Uploaded image for project: 'Red Hat Advanced Cluster Management'
  1. Red Hat Advanced Cluster Management
  2. ACM-30202

Submariner connection degraded The connection between clusters is not established (status=connecting)

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Blocker Blocker
    • None
    • ACM 2.16.0
    • Multicluster Networking
    • None
    • False
    • Hide

      None

      Show
      None
    • False
    • None

      Description of problem:

      Submariner connection degraded The connection between clusters is not established (status=connecting)

      Version-Release number of selected component (if applicable):

      OCP:- 4.21.0

      submariner:- 0.21 and 0.22

      How reproducible:

      Deploy submariner between hcp having ocp version 4.21.0

      Steps to Reproduce:

      1. Deploy hcp on kubevirt vm with 4.21.0
      2.  Create submarine connection between hcp 
      3. check UI for status

      Actual results:

      This is when used 0.21 submariner

      Defaulted container "submariner-gateway" out of: submariner-gateway, submariner-gateway-init (init)
+ trap 'exit 1' SIGTERM SIGINT
+ export CHARON_PID_FILE=/var/run/charon.pid
+ CHARON_PID_FILE=/var/run/charon.pid
+ rm -f /var/run/charon.pid
+ SUBMARINER_VERBOSITY=2
+ '[' false == true ']'
+ DEBUG=-v=2
++ cat /proc/sys/net/ipv4/conf/all/send_redirects
+ [[ 0 = 0 ]]
+ exec submariner-gateway -v=2 -alsologtostderr
submariner-gateway version: release-0.21
2026-02-17T07:52:11.592Z INF ../versions/version.go:34 main                 Go Version: go1.24.6 (Red Hat 1.24.6-1.el9_6) X:strictfipsruntime
2026-02-17T07:52:11.592Z INF ../versions/version.go:35 main                 Go Arch: amd64
2026-02-17T07:52:11.592Z INF ../versions/version.go:36 main                 Git Commit Hash: 4e155393
2026-02-17T07:52:11.592Z INF ../versions/version.go:37 main                 Git Commit Date:
2026-02-17T07:52:11.593Z INF ..o/submariner/main.go:94 main                 Parsed env variables: types.SubmarinerSpecification{ClusterCidr:[]string{"10.132.0.0/14"}, GlobalCidr:[]string{"242.0.0.0/16"}, ServiceCidr:[]string{"172.31.0.0/16"}, Broker:"k8s", CableDriver:"libreswan", ClusterID:"dr-bm5c1", Namespace:"submariner-operator", PublicIP:"lb:submariner-gateway", Token:"", Debug:false, NATEnabled:false, HealthCheckEnabled:true, Uninstall:false, HaltOnCertError:true, HealthCheckInterval:1, HealthCheckMaxPacketLossCount:5, MetricsPort:32780}
2026-02-17T07:52:11.593Z INF ..o/submariner/main.go:97 main                 Proxy env variables: HTTP_PROXY: , HTTPS_PROXY: , NO_PROXY:
W0217 07:52:11.593216       1 client_config.go:667] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I0217 07:52:11.594451       1 envvar.go:172] "Feature gate default state" feature="InformerResourceVersion" enabled=false
I0217 07:52:11.594488       1 envvar.go:172] "Feature gate default state" feature="InOrderInformers" enabled=true
I0217 07:52:11.594495       1 envvar.go:172] "Feature gate default state" feature="WatchListClient" enabled=false
I0217 07:52:11.594500       1 envvar.go:172] "Feature gate default state" feature="ClientsAllowCBOR" enabled=false
I0217 07:52:11.594506       1 envvar.go:172] "Feature gate default state" feature="ClientsPreferCBOR" enabled=false
2026-02-17T07:52:11.617Z INF ../gateway/gateway.go:109 Gateway              Initializing the gateway engine
2026-02-17T07:52:11.617Z INF ../gateway/gateway.go:135 Gateway              Creating the cable engine
2026-02-17T07:52:11.617Z INF ../gateway/gateway.go:146 Gateway              AIR_GAPPED_DEPLOYMENT is set to false
2026-02-17T07:52:11.628Z INF ..t/local_endpoint.go:203 Endpoint             Obtained local endpoint public IPv4 "150.238.22.177" using resolver "lb:submariner-gateway"
2026-02-17T07:52:11.628Z INF ../gateway/gateway.go:162 Gateway              Creating the datastore syncer
2026-02-17T07:52:11.628Z INF ../gateway/gateway.go:189 Gateway              Starting the gateway engine
2026-02-17T07:52:11.629Z DBG ..ery/natdiscovery.go:121 NAT                  NAT discovery server starting on port 4490
2026-02-17T07:52:11.629Z INF ..iscovery/listener.go:49 NAT                  NAT discovery started listener for IPv4
2026-02-17T07:52:11.652Z INF ../gateway/gateway.go:248 Gateway              Starting leader election
I0217 07:52:11.652316       1 leaderelection.go:257] attempting to acquire leader lease submariner-operator/submariner-gateway-lock...
I0217 07:52:11.661870       1 leaderelection.go:271] successfully acquired lease submariner-operator/submariner-gateway-lock
2026-02-17T07:52:11.661Z DBG ..ols/record/event.go:377 Gateway              Event(v1.ObjectReference{Kind:"Lease", Namespace:"submariner-operator", Name:"submariner-gateway-lock", UID:"df3646b0-a6de-471f-ad8f-a59afd3091b1", APIVersion:"coordination.k8s.io/v1", ResourceVersion:"2741327", FieldPath:""}): type: 'Normal' reason: 'LeaderElection' bm5c1-zl2j8-br59b-submariner-gateway became leader
2026-02-17T07:52:11.662Z INF ../gateway/gateway.go:284 Gateway              Leadership acquired - starting controllers
2026-02-17T07:52:11.662Z INF ..reswan/libreswan.go:154 libreswan            Using NATT UDP port 4500
2026-02-17T07:52:11.663Z INF ..gine/cableengine.go:112 CableEngine          CableEngine started with driver "libreswan"
2026-02-17T07:52:11.663Z INF ..public_ip_watcher.go:58 Endpoint             Starting the public IP watcher.
2026-02-17T07:52:11.663Z INF ..r/datastoresyncer.go:70 DSSyncer             Starting the datastore syncer
2026-02-17T07:52:11.663Z INF ../gateway/gateway.go:356 Gateway              Updating Gateway pod HA status to "active"
2026-02-17T07:52:11.663Z INF ..ers/tunnel/tunnel.go:49 Tunnel               Starting the tunnel controller
I0217 07:52:11.686802       1 reflector.go:430] "Caches populated" type="submariner.io/v1, Kind=Endpoint" reflector="pkg/mod/k8s.io/client-go@v0.33.5/tools/cache/reflector.go:285"
