nhrp not starting due to missing cisco-authentication value
Needs testing, Requires assessment | Public | BUG

Description

nhrp process fails to start with the corresponding logs:

systemd[1]: Starting OpenNHRP...
opennhrp[371721]: opennhrp[371721]: OpenNHRP 0.14-20-g613277f starting
opennhrp[371721]: OpenNHRP 0.14-20-g613277f starting
opennhrp[371721]: opennhrp[371721]: Configuration file syntax error in /run/opennhrp/opennhrp.conf:6, near word '300'
opennhrp[371721]: Configuration file syntax error in /run/opennhrp/opennhrp.conf:6, near word '300'
systemd[1]: opennhrp.service: Control process exited, code=exited, status=4/NOPERMISSION
systemd[1]: opennhrp.service: Failed with result 'exit-code'.
systemd[1]: Failed to start OpenNHRP.

Example configuration causing the issue:

protocols {
    nhrp {
        tunnel tun0 {
            cisco-authentication ""
            holding-time "300"
            multicast "dynamic"
            redirect { }
        }
    }
}

This is caused by the empty value of the cisco-authentication option that keeps the empty value in /run/opennhrp/opennhrp.conf, while the option shouldn't be added in this case:

# Created by VyOS - manual changes will be overwritten

interface tun100 #hub
    cisco-authentication
    holding-time 300
    multicast dynamic
    redirect

The correct configuration must look like this:

# Created by VyOS - manual changes will be overwritten

interface tun100 #hub
    holding-time 300
    multicast dynamic
    redirect

Details

Difficulty level
Unknown (require assessment)
Version
1.4-rolling-202206070913
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

From the provided log, the syntax error is in config string 6:
‘holding-time 300’

But yes, “cisco-authentication” shouldn’t be without values

Unfortunately, in this case the log is not accurate and doesn't indicate the exact issue. I think it's due to the incomplete string 5 (cisco-authentication) affecting string 6 (holding-time). After tests, it's confirmed that everything works as expected when there is no cisco-authentication option with a blank value.

Here is the string that is responsible for generating cisco-authentication for the nhrp config file. As far as I understand, "vyos_defined" doesn't operate as expected, and we need to figure out why this function is ignoring the "none" value

e.khudiyev changed Difficulty level from Easy (less than an hour) to Unknown (require assessment). Thu, Jun 9, 7:46 AM
e.khudiyev changed Is it a breaking change? from Perfectly compatible to Unspecified (possibly destroys the router).
n.fort changed the task status from Open to Needs testing. Fri, Jun 10, 6:13 PM

Since in the previous version set protocols nhrp tunnel tun0 cisco-authentication "" was allowed, a migration script is required. Otherwise, when upgrading, the configuration fails.
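
The three pieces discussed in this task (a migration step that drops a blank cisco-authentication node, a renderer that emits the keyword only with a value, and a pre-start check on the generated file), as an added example that is not VyOS code. Plain dicts stand in for the parsed configuration; the function names, VALUE_REQUIRED and the sample data are assumptions made for illustration.

```python
# Added example, not VyOS code: plain dicts stand in for the parsed config.
VALUE_REQUIRED = {"cisco-authentication", "holding-time", "multicast"}


def drop_blank_auth(tunnels):
    """Migration step: delete blank cisco-authentication nodes; report which."""
    cleaned, changed = {}, []
    for name, opts in tunnels.items():
        opts = dict(opts)  # copy so the caller's data is not modified
        secret = opts.get("cisco-authentication")
        if secret is not None and not secret.strip():
            del opts["cisco-authentication"]
            changed.append(name)  # these tunnels now run without NHRP auth
        cleaned[name] = opts
    return cleaned, changed


def render_interface(name, opts):
    """Render one interface block, writing a keyword only with its value."""
    lines = [f"interface {name}"]
    for key in ("cisco-authentication", "holding-time", "multicast"):
        value = str(opts.get(key, "")).strip()
        if value:
            lines.append(f"    {key} {value}")
    if "redirect" in opts:  # valueless flag, present or absent
        lines.append("    redirect")
    return "\n".join(lines) + "\n"


def valueless_options(conf_text):
    """Pre-start check: (line_no, keyword) for options written without a value."""
    hits = []
    for no, line in enumerate(conf_text.splitlines(), start=1):
        words = line.split("#", 1)[0].split()  # ignore trailing comments
        if len(words) == 1 and words[0] in VALUE_REQUIRED:
            hits.append((no, words[0]))
    return hits


# Constructed sample data mirroring the configuration in this report.
SAMPLE = {"tun0": {"cisco-authentication": "", "holding-time": "300",
                   "multicast": "dynamic", "redirect": {}}}
BROKEN_CONF = ("# Created by VyOS - manual changes will be overwritten\n\n"
               "interface tun100 #hub\n    cisco-authentication\n"
               "    holding-time 300\n    multicast dynamic\n    redirect\n")

if __name__ == "__main__":
    tunnels, changed = drop_blank_auth(SAMPLE)
    print("blank secret removed from:", changed)
    print(render_interface("tun0", tunnels["tun0"]))
    print("valueless options:", valueless_options(BROKEN_CONF))
```

The list returned by drop_blank_auth names the tunnels whose blank secret was removed, so an upgrade can log which tunnels are left without NHRP authentication.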