627
Branch-Version : 22.1.4-20250627
Branch-OSSPACK-Version: versa-flexvnf-osspack-B-20250726.bin
1) Kill the versa-vsmd process 4 times within 15 mins.
[admin@Branch: ~] $ sudo pkill -9 -f versa-vsmd
*[Kill the vsmd process four times only after all services have come up/started.]
Note: Forcefully killing the vsmd process immediately after services come up is not a real-world scenario. This can lead to improper behavior, and strongSwan may not function correctly under such conditions.
How to check if all the services are up or not?
Run "vsh status" from the Shell of the Appliance.
2) In another window, run tail -f on versa-appstart.log to view the running logs.
[admin@Branch] $ tail -f /var/log/versa/versa-appstart.log
3) Once strongSwan kicks in, on the Controller we should see "Branch BRANCH1 is connected in maintenance mode". The details of the Management IP and the corresponding Chassis-ID should be present one line above.
4) On the Branch where services went down and strongSwan has kicked in, below is a command you can run after SSHing in through the Versa Director to see the IPsec status over strongSwan.
5) Sample snippet of how a node in maintenance mode would look.
6) Please note that external auth will not work since Versa services are down, but we should be able to log in using local credentials to perform maintenance on the node to get the Versa services back up.
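
The timing rules in step 1 (four kills inside one 15-minute window, each issued only after all services are back up) can be scripted for a lab run. The script below is an added example, not Versa tooling: it assumes "vsh status" prints "Running" or "Stopped" per service, and the SETTLE, POLL and RUN_LAB_TEST names are hypothetical.

```shell
#!/bin/sh
# Lab-only driver for step 1: four vsmd kills inside one 15-minute window,
# each issued only after all services are back up. Added example, not Versa code.
# Assumptions (not from the KB): `vsh status` prints one line per service with
# "Running" when up and "Stopped" when down; SETTLE seconds after a kill is
# long enough for that output to show the restart in progress.
STATUS_CMD=${STATUS_CMD:-"vsh status"}
KILL_CMD=${KILL_CMD:-"sudo pkill -9 -f versa-vsmd"}   # command from step 1
WINDOW=${WINDOW:-900}    # 15 minutes, in seconds
KILLS=${KILLS:-4}
POLL=${POLL:-10}         # seconds between status polls
SETTLE=${SETTLE:-30}     # pause after each kill before polling again

# True when at least one service reports Running and none reports Stopped.
all_services_up() {
  _out=$($STATUS_CMD 2>/dev/null) || return 1
  printf '%s\n' "$_out" | grep -q 'Running' || return 1
  ! printf '%s\n' "$_out" | grep -qi 'Stopped'
}

# Poll until services are up; fail once the deadline (epoch seconds) passes.
wait_until_up() {
  until all_services_up; do
    [ "$(date +%s)" -lt "$1" ] || return 1
    sleep "$POLL"
  done
}

# Returns 0 when all kills landed inside one window, 1 when services were not
# up in time (fewer than four restarts in 15 minutes does not test the feature).
run_test() {
  wait_until_up $(( $(date +%s) + $WINDOW )) || return 1
  _start=$(date +%s)            # the window opens at the first kill
  _deadline=$(( _start + $WINDOW ))
  _i=1
  while [ "$_i" -le "$KILLS" ]; do
    wait_until_up "$_deadline" || { echo "window expired before kill $_i" >&2; return 1; }
    echo "kill $_i/$KILLS at +$(( $(date +%s) - _start ))s"
    $KILL_CMD || true
    _i=$(( _i + 1 ))
    [ "$_i" -gt "$KILLS" ] || sleep "$SETTLE"
  done
  return 0
}

# Nothing is killed unless explicitly requested (hypothetical switch).
if [ "${RUN_LAB_TEST:-0}" = 1 ]; then run_test; fi
```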
If you have any questions or concerns regarding this KB, feel free to contact us at support@versa-networks.com.