I0217 07:52:11.686906       1 reflector.go:430] "Caches populated" type="submariner.io/v1, Kind=Endpoint" reflector="pkg/mod/k8s.io/client-go@v0.33.5/tools/cache/reflector.go:285"
2026-02-17T07:52:11.695Z INF ../gateway/gateway.go:377 Gateway              Successfully updated Gateway pod HA status to "active"
2026-02-17T07:52:11.785Z INF ..ker/healthchecker.go:93 HealthChecker        CableEngine HealthChecker started with SupportedIPFamilies: ["4"], PingInterval: 1, MaxPacketLossCount: 5
I0217 07:52:11.895453       1 reflector.go:430] "Caches populated" type="submariner.io/v1, Kind=Cluster" reflector="pkg/mod/k8s.io/client-go@v0.33.5/tools/cache/reflector.go:285"
I0217 07:52:11.995403       1 reflector.go:430] "Caches populated" type="submariner.io/v1, Kind=Endpoint" reflector="pkg/mod/k8s.io/client-go@v0.33.5/tools/cache/reflector.go:285"
I0217 07:52:12.029122       1 reflector.go:430] "Caches populated" type="submariner.io/v1, Kind=Cluster" reflector="pkg/mod/k8s.io/client-go@v0.33.5/tools/cache/reflector.go:285"
2026-02-17T07:52:12.053Z INF .._update_federator.go:68 Federator            broker -> local: Created Cluster "submariner-operator/dr-bm3c1"
2026-02-17T07:52:12.094Z INF ../datastoresyncer.go:208 DSSyncer             Ensuring we are the only endpoint active for this cluster
2026-02-17T07:52:12.094Z INF ../datastoresyncer.go:266 DSSyncer             Creating local submariner Cluster: {
  "id": "dr-bm5c1",
  "spec": {
    "cluster_id": "dr-bm5c1",
    "color_codes": [
      "blue"
    ],
    "service_cidr": [
      "172.31.0.0/16"
    ],
    "cluster_cidr": [
      "10.132.0.0/14"
    ],
    "global_cidr": [
      "242.0.0.0/16"
    ]
  }
}
2026-02-17T07:52:12.105Z INF .._update_federator.go:68 Federator            broker -> local: Created Cluster "submariner-operator/dr-bm5c1"
2026-02-17T07:52:12.106Z INF ../datastoresyncer.go:279 DSSyncer             Creating local submariner Endpoint: {
  "metadata": {
    "name": "dr-bm5c1-submariner-cable-dr-bm5c1-10-129-1-237",
    "creationTimestamp": null
  },
  "spec": {
    "cluster_id": "dr-bm5c1",
    "cable_name": "submariner-cable-dr-bm5c1-10-129-1-237",
    "hostname": "bm5c1-zl2j8-br59b",
    "subnets": [
      "242.0.0.0/16"
    ],
    "private_ip": "10.129.1.237",
    "privateIPs": [
      "10.129.1.237"
    ],
    "public_ip": "150.238.22.177",
    "publicIPs": [
      "150.238.22.177"
    ],
    "nat_enabled": false,
    "backend": "libreswan",
    "backend_config": {
      "natt-discovery-port": "4490",
      "preferred-server": "true",
      "preferred-server-timestamp": "1771314731",
      "udp-port": "4500",
      "using-loadbalancer": "true"
    }
  }
}
I0217 07:52:12.120208       1 reflector.go:430] "Caches populated" type="submariner.io/v1, Kind=Gateway" reflector="pkg/mod/k8s.io/client-go@v0.33.5/tools/cache/reflector.go:285"
I0217 07:52:12.128862       1 reflector.go:430] "Caches populated" type="submariner.io/v1, Kind=Endpoint" reflector="pkg/mod/k8s.io/client-go@v0.33.5/tools/cache/reflector.go:285"
2026-02-17T07:52:12.141Z INF .._update_federator.go:68 Federator            broker -> local: Created Endpoint "submariner-operator/dr-bm3c1-submariner-cable-dr-bm3c1-10-130-0-119"
2026-02-17T07:52:12.142Z INF ..kg/pinger/pinger.go:125 Pinger               Starting pinger for IP "242.1.255.254"
2026-02-17T07:52:12.142Z INF ..ery/natdiscovery.go:162 NAT                  Starting NAT discovery for endpoint "submariner-cable-dr-bm3c1-10-130-0-119"
2026-02-17T07:52:12.142Z INF ..inger/controller.go:107 Pinger               HealthChecker started pinger for CableName: "submariner-cable-dr-bm3c1-10-130-0-119-v4" with HealthCheckIP "242.1.255.254"
2026-02-17T07:52:12.183Z INF .._update_federator.go:68 Federator            local -> broker: Created Cluster "clusterset-submariner-4492b8428fc34f7cbc-broker/dr-bm5c1"
2026-02-17T07:52:12.194Z INF .._update_federator.go:68 Federator            local -> broker: Created Endpoint "clusterset-submariner-4492b8428fc34f7cbc-broker/dr-bm5c1-submariner-cable-dr-bm5c1-10-129-1-237"
2026-02-17T07:52:12.218Z INF ../datastoresyncer.go:100 DSSyncer             Datastore syncer started
2026-02-17T07:52:12.630Z DBG ..ery/request_send.go:117 NAT                  Sending request - REQUEST_NUMBER: 0x2328b4d3c9ea673e, SENDER: "submariner-cable-dr-bm5c1-10-129-1-237-v4", RECEIVER: "submariner-cable-dr-bm3c1-10-130-0-119-v4", USING_SRC: 10.129.1.237:4490, USING_DST: 10.130.0.119:4490
2026-02-17T07:52:12.631Z DBG ..ery/request_send.go:117 NAT                  Sending request - REQUEST_NUMBER: 0x2328b4d3c9ea673f, SENDER: "submariner-cable-dr-bm5c1-10-129-1-237-v4", RECEIVER: "submariner-cable-dr-bm3c1-10-130-0-119-v4", USING_SRC: 10.129.1.237:4490, USING_DST: 52.118.43.177:4490
2026-02-17T07:52:14.632Z DBG ..ery/request_send.go:117 NAT                  Sending request - REQUEST_NUMBER: 0x2328b4d3c9ea6740, SENDER: "submariner-cable-dr-bm5c1-10-129-1-237-v4", RECEIVER: "submariner-cable-dr-bm3c1-10-130-0-119-v4", USING_SRC: 10.129.1.237:4490, USING_DST: 10.130.0.119:4490
2026-02-17T07:52:14.632Z DBG ..ery/request_send.go:117 NAT                  Sending request - REQUEST_NUMBER: 0x2328b4d3c9ea6741, SENDER: "submariner-cable-dr-bm5c1-10-129-1-237-v4", RECEIVER: "submariner-cable-dr-bm3c1-10-130-0-119-v4", USING_SRC: 10.129.1.237:4490, USING_DST: 52.118.43.177:4490
2026-02-17T07:52:14.646Z INF ..r/gateway_handler.go:58 DSSyncer             Global IP for node "bm5c1-zl2j8-br59b" changed from "" to "242.0.255.254"
2026-02-17T07:52:14.648Z INF ..r/gateway_handler.go:67 DSSyncer             Updating the endpoint HealthCheckIP to globalIP "242.0.255.254"
2026-02-17T07:52:14.744Z INF .._update_federator.go:71 Federator            local -> broker: Updated Endpoint "clusterset-submariner-4492b8428fc34f7cbc-broker/dr-bm5c1-submariner-cable-dr-bm5c1-10-129-1-237"
