Submariner Gateways Not Establishing Connections Between Clusters #3158

Open
halekammoun opened this issue Sep 9, 2024 · 11 comments

@halekammoun

halekammoun commented Sep 9, 2024

  • I'm experiencing an issue where the Submariner gateways between my clusters are not establishing connections as expected and get stuck in the Connecting status (the IPsec tunnel is not established).

  • When running subctl show gateways, I observed that the gateways in member1 and member2 clusters are active, but 0 connections out of 1 are established for each.

  • Below is a summary of the scenario and the troubleshooting steps I have taken so far.

  • I'm using 3 clusters with minikube profiles (each cluster has an isolated network) for karmada and 2 members, also setting different service and pod CIDRs to avoid overlapping.

This is the subctl gather output:

hale@hale-VirtualBox:~$ subctl gather

Cluster "karmada-cluster"

Gathering information from cluster "karmada-cluster"

 ✓ Gathering broker logs

 ✓ Gathering broker resources

 ⚠ Gathering operator logs

 ✓ Found 1 pods matching label selector "name=submariner-operator"

 ⚠ Found logs for previous instances of pod submariner-operator-587b7f4fc6-frhq2

 ✓ Gathering operator resources

 ✓ Found 0 submariners in namespace "submariner-operator"

 ✓ Found 0 servicediscoveries in namespace "submariner-operator"

 ✓ Found 1 deployments by field selector "metadata.name=submariner-operator" in namespace "submariner-operator"

 ✓ Found 0 daemonsets by label selector "app=submariner-gateway" in namespace "submariner-operator"

 ✓ Found 0 daemonsets by label selector "app=submariner-metrics-proxy" in namespace "submariner-operator"

 ✓ Found 0 daemonsets by label selector "app=submariner-routeagent" in namespace "submariner-operator"

 ✓ Found 0 daemonsets by label selector "app=submariner-globalnet" in namespace "submariner-operator"

 ✓ Found 0 deployments by label selector "app=submariner-lighthouse-agent" in namespace "submariner-operator"

 ✓ Found 0 deployments by label selector "app=submariner-lighthouse-coredns" in namespace "submariner-operator"

 ⚠ Gathering connectivity logs

 ⚠ The Submariner connectivity components are not installed

 ⚠ Gathering connectivity resources

 ⚠ The Submariner connectivity components are not installed

 ⚠ Gathering service-discovery logs

 ⚠ The Submariner service discovery components are not installed

 ⚠ Gathering service-discovery resources

 ⚠ The Submariner service discovery components are not installed

Files are stored under directory "submariner-20240907184724/karmada-cluster"



Cluster "member1"

Gathering information from cluster "member1"

 ✓ Gathering broker logs

 ✓ Gathering broker resources

 ✓ Found 2 endpoints in namespace "submariner-k8s-broker"

 ✓ Found 2 clusters in namespace "submariner-k8s-broker"

 ✓ Found 0 endpointslices by label selector "endpointslice.kubernetes.io/managed-by=lighthouse-agent.submariner.io" in namespace "submariner-k8s-broker"

 ✓ Found 0 serviceimports in namespace "submariner-k8s-broker"

 ✓ Gathering operator logs

 ✓ Found 1 pods matching label selector "name=submariner-operator"

 ✓ Gathering operator resources

 ✓ Found 1 submariners in namespace "submariner-operator"

 ✓ Found 1 servicediscoveries in namespace "submariner-operator"

 ✓ Found 1 deployments by field selector "metadata.name=submariner-operator" in namespace "submariner-operator"

 ✓ Found 1 daemonsets by label selector "app=submariner-gateway" in namespace "submariner-operator"

 ✓ Found 1 daemonsets by label selector "app=submariner-metrics-proxy" in namespace "submariner-operator"

 ✓ Found 1 daemonsets by label selector "app=submariner-routeagent" in namespace "submariner-operator"

 ✓ Found 1 daemonsets by label selector "app=submariner-globalnet" in namespace "submariner-operator"

 ✓ Found 1 deployments by label selector "app=submariner-lighthouse-agent" in namespace "submariner-operator"

 ✓ Found 1 deployments by label selector "app=submariner-lighthouse-coredns" in namespace "submariner-operator"

 ✓ Gathering connectivity logs

 ✓ Found 1 pods matching label selector "app=submariner-gateway"

 ✓ Found 1 pods matching label selector "app=submariner-routeagent"

 ✓ Found 1 pods matching label selector "app=submariner-metrics-proxy"

 ✓ Found 1 pods matching label selector "app=submariner-metrics-proxy"

 ✓ Found 1 pods matching label selector "app=submariner-globalnet"

 ✓ Found 0 pods matching label selector "app=submariner-addon"

 ✓ Gathering connectivity resources

 ✓ Gathering CNI data from 1 pods matching label selector "app=submariner-routeagent"

 ✓ Gathering CNI data from 1 pods matching label selector "app=submariner-gateway"

 ✓ Gathering cable driver data from 1 pods matching label selector "app=submariner-gateway"

 ✓ Found 2 endpoints in namespace "submariner-operator"

 ✓ Found 2 clusters in namespace "submariner-operator"

 ✓ Found 1 gateways in namespace "submariner-operator"

 ✓ Found 1 clusterglobalegressips in namespace ""

 ✓ Found 0 globalegressips in namespace ""

 ✓ Found 0 globalingressips in namespace ""

 ⚠ Gathering service-discovery logs

 ✓ Found 3 pods matching label selector "component=submariner-lighthouse"

 ✓ Found 1 pods matching label selector "k8s-app=kube-dns"

 ⚠ Found logs for previous instances of pod coredns-7db6d8ff4d-9cl6p

 ✓ Gathering service-discovery resources

 ✓ Found 0 serviceexports in namespace ""

 ✓ Found 0 serviceimports in namespace ""

 ✓ Found 0 endpointslices by label selector "endpointslice.kubernetes.io/managed-by=lighthouse-agent.submariner.io" in namespace ""

 ✓ Found 1 configmaps by label selector "component=submariner-lighthouse" in namespace "submariner-operator"

 ✓ Found 1 configmaps by field selector "metadata.name=coredns" in namespace "kube-system"

 ✓ Found 0 services by label selector "submariner.io/exportedServiceRef" in namespace ""

Files are stored under directory "submariner-20240907184724/member1"



Cluster "member2"

Gathering information from cluster "member2"

 ✓ Gathering broker logs

 ✓ Gathering broker resources

 ✓ Found 2 endpoints in namespace "submariner-k8s-broker"

 ✓ Found 2 clusters in namespace "submariner-k8s-broker"

 ✓ Found 0 endpointslices by label selector "endpointslice.kubernetes.io/managed-by=lighthouse-agent.submariner.io" in namespace "submariner-k8s-broker"

 ✓ Found 0 serviceimports in namespace "submariner-k8s-broker"

 ✓ Gathering operator logs

 ✓ Found 1 pods matching label selector "name=submariner-operator"

 ✓ Gathering operator resources

 ✓ Found 1 submariners in namespace "submariner-operator"

 ✓ Found 1 servicediscoveries in namespace "submariner-operator"

 ✓ Found 1 deployments by field selector "metadata.name=submariner-operator" in namespace "submariner-operator"

 ✓ Found 1 daemonsets by label selector "app=submariner-gateway" in namespace "submariner-operator"

 ✓ Found 1 daemonsets by label selector "app=submariner-metrics-proxy" in namespace "submariner-operator"

 ✓ Found 1 daemonsets by label selector "app=submariner-routeagent" in namespace "submariner-operator"

 ✓ Found 1 daemonsets by label selector "app=submariner-globalnet" in namespace "submariner-operator"

 ✓ Found 1 deployments by label selector "app=submariner-lighthouse-agent" in namespace "submariner-operator"

 ✓ Found 1 deployments by label selector "app=submariner-lighthouse-coredns" in namespace "submariner-operator"

 ✓ Gathering connectivity logs

 ✓ Found 1 pods matching label selector "app=submariner-gateway"

 ✓ Found 1 pods matching label selector "app=submariner-routeagent"

 ✓ Found 1 pods matching label selector "app=submariner-metrics-proxy"

 ✓ Found 1 pods matching label selector "app=submariner-metrics-proxy"

 ✓ Found 1 pods matching label selector "app=submariner-globalnet"

 ✓ Found 0 pods matching label selector "app=submariner-addon"

 ✓ Gathering connectivity resources

 ✓ Gathering CNI data from 1 pods matching label selector "app=submariner-routeagent"

 ✓ Gathering CNI data from 1 pods matching label selector "app=submariner-gateway"

 ✓ Gathering cable driver data from 1 pods matching label selector "app=submariner-gateway"

 ✓ Found 2 endpoints in namespace "submariner-operator"

 ✓ Found 2 clusters in namespace "submariner-operator"

 ✓ Found 1 gateways in namespace "submariner-operator"

 ✓ Found 1 clusterglobalegressips in namespace ""

 ✓ Found 0 globalegressips in namespace ""

 ✓ Found 0 globalingressips in namespace ""

 ⚠ Gathering service-discovery logs

 ✓ Found 3 pods matching label selector "component=submariner-lighthouse"

 ✓ Found 1 pods matching label selector "k8s-app=kube-dns"

 ⚠ Found logs for previous instances of pod coredns-7db6d8ff4d-p262h

 ✓ Gathering service-discovery resources

 ✓ Found 0 serviceexports in namespace ""

 ✓ Found 0 serviceimports in namespace ""

 ✓ Found 0 endpointslices by label selector "endpointslice.kubernetes.io/managed-by=lighthouse-agent.submariner.io" in namespace ""

 ✓ Found 1 configmaps by label selector "component=submariner-lighthouse" in namespace "submariner-operator"

 ✓ Found 1 configmaps by field selector "metadata.name=coredns" in namespace "kube-system"

 ✓ Found 0 services by label selector "submariner.io/exportedServiceRef" in namespace ""
Files are stored under directory "submariner-20240907184724/member2"

This is the subctl diagnose all output:

hale@hale-VirtualBox:~$ subctl diagnose all

Cluster "karmada-cluster"

 ✓ Checking Submariner support for the Kubernetes version

 ✓ Kubernetes version "v1.30.0" is supported





 ⚠ Submariner connectivity feature is not installed



 ⚠ Submariner service discovery feature is not installed





Cluster "member1"

 ✓ Checking Submariner support for the Kubernetes version

 ✓ Kubernetes version "v1.30.0" is supported



 ✓ Globalnet deployment detected - checking that globalnet CIDRs do not overlap

 ✓ Checking DaemonSet "submariner-gateway"

 ✓ Checking DaemonSet "submariner-routeagent"

 ✓ Checking DaemonSet "submariner-globalnet"

 ✓ Checking DaemonSet "submariner-metrics-proxy"

 ✓ Checking Deployment "submariner-lighthouse-agent"

 ✓ Checking Deployment "submariner-lighthouse-coredns"

 ✓ Checking the status of all Submariner pods

 ✓ Checking that gateway metrics are accessible from non-gateway nodes

 ✓ Skipping this check as it's a single node cluster

 ✓ Checking that globalnet metrics are accessible from non-gateway nodes

 ✓ Skipping this check as it's a single node cluster



 ⚠ Checking Submariner support for the CNI network plugin

 ⚠ Submariner could not detect the CNI network plugin and is using ("generic") plugin. It may or may not work.

 ✗ Checking gateway connections

 ✗ Connection to cluster "member2" is in progress

 ✓ Checking Submariner support for the kube-proxy mode

 ✓ The kube-proxy mode is supported

 ✓ Checking that firewall configuration allows intra-cluster VXLAN traffic

 ✓ Skipping this check as it's a single node cluster

 ✓ Checking that Globalnet is correctly configured and functioning



 ✓ Checking that services have been exported properly



Cluster "member2"

 ✓ Checking Submariner support for the Kubernetes version

 ✓ Kubernetes version "v1.30.0" is supported



 ✓ Globalnet deployment detected - checking that globalnet CIDRs do not overlap

 ✓ Checking DaemonSet "submariner-gateway"

 ✓ Checking DaemonSet "submariner-routeagent"

 ✓ Checking DaemonSet "submariner-globalnet"

 ✓ Checking DaemonSet "submariner-metrics-proxy"

 ✓ Checking Deployment "submariner-lighthouse-agent"

 ✓ Checking Deployment "submariner-lighthouse-coredns"

 ✓ Checking the status of all Submariner pods

 ✓ Checking that gateway metrics are accessible from non-gateway nodes

 ✓ Skipping this check as it's a single node cluster

 ✓ Checking that globalnet metrics are accessible from non-gateway nodes

 ✓ Skipping this check as it's a single node cluster



 ⚠ Checking Submariner support for the CNI network plugin

 ⚠ Submariner could not detect the CNI network plugin and is using ("generic") plugin. It may or may not work.

 ✗ Checking gateway connections

 ✗ Connection to cluster "member1" is in progress

 ✓ Checking Submariner support for the kube-proxy mode

 ✓ The kube-proxy mode is supported

 ✓ Checking that firewall configuration allows intra-cluster VXLAN traffic

 ✓ Skipping this check as it's a single node cluster

 ✓ Checking that Globalnet is correctly configured and functioning



 ✓ Checking that services have been exported properly



Skipping inter-cluster firewall check as it requires two kubeconfigs. Please run "subctl diagnose firewall inter-cluster" command manually.



subctl version: v0.18.0

And this is how I deploy the broker, then how I join the members:

# deploy the broker in the karmada cluster

sudo /home/hale/.local/bin/subctl deploy-broker --globalnet --kubeconfig .kube/config --context karmada-cluster



# join member1 to the broker

sudo /home/hale/.local/bin/subctl join --kubeconfig .kube/config --context member1 broker-info.subm --natt=false --health-check=false



# join member2 to the broker

sudo /home/hale/.local/bin/subctl join --kubeconfig .kube/config --context member2 broker-info.subm --natt=false --health-check=false

I’m looking for recommendations or assistance on how to set up these clusters locally in a different way to avoid this gateway creation issue.

Thank you for your support!

@yboaron
Contributor

yboaron commented Sep 10, 2024

Thanks for contacting, @halekammoun,

Submariner could not detect the CNI network plugin and is using ("generic") plugin. It may or may not work.

Submariner could not detect your CNI, what CNI are you using in your clusters?

Submariner uses the detected CNI information to automatically retrieve service and pod CIDRs of the cluster.

You can work around service and pod CIDR auto-discovery by providing them in the subctl join command, by adding the following params:

--clustercidr <pod CIDR> --servicecidr <service CIDR>

Could you reinstall using the updated join command and see if that helps?

@tpantelis
Contributor

Also please provide subctl gather output, specifically the pod logs.

@dfarrell07
Member

This seems to be duplicated by submariner-io/submariner-operator#3213. Closing that one as the discussion has started here.

@halekammoun
Author

@yboaron @tpantelis
I modified it but it is still stuck in the connecting status:

kubectl config use-context karmada-cluster

#deploy the broker in the karmada cluster

sudo /home/hale/.local/bin/subctl deploy-broker --kubeconfig .kube/config --context karmada-cluster

# join member1 to the broker 

sudo /home/hale/.local/bin/subctl join --kubeconfig .kube/config --context member1 broker-info.subm --natt=false \
 --clustercidr 10.245.0.0/16 --servicecidr 10.100.0.0/16 --health-check=false

# join member2 to the broker 

sudo /home/hale/.local/bin/subctl join --kubeconfig .kube/config --context member2 broker-info.subm --natt=false \
 --clustercidr 10.246.0.0/16 --servicecidr 10.110.0.0/16 --health-check=false

This is the output of subctl show all:

hale@hale-VirtualBox:~$ subctl show all

Cluster "member2"

 ✓ Detecting broker(s)

 ✓ No brokers found



 ✓ Showing Connections

GATEWAY   CLUSTER   REMOTE IP      NAT   CABLE DRIVER   SUBNETS                        STATUS       RTT avg.   

member1   member1   192.168.49.2   no    libreswan      10.100.0.0/16, 10.245.0.0/16   connecting              



 ✓ Showing Endpoints

CLUSTER   ENDPOINT IP    PUBLIC IP     CABLE DRIVER   TYPE     

member2   192.168.58.2   41.227.8.45   libreswan      local    

member1   192.168.49.2   41.227.8.45   libreswan      remote   



 ✓ Showing Gateways

NODE      HA STATUS   SUMMARY                                  

member2   active      0 connections out of 1 are established   



 ✓ Showing Network details

    Discovered network details via Submariner:

        Network plugin:  generic

        Service CIDRs:   [10.110.0.0/16]

        Cluster CIDRs:   [10.246.0.0/16]



 ✓ Showing versions 

COMPONENT                       REPOSITORY           CONFIGURED   RUNNING                     ARCH    

submariner-gateway              quay.io/submariner   0.18.0       release-0.18-e3f3e56b57fe   amd64   

submariner-routeagent           quay.io/submariner   0.18.0       release-0.18-e3f3e56b57fe   amd64   

submariner-metrics-proxy        quay.io/submariner   0.18.0       release-0.18-011349c6f17e   amd64   

submariner-operator             quay.io/submariner   0.18.0       release-0.18-68fefdd74105   amd64   

submariner-lighthouse-agent     quay.io/submariner   0.18.0       release-0.18-02b6a5b37266   amd64   

submariner-lighthouse-coredns   quay.io/submariner   0.18.0       release-0.18-02b6a5b37266   amd64   





Cluster "karmada-cluster"

 ✓ Detecting broker(s) 

NAMESPACE               NAME                COMPONENTS                        GLOBALNET   GLOBALNET CIDR   DEFAULT GLOBALNET SIZE   DEFAULT DOMAINS   

submariner-k8s-broker   submariner-broker   service-discovery, connectivity   no          242.0.0.0/8      65536                                      



 ✗ Showing Connections 

 ✗ No connections found



 ✓ Showing Endpoints

CLUSTER           ENDPOINT IP   PUBLIC IP     CABLE DRIVER   TYPE    

karmada-cluster   10.0.2.15     41.227.8.45   libreswan      local   



 ✓ Showing Gateways 

NODE              HA STATUS   SUMMARY                    

karmada-cluster   active      There are no connections   



 ✓ Showing Network details

    Discovered network details via Submariner:

        Network plugin:  generic

        Service CIDRs:   [10.96.0.0/12]

        Cluster CIDRs:   [10.244.0.0/16]



 ✓ Showing versions 

COMPONENT                       REPOSITORY           CONFIGURED   RUNNING                     ARCH    

submariner-gateway              quay.io/submariner   0.18.0       release-0.18-e3f3e56b57fe   amd64   

submariner-routeagent           quay.io/submariner   0.18.0       release-0.18-e3f3e56b57fe   amd64   

submariner-metrics-proxy        quay.io/submariner   0.18.0       release-0.18-011349c6f17e   amd64   

submariner-operator             quay.io/submariner   0.18.0       release-0.18-68fefdd74105   amd64   

submariner-lighthouse-agent     quay.io/submariner   0.18.0       release-0.18-02b6a5b37266   amd64   

submariner-lighthouse-coredns   quay.io/submariner   0.18.0       release-0.18-02b6a5b37266   amd64   



Cluster "member1"

 ✓ Detecting broker(s)

 ✓ No brokers found



 ✓ Showing Connections

GATEWAY   CLUSTER   REMOTE IP      NAT   CABLE DRIVER   SUBNETS                        STATUS       RTT avg.   

member2   member2   192.168.58.2   no    libreswan      10.110.0.0/16, 10.246.0.0/16   connecting              



 ✓ Showing Endpoints

CLUSTER   ENDPOINT IP    PUBLIC IP     CABLE DRIVER   TYPE     

member1   192.168.49.2   41.227.8.45   libreswan      local    

member2   192.168.58.2   41.227.8.45   libreswan      remote   



 ✓ Showing Gateways

NODE      HA STATUS   SUMMARY                                  

member1   active      0 connections out of 1 are established   



 ✓ Showing Network details

    Discovered network details via Submariner:

        Network plugin:  generic

        Service CIDRs:   [10.100.0.0/16]

        Cluster CIDRs:   [10.245.0.0/16]



 ✓ Showing versions 

COMPONENT                       REPOSITORY           CONFIGURED   RUNNING                     ARCH    

submariner-gateway              quay.io/submariner   0.18.0       release-0.18-e3f3e56b57fe   amd64   

submariner-routeagent           quay.io/submariner   0.18.0       release-0.18-e3f3e56b57fe   amd64   

submariner-metrics-proxy        quay.io/submariner   0.18.0       release-0.18-011349c6f17e   amd64   

submariner-operator             quay.io/submariner   0.18.0       release-0.18-68fefdd74105   amd64   

submariner-lighthouse-agent     quay.io/submariner   0.18.0       release-0.18-02b6a5b37266   amd64   

submariner-lighthouse-coredns   quay.io/submariner   0.18.0       release-0.18-02b6a5b37266   amd64   







subctl version: v0.18.0

And this is the output of subctl gather:

hale@hale-VirtualBox:~$ subctl gather 

Cluster "member1"

Gathering information from cluster "member1"

 ✓ Gathering connectivity logs 

 ✓ Found 1 pods matching label selector "app=submariner-gateway"

 ✓ Found 1 pods matching label selector "app=submariner-routeagent"

 ✓ Found 1 pods matching label selector "app=submariner-metrics-proxy"

 ✓ Found 0 pods matching label selector "app=submariner-globalnet"

 ✓ Found 0 pods matching label selector "app=submariner-addon"

 ✓ Gathering connectivity resources 

 ✓ Gathering CNI data from 1 pods matching label selector "app=submariner-routeagent"

 ✓ Gathering CNI data from 1 pods matching label selector "app=submariner-gateway"

 ✓ Gathering cable driver data from 1 pods matching label selector "app=submariner-gateway"

 ✓ Found 2 endpoints in namespace "submariner-operator"

 ✓ Found 3 clusters in namespace "submariner-operator"

 ✓ Found 1 gateways in namespace "submariner-operator"

 ✓ Found 0 clusterglobalegressips in namespace ""

 ✓ Found 0 globalegressips in namespace ""

 ✓ Found 0 globalingressips in namespace ""

 ✓ Gathering service-discovery logs 

 ✓ Found 3 pods matching label selector "component=submariner-lighthouse"

 ✓ Found 1 pods matching label selector "k8s-app=kube-dns"

 ✓ Gathering service-discovery resources 

 ✓ Found 0 serviceexports in namespace ""

 ✓ Found 0 serviceimports in namespace ""

 ✓ Found 0 endpointslices by label selector "endpointslice.kubernetes.io/managed-by=lighthouse-agent.submariner.io" in namespace ""

 ✓ Found 1 configmaps by label selector "component=submariner-lighthouse" in namespace "submariner-operator"

 ✓ Found 1 configmaps by field selector "metadata.name=coredns" in namespace "kube-system"

 ✓ Found 0 services by label selector "submariner.io/exportedServiceRef" in namespace ""

 ✓ Gathering broker logs

 ✓ Gathering broker resources 

 ✓ Found 3 endpoints in namespace "submariner-k8s-broker"

 ✓ Found 3 clusters in namespace "submariner-k8s-broker"

 ✓ Found 0 endpointslices by label selector "endpointslice.kubernetes.io/managed-by=lighthouse-agent.submariner.io" in namespace "submariner-k8s-broker"

 ✓ Found 0 serviceimports in namespace "submariner-k8s-broker"

 ✓ Gathering operator logs

 ✓ Found 1 pods matching label selector "name=submariner-operator"

 ✓ Gathering operator resources 

 ✓ Found 1 submariners in namespace "submariner-operator"

 ✓ Found 1 servicediscoveries in namespace "submariner-operator"

 ✓ Found 1 deployments by field selector "metadata.name=submariner-operator" in namespace "submariner-operator"

 ✓ Found 1 daemonsets by label selector "app=submariner-gateway" in namespace "submariner-operator"

 ✓ Found 1 daemonsets by label selector "app=submariner-metrics-proxy" in namespace "submariner-operator"

 ✓ Found 1 daemonsets by label selector "app=submariner-routeagent" in namespace "submariner-operator"

 ✓ Found 0 daemonsets by label selector "app=submariner-globalnet" in namespace "submariner-operator"

 ✓ Found 1 deployments by label selector "app=submariner-lighthouse-agent" in namespace "submariner-operator"

 ✓ Found 1 deployments by label selector "app=submariner-lighthouse-coredns" in namespace "submariner-operator"

Files are stored under directory "submariner-20240910171903/member1"



Cluster "member2"

Gathering information from cluster "member2"

 ✓ Gathering connectivity logs 

 ✓ Found 1 pods matching label selector "app=submariner-gateway"

 ✓ Found 1 pods matching label selector "app=submariner-routeagent"

 ✓ Found 1 pods matching label selector "app=submariner-metrics-proxy"

 ✓ Found 0 pods matching label selector "app=submariner-globalnet"

 ✓ Found 0 pods matching label selector "app=submariner-addon"

 ✓ Gathering connectivity resources 

 ✓ Gathering CNI data from 1 pods matching label selector "app=submariner-routeagent"

 ✓ Gathering CNI data from 1 pods matching label selector "app=submariner-gateway"

 ✓ Gathering cable driver data from 1 pods matching label selector "app=submariner-gateway"

 ✓ Found 2 endpoints in namespace "submariner-operator"

 ✓ Found 3 clusters in namespace "submariner-operator"

 ✓ Found 1 gateways in namespace "submariner-operator"

 ✓ Found 0 clusterglobalegressips in namespace ""

 ✓ Found 0 globalegressips in namespace ""

 ✓ Found 0 globalingressips in namespace ""

 ✓ Gathering service-discovery logs 

 ✓ Found 3 pods matching label selector "component=submariner-lighthouse"

 ✓ Found 1 pods matching label selector "k8s-app=kube-dns"

 ✓ Gathering service-discovery resources 

 ✓ Found 0 serviceexports in namespace ""

 ✓ Found 0 serviceimports in namespace ""

 ✓ Found 0 endpointslices by label selector "endpointslice.kubernetes.io/managed-by=lighthouse-agent.submariner.io" in namespace ""

 ✓ Found 1 configmaps by label selector "component=submariner-lighthouse" in namespace "submariner-operator"

 ✓ Found 1 configmaps by field selector "metadata.name=coredns" in namespace "kube-system"

 ✓ Found 0 services by label selector "submariner.io/exportedServiceRef" in namespace ""

 ✓ Gathering broker logs

 ✓ Gathering broker resources 

 ✓ Found 3 endpoints in namespace "submariner-k8s-broker"

 ✓ Found 3 clusters in namespace "submariner-k8s-broker"

 ✓ Found 0 endpointslices by label selector "endpointslice.kubernetes.io/managed-by=lighthouse-agent.submariner.io" in namespace "submariner-k8s-broker"

 ✓ Found 0 serviceimports in namespace "submariner-k8s-broker"

 ✓ Gathering operator logs

 ✓ Found 1 pods matching label selector "name=submariner-operator"

 ✓ Gathering operator resources 

 ✓ Found 1 submariners in namespace "submariner-operator"

 ✓ Found 1 servicediscoveries in namespace "submariner-operator"

 ✓ Found 1 deployments by field selector "metadata.name=submariner-operator" in namespace "submariner-operator"

 ✓ Found 1 daemonsets by label selector "app=submariner-gateway" in namespace "submariner-operator"

 ✓ Found 1 daemonsets by label selector "app=submariner-metrics-proxy" in namespace "submariner-operator"

 ✓ Found 1 daemonsets by label selector "app=submariner-routeagent" in namespace "submariner-operator"

 ✓ Found 0 daemonsets by label selector "app=submariner-globalnet" in namespace "submariner-operator"

 ✓ Found 1 deployments by label selector "app=submariner-lighthouse-agent" in namespace "submariner-operator"

 ✓ Found 1 deployments by label selector "app=submariner-lighthouse-coredns" in namespace "submariner-operator"

Files are stored under directory "submariner-20240910171903/member2"



Cluster "karmada-cluster"

Gathering information from cluster "karmada-cluster"

 ✓ Gathering connectivity logs 

 ✓ Found 1 pods matching label selector "app=submariner-gateway"

 ✓ Found 1 pods matching label selector "app=submariner-routeagent"

 ✓ Found 1 pods matching label selector "app=submariner-metrics-proxy"

 ✓ Found 0 pods matching label selector "app=submariner-globalnet"

 ✓ Found 0 pods matching label selector "app=submariner-addon"

 ✓ Gathering connectivity resources 

 ✓ Gathering CNI data from 1 pods matching label selector "app=submariner-routeagent"

 ✓ Gathering CNI data from 1 pods matching label selector "app=submariner-gateway"

 ✓ Gathering cable driver data from 1 pods matching label selector "app=submariner-gateway"

 ✓ Found 1 endpoints in namespace "submariner-operator"

 ✓ Found 3 clusters in namespace "submariner-operator"

 ✓ Found 1 gateways in namespace "submariner-operator"

 ✓ Found 0 clusterglobalegressips in namespace ""

 ✓ Found 0 globalegressips in namespace ""

 ✓ Found 0 globalingressips in namespace ""

 ✓ Gathering service-discovery logs 

 ✓ Found 3 pods matching label selector "component=submariner-lighthouse"

 ✓ Found 1 pods matching label selector "k8s-app=kube-dns"

 ✓ Gathering service-discovery resources 

 ✓ Found 0 serviceexports in namespace ""

 ✓ Found 0 serviceimports in namespace ""

 ✓ Found 0 endpointslices by label selector "endpointslice.kubernetes.io/managed-by=lighthouse-agent.submariner.io" in namespace ""

 ✓ Found 1 configmaps by label selector "component=submariner-lighthouse" in namespace "submariner-operator"

 ✓ Found 1 configmaps by field selector "metadata.name=coredns" in namespace "kube-system"

 ✓ Found 0 services by label selector "submariner.io/exportedServiceRef" in namespace ""

 ✓ Gathering broker logs

 ✓ Gathering broker resources 

 ✓ Found 3 endpoints in namespace "submariner-k8s-broker"

 ✓ Found 3 clusters in namespace "submariner-k8s-broker"

 ✓ Found 0 endpointslices by label selector "endpointslice.kubernetes.io/managed-by=lighthouse-agent.submariner.io" in namespace "submariner-k8s-broker"

 ✓ Found 0 serviceimports in namespace "submariner-k8s-broker"

 ✓ Gathering operator logs 

 ✓ Found 1 pods matching label selector "name=submariner-operator"

 ✓ Gathering operator resources 

 ✓ Found 1 submariners in namespace "submariner-operator"

 ✓ Found 1 servicediscoveries in namespace "submariner-operator"

 ✓ Found 1 deployments by field selector "metadata.name=submariner-operator" in namespace "submariner-operator"

 ✓ Found 1 daemonsets by label selector "app=submariner-gateway" in namespace "submariner-operator"

 ✓ Found 1 daemonsets by label selector "app=submariner-metrics-proxy" in namespace "submariner-operator"

 ✓ Found 1 daemonsets by label selector "app=submariner-routeagent" in namespace "submariner-operator"

 ✓ Found 0 daemonsets by label selector "app=submariner-globalnet" in namespace "submariner-operator"

 ✓ Found 1 deployments by label selector "app=submariner-lighthouse-agent" in namespace "submariner-operator"

 ✓ Found 1 deployments by label selector "app=submariner-lighthouse-coredns" in namespace "submariner-operator"

Files are stored under directory "submariner-20240910171903/karmada-cluster"
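
As an added example (not part of the thread and not Submariner code), this Python script parses `subctl show all` text like the output above, lists connections whose status is not `connected`, and flags service or pod CIDRs that overlap between any two clusters in the output. The sample input is trimmed from the output posted above; the function names are this example's own.

```python
import ipaddress
import re
import sys
from itertools import combinations

# Sample input: trimmed from the `subctl show all` output posted above.
SAMPLE = """\
Cluster "member2"
 ✓ Showing Connections
GATEWAY   CLUSTER   REMOTE IP      NAT   CABLE DRIVER   SUBNETS                        STATUS       RTT avg.
member1   member1   192.168.49.2   no    libreswan      10.100.0.0/16, 10.245.0.0/16   connecting
 ✓ Showing Network details
        Service CIDRs:   [10.110.0.0/16]
        Cluster CIDRs:   [10.246.0.0/16]
Cluster "karmada-cluster"
 ✓ Showing Network details
        Service CIDRs:   [10.96.0.0/12]
        Cluster CIDRs:   [10.244.0.0/16]
Cluster "member1"
 ✓ Showing Connections
GATEWAY   CLUSTER   REMOTE IP      NAT   CABLE DRIVER   SUBNETS                        STATUS       RTT avg.
member2   member2   192.168.58.2   no    libreswan      10.110.0.0/16, 10.246.0.0/16   connecting
 ✓ Showing Network details
        Service CIDRs:   [10.100.0.0/16]
        Cluster CIDRs:   [10.245.0.0/16]
"""

CLUSTER_RE = re.compile(r'^Cluster "([^"]+)"')
CIDR_RE = re.compile(r"^\s*(Service|Cluster) CIDRs:\s*\[([^\]]*)\]")
SECTION_RE = re.compile(r"^\s*[✓✗⚠]")  # status-marked lines start a new section


def parse_show_all(text):
    """Return {cluster: {"cidrs": [(kind, network)], "connections": [row dict]}}."""
    clusters, current, header = {}, None, None
    for line in text.splitlines():
        m = CLUSTER_RE.match(line)
        if m:
            current = clusters.setdefault(m.group(1), {"cidrs": [], "connections": []})
            header = None
            continue
        if current is None or not line.strip():
            continue  # blank lines may separate a table header from its rows
        if SECTION_RE.match(line):
            header = None  # any table from the previous section has ended
            continue
        m = CIDR_RE.match(line)
        if m:
            for item in re.split(r"[,\s]+", m.group(2).strip()):
                if item:
                    net = ipaddress.ip_network(item, strict=False)
                    current["cidrs"].append((m.group(1), net))
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if fields[0] == "GATEWAY" and "STATUS" in fields:
            header = fields  # header row of the connections table
        elif header and len(fields) > header.index("STATUS"):
            current["connections"].append(dict(zip(header, fields)))
    return clusters


def stalled_connections(clusters):
    """Connections reported with any status other than 'connected'."""
    return [
        (name, row["CLUSTER"], row["STATUS"])
        for name, info in clusters.items()
        for row in info["connections"]
        if row["STATUS"] != "connected"
    ]


def find_overlaps(clusters):
    """Pairs of CIDRs from different clusters that share address space."""
    nets = [
        (name, net)
        for name, info in clusters.items()
        for _kind, net in info["cidrs"]
    ]
    overlaps = []
    for (c1, n1), (c2, n2) in combinations(nets, 2):
        if c1 != c2 and n1.version == n2.version and n1.overlaps(n2):
            overlaps.append((c1, str(n1), c2, str(n2)))
    return overlaps


if __name__ == "__main__":
    # Pipe real `subctl show all` output on stdin, or run bare to use the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    parsed = parse_show_all(text)
    for local, remote, status in stalled_connections(parsed):
        print(f"{local} -> {remote}: {status}")
    for c1, n1, c2, n2 in find_overlaps(parsed):
        print(f"overlap: {c1} {n1} <-> {c2} {n2}")
```

The overlap check covers every cluster that appears in the output, including the cluster hosting the broker.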


@halekammoun
Author

@tpantelis @yboaron
These are the logs of the gateway member1 & member2:

hale@hale-VirtualBox:~$ kubectl logs submariner-gateway-gcjqn -n submariner-operator --context member2 | tail

2024-09-10T18:47:45.506Z DBG ..reswan/libreswan.go:268 libreswan            Connection "submariner-cable-member1-192-168-49-2-0-0" not found in active connections obtained from whack: map[], map[]

2024-09-10T18:47:45.506Z DBG ..reswan/libreswan.go:268 libreswan            Connection "submariner-cable-member1-192-168-49-2-0-1" not found in active connections obtained from whack: map[], map[]

2024-09-10T18:47:45.506Z DBG ..reswan/libreswan.go:268 libreswan            Connection "submariner-cable-member1-192-168-49-2-1-0" not found in active connections obtained from whack: map[], map[]

2024-09-10T18:47:45.506Z DBG ..reswan/libreswan.go:268 libreswan            Connection "submariner-cable-member1-192-168-49-2-1-1" not found in active connections obtained from whack: map[], map[]

2024-09-10T18:47:45.506Z DBG ..reswan/libreswan.go:282 libreswan            Connection "submariner-cable-member1-192-168-49-2" not found in active connections obtained from whack: map[], map[]

2024-09-10T18:47:50.590Z DBG ..reswan/libreswan.go:268 libreswan            Connection "submariner-cable-member1-192-168-49-2-0-0" not found in active connections obtained from whack: map[], map[]

2024-09-10T18:47:50.592Z DBG ..reswan/libreswan.go:268 libreswan            Connection "submariner-cable-member1-192-168-49-2-0-1" not found in active connections obtained from whack: map[], map[]

2024-09-10T18:47:50.592Z DBG ..reswan/libreswan.go:268 libreswan            Connection "submariner-cable-member1-192-168-49-2-1-0" not found in active connections obtained from whack: map[], map[]

2024-09-10T18:47:50.592Z DBG ..reswan/libreswan.go:268 libreswan            Connection "submariner-cable-member1-192-168-49-2-1-1" not found in active connections obtained from whack: map[], map[]

2024-09-10T18:47:50.592Z DBG ..reswan/libreswan.go:282 libreswan            Connection "submariner-cable-member1-192-168-49-2" not found in active connections obtained from whack: map[], map[]


hale@hale-VirtualBox:~$ kubectl logs submariner-gateway-rnjwf -n submariner-operator --context member1 | tail

2024-09-10T18:48:39.284Z DBG ..reswan/libreswan.go:268 libreswan            Connection "submariner-cable-member2-192-168-58-2-0-0" not found in active connections obtained from whack: map[], map[]

2024-09-10T18:48:39.284Z DBG ..reswan/libreswan.go:268 libreswan            Connection "submariner-cable-member2-192-168-58-2-0-1" not found in active connections obtained from whack: map[], map[]

2024-09-10T18:48:39.284Z DBG ..reswan/libreswan.go:268 libreswan            Connection "submariner-cable-member2-192-168-58-2-1-0" not found in active connections obtained from whack: map[], map[]

2024-09-10T18:48:39.284Z DBG ..reswan/libreswan.go:268 libreswan            Connection "submariner-cable-member2-192-168-58-2-1-1" not found in active connections obtained from whack: map[], map[]

2024-09-10T18:48:39.284Z DBG ..reswan/libreswan.go:282 libreswan            Connection "submariner-cable-member2-192-168-58-2" not found in active connections obtained from whack: map[], map[]

2024-09-10T18:48:44.387Z DBG ..reswan/libreswan.go:268 libreswan            Connection "submariner-cable-member2-192-168-58-2-0-0" not found in active connections obtained from whack: map[], map[]

2024-09-10T18:48:44.387Z DBG ..reswan/libreswan.go:268 libreswan            Connection "submariner-cable-member2-192-168-58-2-0-1" not found in active connections obtained from whack: map[], map[]

2024-09-10T18:48:44.387Z DBG ..reswan/libreswan.go:268 libreswan            Connection "submariner-cable-member2-192-168-58-2-1-0" not found in active connections obtained from whack: map[], map[]

2024-09-10T18:48:44.387Z DBG ..reswan/libreswan.go:268 libreswan            Connection "submariner-cable-member2-192-168-58-2-1-1" not found in active connections obtained from whack: map[], map[]

2024-09-10T18:48:44.387Z DBG ..reswan/libreswan.go:282 libreswan            Connection "submariner-cable-member2-192-168-58-2" not found in active connections obtained from whack: map[], map[]


@tpantelis
Contributor

Sorry - I didn’t mean the actual console output from subctl gather but the files that it outputs, which include the pod logs.

@halekammoun
Author

@tpantelis I'm sorry! Here is the folder
submariner-20240910185521.zip

@tpantelis
Contributor

tpantelis commented Sep 10, 2024

I can see from the logs that the IPsec tunnels are set up in the OS but they never go active:

Connection "submariner-cable-member2-192-168-58-2-0-1" not found in active connections obtained from whack

Perhaps there's a firewall preventing traffic between them? I know certain port(s) have to be open but I'll let the dataplane experts chime in. @yboaron @aswinsuryan

@yboaron
Contributor

yboaron commented Sep 12, 2024

From the GW pod logs it seems that NatDiscovery failed [1] on both clusters.
Can you verify that the Submariner firewall prerequisites are supported?

You can use the subctl command [2] to verify the inter-cluster firewall prerequisites.

[1]
USING_SRC: 192.168.58.2:4490, USING_DST: 41.227.8.45:4490

2024-09-10T17:02:18.124Z DBG ..ery/request_send.go:117 NAT Sending request - REQUEST_NUMBER: 0x25310406a19d650f, SENDER: "submariner-cable-member2-192-168-58-2", RECEIVER: "submariner-cable-member1-192-168-49-2", USING_SRC: 192.168.58.2:4490, USING_DST: 192.168.49.2:4490

2024-09-10T17:02:18.124Z DBG ..ery/request_send.go:117 NAT Sending request - REQUEST_NUMBER: 0x25310406a19d6510, SENDER: "submariner-cable-member2-192-168-58-2", RECEIVER: "submariner-cable-member1-192-168-49-2", USING_SRC: 192.168.58.2:4490, USING_DST: 41.227.8.45:4490

2024-09-10T17:02:20.125Z WRN ..ery/natdiscovery.go:166 NAT NAT discovery for endpoint "submariner-cable-member1-192-168-49-2" has timed out

[2]

subctl diagnose firewall inter-cluster --context <localcontext> --remotecontext <remotecontext>

@halekammoun
Author

Yes, I followed the firewall prerequisites.
I'm using just one VM; should I set natt=true?

hale@hale-VirtualBox:~$ subctl diagnose firewall inter-cluster --context member1 --remotecontext member2

 ✓ Checking if tunnels can be setup on the gateway node of cluster "member1"

 ✓ Skipping this check as it's a single node cluster

 ✓ Tunnels can be established on the gateway node of cluster "member1"

hale@hale-VirtualBox:~$ subctl diagnose firewall inter-cluster --context member2 --remotecontext member1

 ✓ Checking if tunnels can be setup on the gateway node of cluster "member2"

 ✓ Skipping this check as it's a single node cluster

 ✓ Tunnels can be established on the gateway node of cluster "member2"

@yboaron
Contributor

yboaron commented Sep 15, 2024

A.
I can see that the Submariner RouteAgent pod failed to discover the CNI interface (the interface with an IP address from the pod CIDR range). Submariner uses the CNI interface IP address to set an SNAT rule to allow hostnetworking to remote cluster connectivity, so without discovering the CNI interface, hostnetworking to remote cluster support will be broken.
Which CNI do you use?

B.
I also noticed that the Submariner GW uses private IPs (192.168.49.2, 192.168.58.2) for inter-cluster connectivity. To force IPsec traffic to be UDP-encapsulated (port 4500), add --force-udp-encaps to the subctl join command.

C.
subctl diagnose firewall inter-cluster isn't supported for single-node clusters, so we need to find another way to verify that Submariner inter-cluster traffic is allowed.
So, you can either change to multi-node clusters and run subctl diagnose firewall inter-cluster, or just sniff traffic on the GW nodes and verify that Submariner inter-cluster traffic (UDP ports 4500, 4490) is sent/received.
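
The traffic check suggested in point C can be scripted. The following is an added example, not part of the thread or of Submariner's code: it reads `tcpdump -nn` text output captured on a gateway node and reports, per peer and Submariner port, whether packets were seen in both directions. The function names and the sample capture are constructed for illustration.

```python
import re
import sys
from collections import defaultdict

# Ports named in the thread: 4490/udp (NAT discovery), 4500/udp (UDP-encapsulated IPsec).
SUBMARINER_PORTS = (4490, 4500)
# Matches the address part of `tcpdump -nn` output: "IP src.sport > dst.dport: ..."
PACKET_RE = re.compile(
    r"\bIP (?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
)

def summarize(lines, local_ip, ports=SUBMARINER_PORTS):
    """Count packets per (peer_ip, port), split into sent and received."""
    stats = defaultdict(lambda: {"sent": 0, "received": 0})
    for line in lines:
        m = PACKET_RE.search(line)
        if not m or int(m["dport"]) not in ports:
            continue
        # Key on the destination port: it stays 4490/4500 even if NAT rewrites the source port.
        port = int(m["dport"])
        if m["src"] == local_ip:
            stats[(m["dst"], port)]["sent"] += 1
        elif m["dst"] == local_ip:
            stats[(m["src"], port)]["received"] += 1
    return dict(stats)

def diagnose(stats):
    """Label each (peer, port) flow by the directions in which packets were seen."""
    verdicts = {}
    for flow, count in stats.items():
        if count["sent"] and count["received"]:
            verdicts[flow] = "bidirectional"
        elif count["sent"]:
            verdicts[flow] = "outbound-only"  # requests leave, nothing comes back
        else:
            verdicts[flow] = "inbound-only"   # peer reaches us, no local packets seen leaving
    return verdicts

# Constructed capture (not from the issue), as it would look on the member2 gateway node.
SAMPLE = """\
17:02:18.124512 IP 192.168.58.2.4490 > 192.168.49.2.4490: UDP, length 48
17:02:18.124733 IP 192.168.58.2.4490 > 41.227.8.45.4490: UDP, length 48
17:02:19.125101 IP 192.168.58.2.4490 > 192.168.49.2.4490: UDP, length 48
17:02:19.300045 IP 192.168.58.2.51514 > 10.96.0.10.53: 4242+ A? example.test. (30)
""".splitlines()

if __name__ == "__main__":
    # Live use: tcpdump -nn -l -i any 'udp port 4500 or udp port 4490' | python3 check.py <gateway-ip>
    lines, local = (sys.stdin, sys.argv[1]) if len(sys.argv) > 1 else (SAMPLE, "192.168.58.2")
    print(diagnose(summarize(lines, local)))
```

An "outbound-only" verdict on both gateways for the same port points at the path between the nodes (filtering or missing routes) rather than at either gateway's configuration.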