2026-02-17T07:52:16.634Z DBG ..ery/request_send.go:117 NAT                  Sending request - REQUEST_NUMBER: 0x2328b4d3c9ea6742, SENDER: "submariner-cable-dr-bm5c1-10-129-1-237-v4", RECEIVER: "submariner-cable-dr-bm3c1-10-130-0-119-v4", USING_SRC: 10.129.1.237:4490, USING_DST: 10.130.0.119:4490
2026-02-17T07:52:16.634Z DBG ..ery/request_send.go:117 NAT                  Sending request - REQUEST_NUMBER: 0x2328b4d3c9ea6743, SENDER: "submariner-cable-dr-bm5c1-10-129-1-237-v4", RECEIVER: "submariner-cable-dr-bm3c1-10-130-0-119-v4", USING_SRC: 10.129.1.237:4490, USING_DST: 52.118.43.177:4490
2026-02-17T07:52:18.144Z ERR ..kg/pinger/pinger.go:180 Pinger               Failed to successfully ping the remote endpoint IP "242.1.255.254" error="more than 5 packets lost"
2026-02-17T07:52:18.636Z WRN ..ery/natdiscovery.go:186 NAT                  NAT discovery for endpoint "submariner-cable-dr-bm3c1-10-130-0-119-v4" has timed out
2026-02-17T07:52:18.636Z DBG ../remote_endpoint.go:119 NAT                  using NAT for the load balancer backed endpoint "submariner-cable-dr-bm3c1-10-130-0-119-v4", using public IP "52.118.43.177"
2026-02-17T07:52:18.636Z INF ..gine/cableengine.go:232 CableEngine          Installing IPv4 Endpoint cable "submariner-cable-dr-bm3c1-10-130-0-119"
2026-02-17T07:52:18.636Z INF ..reswan/libreswan.go:612 libreswan            Starting Pluto
Initializing NSS database/usr/sbin/ipsec: line 171: iptables: command not found
nflog ipsec capture disabled
002 listening for IKE messages
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
002 loading secrets from "/etc/ipsec.d/submariner.secrets"
2026-02-17T07:52:18.853Z INF ..reswan/libreswan.go:390 libreswan            Creating IPv4 connection(s) for {"metadata":{"name":"dr-bm3c1-submariner-cable-dr-bm3c1-10-130-0-119","namespace":"submariner-operator","uid":"8380e3bc-0a55-4bd1-a7e3-7e1c50298831","resourceVersion":"2741373","generation":1,"creationTimestamp":"2026-02-17T07:52:12Z","labels":{"submariner-io/clusterID":"dr-bm3c1"}},"spec":{"cluster_id":"dr-bm3c1","cable_name":"submariner-cable-dr-bm3c1-10-130-0-119","healthCheckIP":"242.1.255.254","healthCheckIPs":["242.1.255.254"],"hostname":"bm3c1-ptwlw-7nh2f","subnets":["242.1.0.0/16"],"private_ip":"10.130.0.119","privateIPs":["10.130.0.119"],"public_ip":"52.118.43.177","publicIPs":["52.118.43.177"],"nat_enabled":false,"backend":"libreswan","backend_config":{"natt-discovery-port":"4490","preferred-server":"true","preferred-server-timestamp":"1771314479","udp-port":"4500","using-loadbalancer":"true"}}} in server mode
2026-02-17T07:52:18.853Z INF ..reswan/libreswan.go:506 libreswan            serverConnectToEndpoint: executing whack with args: [--psk --encrypt --encaps=yes --name submariner-cable-dr-bm3c1-10-130-0-119-v4-0-0 --ipv4 --id @10.129.1.237-0-0 --host 10.129.1.237 --client 242.0.0.0/16 --ikeport 4500 --to --id @10.130.0.119-0-0 --host %any --client 242.1.0.0/16 --dpdaction=hold --dpddelay 30]
002 "submariner-cable-dr-bm3c1-10-130-0-119-v4-0-0": added IKEv2 connection
2026-02-17T07:52:18.862Z INF ..gine/cableengine.go:239 CableEngine          Successfully installed IPv4 Endpoint cable "submariner-cable-dr-bm3c1-10-130-0-119" with remote IP 52.118.43.177
2026-02-17T07:52:21.702Z DBG ..reswan/libreswan.go:288 libreswan            Connection "submariner-cable-dr-bm3c1-10-130-0-119-v4-0-0" not found in active connections obtained from whack: map[], map[]
2026-02-17T07:52:21.703Z DBG ..reswan/libreswan.go:304 libreswan            Connection "submariner-cable-dr-bm3c1-10-130-0-119" not found in active connections obtained from whack: map[], map[]
2026-02-17T07:52:26.739Z DBG ..reswan/libreswan.go:288 libreswan            Connection "submariner-cable-dr-bm3c1-10-130-0-119-v4-0-0" not found in active connections obtained from whack: map[], map[]
2026-02-17T07:52:26.739Z DBG ..reswan/libreswan.go:304 libreswan            Connection "submariner-cable-dr-bm3c1-10-130-0-119" not found in active connections obtained from whack: map[], map[]
2026-02-17T07:52:31.871Z DBG ..reswan/libreswan.go:288 libreswan            Connection "submariner-cable-dr-bm3c1-10-130-0-119-v4-0-0" not found in active connections obtained from whack: map[], map[]
2026-02-17T07:52:31.872Z DBG ..reswan/libreswan.go:304 libreswan            Connection "submariner-cable-dr-bm3c1-10-130-0-119" not found in active connections obtained from whack: map[], map[]
2026-02-17T07:52:36.910Z DBG ..reswan/libreswan.go:288 libreswan            Connection "submariner-cable-dr-bm3c1-10-130-0-119-v4-0-0" not found in active connections obtained from whack: map[], map[]
2026-02-17T07:52:36.910Z DBG ..reswan/libreswan.go:304 libreswan            Connection "submariner-cable-dr-bm3c1-10-130-0-119" not found in active connections obtained from whack: map[], map[]
2026-02-17T07:52:41.951Z DBG ..reswan/libreswan.go:288 libreswan            Connection "submariner-cable-dr-bm3c1-10-130-0-119-v4-0-0" not found in active connections obtained from whack: map[], map[]
2026-02-17T07:52:41.951Z DBG ..reswan/libreswan.go:304 libreswan            Connection "submariner-cable-dr-bm3c1-10-130-0-119" not found in active connections obtained from whack: map[], map[]
2026-02-17T07:52:47.029Z DBG ..reswan/libreswan.go:288 libreswan            Connection "submariner-cable-dr-bm3c1-10-130-0-119-v4-0-0" not found in active connections obtained from whack: map[], map[]
2026-02-17T07:52:47.029Z DBG ..reswan/libreswan.go:304 libreswan            Connection "submariner-cable-dr-bm3c1-10-130-0-119" not found in active connections obtained from whack: map[], map[]
2026-02-17T07:52:52.063Z DBG ..reswan/libreswan.go:288 libreswan            Connection "submariner-cable-dr-bm3c1-10-130-0-119-v4-0-0" not found in active connections obtained from whack: map[], map[]
2026-02-17T07:52:52.063Z DBG ..reswan/libreswan.go:304 libreswan            Connection "submariner-cable-dr-bm3c1-10-130-0-119" not found in active connections obtained from whack: map[], map[]

       

      This is when 0.22 submariner is used

       

      Defaulted container "submariner-gateway" out of: submariner-gateway, submariner-gateway-init (init)
+ trap 'exit 1' SIGTERM SIGINT
+ export CHARON_PID_FILE=/var/run/charon.pid
+ CHARON_PID_FILE=/var/run/charon.pid
+ rm -f /var/run/charon.pid
+ SUBMARINER_VERBOSITY=2
+ '[' false == true ']'
+ DEBUG=-v=2
++ cat /proc/sys/net/ipv4/conf/all/send_redirects
+ [[ 0 = 0 ]]
+ exec submariner-gateway -v=2 -alsologtostderr
submariner-gateway version: release-0.22
2026-02-17T08:01:33.289Z INF ../versions/version.go:34 main                 Go Version: go1.25.3 (Red Hat 1.25.3-1.el9_7) X:strictfipsruntime
2026-02-17T08:01:33.289Z INF ../versions/version.go:35 main                 Go Arch: amd64
2026-02-17T08:01:33.289Z INF ../versions/version.go:36 main                 Git Commit Hash: 9653e034
2026-02-17T08:01:33.289Z INF ../versions/version.go:37 main                 Git Commit Date:
2026-02-17T08:01:33.289Z INF ..o/submariner/main.go:99 main                 Parsed env variables: types.SubmarinerSpecification{ClusterCidr:[]string{"10.132.0.0/14"}, GlobalCidr:[]string{"242.1.0.0/16"}, ServiceCidr:[]string{"172.31.0.0/16"}, Broker:"k8s", CableDriver:"libreswan", ClusterID:"dr-bm3c1", Namespace:"submariner-operator", PublicIP:"lb:submariner-gateway", Token:"", Debug:false, NATEnabled:false, HealthCheckEnabled:true, Uninstall:false, HaltOnCertError:true, HealthCheckInterval:1, HealthCheckMaxPacketLossCount:5, MetricsPort:32780}
2026-02-17T08:01:33.289Z INF ../submariner/main.go:102 main                 Proxy env variables: HTTP_PROXY: , HTTPS_PROXY: , NO_PROXY:
W0217 08:01:33.289973       1 client_config.go:667] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I0217 08:01:33.290478       1 envvar.go:172] "Feature gate default state" feature="WatchListClient" enabled=false
I0217 08:01:33.290501       1 envvar.go:172] "Feature gate default state" feature="ClientsAllowCBOR" enabled=false
I0217 08:01:33.290506       1 envvar.go:172] "Feature gate default state" feature="ClientsPreferCBOR" enabled=false
I0217 08:01:33.290512       1 envvar.go:172] "Feature gate default state" feature="InOrderInformers" enabled=true
I0217 08:01:33.290516       1 envvar.go:172] "Feature gate default state" feature="InformerResourceVersion" enabled=false
2026-02-17T08:01:33.314Z INF ..igmap/config_map.go:113 ConfigMap            Started watcher for ConfigMaps [submariner-gateway]
2026-02-17T08:01:33.314Z INF ../gateway/gateway.go:112 Gateway              Initializing the gateway engine
2026-02-17T08:01:33.314Z INF ../gateway/gateway.go:138 Gateway              Creating the cable engine
2026-02-17T08:01:33.314Z INF ../gateway/gateway.go:149 Gateway              AIR_GAPPED_DEPLOYMENT is set to false
I0217 08:01:33.315636       1 reflector.go:436] "Caches populated" type="*v1.ConfigMap" reflector="pkg/mod/k8s.io/client-go@v0.34.1/tools/cache/reflector.go:290"
2026-02-17T08:01:33.319Z INF ..dpoint/public_ip.go:230 Endpoint             Waiting for LoadBalancer to be ready: service "submariner-gateway" doesn't contain any LoadBalancer ingress yet
2026-02-17T08:01:38.329Z INF ..t/local_endpoint.go:203 Endpoint             Obtained local endpoint public IPv4 "52.118.43.177" using resolver "lb:submariner-gateway"
2026-02-17T08:01:38.329Z INF ../gateway/gateway.go:163 Gateway              Creating the datastore syncer
2026-02-17T08:01:38.330Z INF ../gateway/gateway.go:193 Gateway              Starting the gateway engine
2026-02-17T08:01:38.330Z DBG ..ery/natdiscovery.go:122 NAT                  NAT discovery server starting on port 4490
2026-02-17T08:01:38.330Z INF ..iscovery/listener.go:49 NAT                  NAT discovery started listener for IPv4
2026-02-17T08:01:38.355Z INF ../gateway/gateway.go:252 Gateway              Starting leader election
I0217 08:01:38.355573       1 leaderelection.go:257] attempting to acquire leader lease submariner-operator/submariner-gateway-lock...
I0217 08:01:38.364183       1 leaderelection.go:271] successfully acquired lease submariner-operator/submariner-gateway-lock
2026-02-17T08:01:38.364Z INF ../gateway/gateway.go:288 Gateway              Leadership acquired - starting controllers
2026-02-17T08:01:38.364Z DBG ..ols/record/event.go:377 Gateway              Event(v1.ObjectReference{Kind:"Lease", Namespace:"submariner-operator", Name:"submariner-gateway-lock", UID:"560ea7b5-d0a5-4e27-90fb-96bac23d29d3", APIVersion:"coordination.k8s.io/v1", ResourceVersion:"2600047", FieldPath:""}): type: 'Normal' reason: 'LeaderElection' bm3c1-ptwlw-hdp6q-submariner-gateway became leader
2026-02-17T08:01:38.570Z ERR ..er/broker/syncer.go:352 BrokerSyncer         Error accessing the broker API server error="secrets \"any\" is forbidden: User \"system:serviceaccount:clusterset-submariner-4492b8428fc34f7cbc-broker:dr-bm3c1\" cannot get resource \"secrets\" in API group \"\" in the namespace \"clusterset-submariner-4492b8428fc34f7cbc-broker\""
I0217 08:01:38.573838       1 reflector.go:436] "Caches populated" type="/v1, Kind=Secret" reflector="pkg/mod/k8s.io/client-go@v0.34.1/tools/cache/reflector.go:290"
I0217 08:01:38.674979       1 reflector.go:436] "Caches populated" type="/v1, Kind=Secret" reflector="pkg/mod/k8s.io/client-go@v0.34.1/tools/cache/reflector.go:290"
E0217 08:01:38.702157       1 reflector.go:205] "Failed to watch" err="failed to list /v1, Kind=Secret: secrets is forbidden: User \"system:serviceaccount:clusterset-submariner-4492b8428fc34f7cbc-broker:dr-bm3c1\" cannot list resource \"secrets\" in API group \"\" in the namespace \"clusterset-submariner-4492b8428fc34f7cbc-broker\"" logger="UnhandledError" reflector="pkg/mod/k8s.io/client-go@v0.34.1/tools/cache/reflector.go:290" type="/v1, Kind=Secret"
2026-02-17T08:01:38.772Z INF ..igning_requestor.go:355 Certificate          Started certificate renewal monitoring with interval 12h0m0s
2026-02-17T08:01:38.772Z INF ..reswan/libreswan.go:184 libreswan            Using NATT UDP port 4500 with authentication mode: psk
2026-02-17T08:01:38.772Z INF ..reswan/libreswan.go:208 libreswan            Initializing libreswan driver with authentication mode: psk
2026-02-17T08:01:38.772Z INF ..reswan/libreswan.go:211 libreswan            Setting up PSK authentication
2026-02-17T08:01:38.772Z INF ..gine/cableengine.go:114 CableEngine          CableEngine started with driver "libreswan"
2026-02-17T08:01:38.772Z INF ..public_ip_watcher.go:58 Endpoint             Starting the public IP watcher.
2026-02-17T08:01:38.772Z INF ../gateway/gateway.go:366 Gateway              Updating Gateway pod HA status to "active"
2026-02-17T08:01:38.772Z INF ..r/datastoresyncer.go:72 DSSyncer             Starting the datastore syncer
2026-02-17T08:01:38.772Z INF ..ers/tunnel/tunnel.go:51 Tunnel               Starting the tunnel controller
I0217 08:01:38.786021       1 reflector.go:436] "Caches populated" type="submariner.io/v1, Kind=Endpoint" reflector="pkg/mod/k8s.io/client-go@v0.34.1/tools/cache/reflector.go:290"
I0217 08:01:38.786021       1 reflector.go:436] "Caches populated" type="submariner.io/v1, Kind=Endpoint" reflector="pkg/mod/k8s.io/client-go@v0.34.1/tools/cache/reflector.go:290"
2026-02-17T08:01:38.796Z INF ../gateway/gateway.go:387 Gateway              Successfully updated Gateway pod HA status to "active"
I0217 08:01:38.874567       1 reflector.go:436] "Caches populated" type="submariner.io/v1, Kind=Cluster" reflector="pkg/mod/k8s.io/client-go@v0.34.1/tools/cache/reflector.go:290"
2026-02-17T08:01:38.885Z INF ..ker/healthchecker.go:97 HealthChecker        CableEngine HealthChecker started with SupportedIPFamilies: ["4"], PingInterval: 1, MaxPacketLossCount: 5
I0217 08:01:38.974979       1 reflector.go:436] "Caches populated" type="submariner.io/v1, Kind=Endpoint" reflector="pkg/mod/k8s.io/client-go@v0.34.1/tools/cache/reflector.go:290"
I0217 08:01:39.003588       1 reflector.go:436] "Caches populated" type="submariner.io/v1, Kind=Cluster" reflector="pkg/mod/k8s.io/client-go@v0.34.1/tools/cache/reflector.go:290"
2026-02-17T08:01:39.073Z INF ../datastoresyncer.go:216 DSSyncer             Ensuring we are the only endpoint active for this cluster
2026-02-17T08:01:39.074Z INF ../datastoresyncer.go:276 DSSyncer             Creating local submariner Cluster: {
  "id": "dr-bm3c1",
  "spec": {
    "cluster_id": "dr-bm3c1",
    "color_codes": [
      "blue"
    ],
    "service_cidr": [
      "172.31.0.0/16"
    ],
    "cluster_cidr": [
      "10.132.0.0/14"
    ],
    "global_cidr": [
      "242.1.0.0/16"
    ]
  }
}
2026-02-17T08:01:39.083Z INF .._update_federator.go:87 Federator            BrokerSyncer:broker -> local: Created Cluster "submariner-operator/dr-bm3c1"
2026-02-17T08:01:39.083Z INF ../datastoresyncer.go:289 DSSyncer             Creating local submariner Endpoint: {
  "metadata": {
    "name": "dr-bm3c1-submariner-cable-dr-bm3c1-10-131-1-1"
  },
  "spec": {
    "cluster_id": "dr-bm3c1",
    "cable_name": "submariner-cable-dr-bm3c1-10-131-1-1",
    "hostname": "bm3c1-ptwlw-hdp6q",
    "subnets": [
      "242.1.0.0/16"
    ],
    "private_ip": "10.131.1.1",
    "privateIPs": [
      "10.131.1.1"
    ],
    "public_ip": "52.118.43.177",
    "publicIPs": [
      "52.118.43.177"
    ],
    "nat_enabled": false,
    "backend": "libreswan",
    "backend_config": {
      "natt-discovery-port": "4490",
      "preferred-server": "true",
      "preferred-server-timestamp": "1771315298",
      "udp-port": "4500",
      "using-loadbalancer": "true"
    }
  }
}
I0217 08:01:39.093031       1 reflector.go:436] "Caches populated" type="submariner.io/v1, Kind=Gateway" reflector="pkg/mod/k8s.io/client-go@v0.34.1/tools/cache/reflector.go:290"
I0217 08:01:39.103715       1 reflector.go:436] "Caches populated" type="submariner.io/v1, Kind=Endpoint" reflector="pkg/mod/k8s.io/client-go@v0.34.1/tools/cache/reflector.go:290"
2026-02-17T08:01:39.153Z INF .._update_federator.go:87 Federator            BrokerSyncer:local -> broker: Created Cluster "clusterset-submariner-4492b8428fc34f7cbc-broker/dr-bm3c1"
2026-02-17T08:01:39.161Z INF .._update_federator.go:87 Federator            BrokerSyncer:local -> broker: Created Endpoint "clusterset-submariner-4492b8428fc34f7cbc-broker/dr-bm3c1-submariner-cable-dr-bm3c1-10-131-1-1"
2026-02-17T08:01:39.191Z INF ../datastoresyncer.go:102 DSSyncer             Datastore syncer started
E0217 08:01:40.110555       1 reflector.go:205] "Failed to watch" err="failed to list /v1, Kind=Secret: secrets is forbidden: User \"system:serviceaccount:clusterset-submariner-4492b8428fc34f7cbc-broker:dr-bm3c1\" cannot list resource \"secrets\" in API group \"\" in the namespace \"clusterset-submariner-4492b8428fc34f7cbc-broker\"" logger="UnhandledError" reflector="pkg/mod/k8s.io/client-go@v0.34.1/tools/cache/reflector.go:290" type="/v1, Kind=Secret"
2026-02-17T08:01:42.102Z INF ..r/gateway_handler.go:58 DSSyncer             Global IP for node "bm3c1-ptwlw-hdp6q" changed from "" to "242.1.255.254"
2026-02-17T08:01:42.104Z INF ..r/gateway_handler.go:67 DSSyncer             Updating the endpoint HealthCheckIP to globalIP "242.1.255.254"
2026-02-17T08:01:42.188Z INF .._update_federator.go:90 Federator            BrokerSyncer:local -> broker: Updated Endpoint "clusterset-submariner-4492b8428fc34f7cbc-broker/dr-bm3c1-submariner-cable-dr-bm3c1-10-131-1-1"
E0217 08:01:42.323653       1 reflector.go:205] "Failed to watch" err="failed to list /v1, Kind=Secret: secrets is forbidden: User \"system:serviceaccount:clusterset-submariner-4492b8428fc34f7cbc-broker:dr-bm3c1\" cannot list resource \"secrets\" in API group \"\" in the namespace \"clusterset-submariner-4492b8428fc34f7cbc-broker\"" logger="UnhandledError" reflector="pkg/mod/k8s.io/client-go@v0.34.1/tools/cache/reflector.go:290" type="/v1, Kind=Secret"
E0217 08:01:46.083305       1 reflector.go:205] "Failed to watch" err="failed to list /v1, Kind=Secret: secrets is forbidden: User \"system:serviceaccount:clusterset-submariner-4492b8428fc34f7cbc-broker:dr-bm3c1\" cannot list resource \"secrets\" in API group \"\" in the namespace \"clusterset-submariner-4492b8428fc34f7cbc-broker\"" logger="UnhandledError" reflector="pkg/mod/k8s.io/client-go@v0.34.1/tools/cache/reflector.go:290" type="/v1, Kind=Secret"
2026-02-17T08:01:51.337Z INF .._update_federator.go:87 Federator            BrokerSyncer:broker -> local: Created Cluster "submariner-operator/dr-bm5c1"
2026-02-17T08:01:51.356Z INF .._update_federator.go:87 Federator            BrokerSyncer:broker -> local: Created Endpoint "submariner-operator/dr-bm5c1-submariner-cable-dr-bm5c1-10-129-1-237"
2026-02-17T08:01:51.358Z INF ..ery/natdiscovery.go:146 NAT                  Starting NAT discovery for endpoint "submariner-cable-dr-bm5c1-10-129-1-237"
2026-02-17T08:01:51.359Z INF ..pinger/controller.go:69 Pinger               IPv4 HealthCheckIP for Endpoint "submariner-cable-dr-bm5c1-10-129-1-237" is empty - will not monitor endpoint health
2026-02-17T08:01:52.339Z DBG ..ery/request_send.go:117 NAT                  Sending request - REQUEST_NUMBER: 0x7348973b6ce25c25, SENDER: "submariner-cable-dr-bm3c1-10-131-1-1-v4", RECEIVER: "submariner-cable-dr-bm5c1-10-129-1-237-v4", USING_SRC: 10.131.1.1:4490, USING_DST: 10.129.1.237:4490
2026-02-17T08:01:52.339Z DBG ..ery/request_send.go:117 NAT                  Sending request - REQUEST_NUMBER: 0x7348973b6ce25c26, SENDER: "submariner-cable-dr-bm3c1-10-131-1-1-v4", RECEIVER: "submariner-cable-dr-bm5c1-10-129-1-237-v4", USING_SRC: 10.131.1.1:4490, USING_DST: 150.238.22.177:4490
2026-02-17T08:01:54.341Z DBG ..ery/request_send.go:117 NAT                  Sending request - REQUEST_NUMBER: 0x7348973b6ce25c27, SENDER: "submariner-cable-dr-bm3c1-10-131-1-1-v4", RECEIVER: "submariner-cable-dr-bm5c1-10-129-1-237-v4", USING_SRC: 10.131.1.1:4490, USING_DST: 10.129.1.237:4490
2026-02-17T08:01:54.341Z DBG ..ery/request_send.go:117 NAT                  Sending request - REQUEST_NUMBER: 0x7348973b6ce25c28, SENDER: "submariner-cable-dr-bm3c1-10-131-1-1-v4", RECEIVER: "submariner-cable-dr-bm5c1-10-129-1-237-v4", USING_SRC: 10.131.1.1:4490, USING_DST: 150.238.22.177:4490
2026-02-17T08:01:56.157Z INF ..kg/pinger/pinger.go:125 Pinger               Starting pinger for IP "242.0.255.254"
2026-02-17T08:01:56.157Z INF ..inger/controller.go:107 Pinger               HealthChecker started pinger for CableName: "submariner-cable-dr-bm5c1-10-129-1-237-v4" with HealthCheckIP "242.0.255.254"
2026-02-17T08:01:56.157Z INF .._update_federator.go:90 Federator            BrokerSyncer:broker -> local: Updated Endpoint "submariner-operator/dr-bm5c1-submariner-cable-dr-bm5c1-10-129-1-237"
2026-02-17T08:01:56.159Z INF ..ery/natdiscovery.go:146 NAT                  Starting NAT discovery for endpoint "submariner-cable-dr-bm5c1-10-129-1-237"
2026-02-17T08:01:56.159Z DBG ..ery/natdiscovery.go:166 NAT                  NAT discovery updated endpoint IPv4 "submariner-cable-dr-bm5c1-10-129-1-237"
2026-02-17T08:01:56.344Z DBG ..ery/request_send.go:117 NAT                  Sending request - REQUEST_NUMBER: 0x7348973b6ce25c29, SENDER: "submariner-cable-dr-bm3c1-10-131-1-1-v4", RECEIVER: "submariner-cable-dr-bm5c1-10-129-1-237-v4", USING_SRC: 10.131.1.1:4490, USING_DST: 10.129.1.237:4490
2026-02-17T08:01:56.344Z DBG ..ery/request_send.go:117 NAT                  Sending request - REQUEST_NUMBER: 0x7348973b6ce25c2a, SENDER: "submariner-cable-dr-bm3c1-10-131-1-1-v4", RECEIVER: "submariner-cable-dr-bm5c1-10-129-1-237-v4", USING_SRC: 10.131.1.1:4490, USING_DST: 150.238.22.177:4490
2026-02-17T08:01:58.345Z DBG ..ery/request_send.go:117 NAT                  Sending request - REQUEST_NUMBER: 0x7348973b6ce25c2b, SENDER: "submariner-cable-dr-bm3c1-10-131-1-1-v4", RECEIVER: "submariner-cable-dr-bm5c1-10-129-1-237-v4", USING_SRC: 10.131.1.1:4490, USING_DST: 10.129.1.237:4490
2026-02-17T08:01:58.345Z DBG ..ery/request_send.go:117 NAT                  Sending request - REQUEST_NUMBER: 0x7348973b6ce25c2c, SENDER: "submariner-cable-dr-bm3c1-10-131-1-1-v4", RECEIVER: "submariner-cable-dr-bm5c1-10-129-1-237-v4", USING_SRC: 10.131.1.1:4490, USING_DST: 150.238.22.177:4490
E0217 08:01:58.693523       1 reflector.go:205] "Failed to watch" err="failed to list /v1, Kind=Secret: secrets is forbidden: User \"system:serviceaccount:clusterset-submariner-4492b8428fc34f7cbc-broker:dr-bm3c1\" cannot list resource \"secrets\" in API group \"\" in the namespace \"clusterset-submariner-4492b8428fc34f7cbc-broker\"" logger="UnhandledError" reflector="pkg/mod/k8s.io/client-go@v0.34.1/tools/cache/reflector.go:290" type="/v1, Kind=Secret"
2026-02-17T08:02:00.346Z DBG ..ery/request_send.go:117 NAT                  Sending request - REQUEST_NUMBER: 0x7348973b6ce25c2d, SENDER: "submariner-cable-dr-bm3c1-10-131-1-1-v4", RECEIVER: "submariner-cable-dr-bm5c1-10-129-1-237-v4", USING_SRC: 10.131.1.1:4490, USING_DST: 10.129.1.237:4490
2026-02-17T08:02:00.346Z DBG ..ery/request_send.go:117 NAT                  Sending request - REQUEST_NUMBER: 0x7348973b6ce25c2e, SENDER: "submariner-cable-dr-bm3c1-10-131-1-1-v4", RECEIVER: "submariner-cable-dr-bm5c1-10-129-1-237-v4", USING_SRC: 10.131.1.1:4490, USING_DST: 150.238.22.177:4490
2026-02-17T08:02:02.158Z ERR ..kg/pinger/pinger.go:180 Pinger               Failed to successfully ping the remote endpoint IP "242.0.255.254" error="more than 5 packets lost"
2026-02-17T08:02:02.348Z WRN ..ery/natdiscovery.go:189 NAT                  NAT discovery for endpoint "submariner-cable-dr-bm5c1-10-129-1-237-v4" has timed out
2026-02-17T08:02:02.348Z DBG ../remote_endpoint.go:121 NAT                  using NAT for the load balancer backed endpoint "submariner-cable-dr-bm5c1-10-129-1-237-v4", using public IP "150.238.22.177"
2026-02-17T08:02:02.348Z INF ..gine/cableengine.go:234 CableEngine          Installing IPv4 Endpoint cable "submariner-cable-dr-bm5c1-10-129-1-237"
2026-02-17T08:02:02.348Z INF ..reswan/libreswan.go:419 libreswan            Creating IPv4 connection(s) for v1.Endpoint{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"dr-bm5c1-submariner-cable-dr-bm5c1-10-129-1-237", GenerateName:"", Namespace:"submariner-operator", SelfLink:"", UID:"58908aec-8abd-407a-b5a3-be1fce010cc4", ResourceVersion:"2600253", Generation:2, CreationTimestamp:time.Date(2026, time.February, 17, 8, 1, 51, 0, time.Local), DeletionTimestamp:<nil>, DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string{"submariner-io/clusterID":"dr-bm5c1"}, Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Finalizers:[]string(nil), ManagedFields:[]v1.ManagedFieldsEntry(nil)}, Spec:v1.EndpointSpec{ClusterID:"dr-bm5c1", CableName:"submariner-cable-dr-bm5c1-10-129-1-237", HealthCheckIP:"242.0.255.254", HealthCheckIPs:[]string{"242.0.255.254"}, Hostname:"bm5c1-zl2j8-br59b", Subnets:[]string{"242.0.0.0/16"}, PrivateIP:"10.129.1.237", PrivateIPs:[]string{"10.129.1.237"}, PublicIP:"150.238.22.177", PublicIPs:[]string{"150.238.22.177"}, NATEnabled:false, Backend:"libreswan", BackendConfig:map[string]string{"natt-discovery-port":"4490", "preferred-server":"true", "preferred-server-timestamp":"1771315310", "udp-port":"4500", "using-loadbalancer":"true"}}} with "psk" authentication
2026-02-17T08:02:02.348Z INF ..reswan/libreswan.go:683 libreswan            Starting Pluto
Initializing NSS database/usr/sbin/ipsec: line 171: iptables: command not found
nflog ipsec capture disabled
002 listening for IKE messages
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
002 loading secrets from "/etc/ipsec.d/submariner.secrets"
2026-02-17T08:02:02.557Z INF ..reswan/libreswan.go:605 libreswan            clientConnectToEndpoint: executing whack with args: [--psk --encrypt --encapsulation=yes --name submariner-cable-dr-bm5c1-10-129-1-237-v4-0-0 --ipv4 --id @10.131.1.1-0-0 --host 10.131.1.1 --client 242.1.0.0/16 --to --id @10.129.1.237-0-0 --host 150.238.22.177 --client 242.0.0.0/16 --ikeport 4500 --dpdaction=hold --dpddelay 30]
/usr/libexec/ipsec/whack: unrecognized option '--encapsulation=yes'
2026-02-17T08:02:02.562Z WRN ..reswan/libreswan.go:409 libreswan            error exit status 33 whacking with args: [--psk --encrypt --encapsulation=yes --name submariner-cable-dr-bm5c1-10-129-1-237-v4-0-0 --ipv4 --id @10.131.1.1-0-0 --host 10.131.1.1 --client 242.1.0.0/16 --to --id @10.129.1.237-0-0 --host 150.238.22.177 --client 242.0.0.0/16 --ikeport 4500 --dpdaction=hold --dpddelay 30]
/usr/libexec/ipsec/whack: unrecognized option '--encapsulation=yes'
2026-02-17T08:02:03.568Z WRN ..reswan/libreswan.go:409 libreswan            error exit status 33 whacking with args: [--psk --encrypt --encapsulation=yes --name submariner-cable-dr-bm5c1-10-129-1-237-v4-0-0 --ipv4 --id @10.131.1.1-0-0 --host 10.131.1.1 --client 242.1.0.0/16 --to --id @10.129.1.237-0-0 --host 150.238.22.177 --client 242.0.0.0/16 --ikeport 4500 --dpdaction=hold --dpddelay 30]
/usr/libexec/ipsec/whack: unrecognized option '--encapsulation=yes'
2026-02-17T08:02:04.575Z WRN ..reswan/libreswan.go:409 libreswan            error exit status 33 whacking with args: [--psk --encrypt --encapsulation=yes --name submariner-cable-dr-bm5c1-10-129-1-237-v4-0-0 --ipv4 --id @10.131.1.1-0-0 --host 10.131.1.1 --client 242.1.0.0/16 --to --id @10.129.1.237-0-0 --host 150.238.22.177 --client 242.0.0.0/16 --ikeport 4500 --dpdaction=hold --dpddelay 30]
2026-02-17T08:02:05.575Z ERR ..gine/cableengine.go:150 CableEngine          Error installing cable for &natdiscovery.NATEndpointInfo{Endpoint:v1.Endpoint{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"dr-bm5c1-submariner-cable-dr-bm5c1-10-129-1-237", GenerateName:"", Namespace:"submariner-operator", SelfLink:"", UID:"58908aec-8abd-407a-b5a3-be1fce010cc4", ResourceVersion:"2600253", Generation:2, CreationTimestamp:time.Date(2026, time.February, 17, 8, 1, 51, 0, time.Local), DeletionTimestamp:<nil>, DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string{"submariner-io/clusterID":"dr-bm5c1"}, Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Finalizers:[]string(nil), ManagedFields:[]v1.ManagedFieldsEntry(nil)}, Spec:v1.EndpointSpec{ClusterID:"dr-bm5c1", CableName:"submariner-cable-dr-bm5c1-10-129-1-237", HealthCheckIP:"242.0.255.254", HealthCheckIPs:[]string{"242.0.255.254"}, Hostname:"bm5c1-zl2j8-br59b", Subnets:[]string{"242.0.0.0/16"}, PrivateIP:"10.129.1.237", PrivateIPs:[]string{"10.129.1.237"}, PublicIP:"150.238.22.177", PublicIPs:[]string{"150.238.22.177"}, NATEnabled:false, Backend:"libreswan", BackendConfig:map[string]string{"natt-discovery-port":"4490", "preferred-server":"true", "preferred-server-timestamp":"1771315310", "udp-port":"4500", "using-loadbalancer":"true"}}}, UseNAT:true, UseIP:"150.238.22.177", UseFamily:"4"} error="error installing IPv4 Endpoint cable \"submariner-cable-dr-bm5c1-10-129-1-237\": error whacking with args [--psk --encrypt --encapsulation=yes --name submariner-cable-dr-bm5c1-10-129-1-237-v4-0-0 --ipv4 --id @10.131.1.1-0-0 --host 10.131.1.1 --client 242.1.0.0/16 --to --id @10.129.1.237-0-0 --host 150.238.22.177 --client 242.0.0.0/16 --ikeport 4500 --dpdaction=hold --dpddelay 30]: exit status 33"
2026-02-17T08:02:08.787Z INF ..ery/natdiscovery.go:146 NAT                  Starting NAT discovery for endpoint "submariner-cable-dr-bm5c1-10-129-1-237"
2026-02-17T08:02:08.788Z INF ..gine/cableengine.go:234 CableEngine          Installing IPv4 Endpoint cable "submariner-cable-dr-bm5c1-10-129-1-237"
2026-02-17T08:02:08.788Z INF ..reswan/libreswan.go:419 libreswan            Creating IPv4 connection(s) for v1.Endpoint{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"dr-bm5c1-submariner-cable-dr-bm5c1-10-129-1-237", GenerateName:"", Namespace:"submariner-operator", SelfLink:"", UID:"58908aec-8abd-407a-b5a3-be1fce010cc4", ResourceVersion:"2600253", Generation:2, CreationTimestamp:time.Date(2026, time.February, 17, 8, 1, 51, 0, time.Local), DeletionTimestamp:<nil>, DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string{"submariner-io/clusterID":"dr-bm5c1"}, Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Finalizers:[]string(nil), ManagedFields:[]v1.ManagedFieldsEntry(nil)}, Spec:v1.EndpointSpec{ClusterID:"dr-bm5c1", CableName:"submariner-cable-dr-bm5c1-10-129-1-237", HealthCheckIP:"242.0.255.254", HealthCheckIPs:[]string{"242.0.255.254"}, Hostname:"bm5c1-zl2j8-br59b", Subnets:[]string{"242.0.0.0/16"}, PrivateIP:"10.129.1.237", PrivateIPs:[]string{"10.129.1.237"}, PublicIP:"150.238.22.177", PublicIPs:[]string{"150.238.22.177"}, NATEnabled:false, Backend:"libreswan", BackendConfig:map[string]string{"natt-discovery-port":"4490", "preferred-server":"true", "preferred-server-timestamp":"1771315310", "udp-port":"4500", "using-loadbalancer":"true"}}} with "psk" authentication
002 listening for IKE messages
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
002 loading secrets from "/etc/ipsec.d/submariner.secrets"

       

      Expected results:

      connection should be green

      Additional info:

       

        1. Screenshot 2026-02-17 at 1.12.16 PM.png
          Screenshot 2026-02-17 at 1.12.16 PM.png
          194 kB

              yboaron Yossi Boaron
              prsurve@redhat.com Pratik Surve
              Prachi Yadav Prachi Yadav
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated: