Red Hat Advanced Cluster Management
ACM-30640

Submariner does not establish connections in AWS


      Description of problem:

      Using the ManagedClusterAddon feature in RHACM 2.14.2 on OCP 4.20 on AWS, Submariner fails to come up. The Submariner gateway pod logs this error:

      ```
      26-02-27T20:08:43.695Z ERR ..gine/cableengine.go:150 CableEngine Error installing cable for &natdiscovery.NATEndpointInfo{Endpoint:v1.Endpoint{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"ocp-primary-submariner-cable-ocp-primary-10-1-172-239", GenerateName:"", Namespace:"submariner-operator", SelfLink:"", UID:"6f36d21a-5ffb-4cc2-9b8c-e094fda082f5", ResourceVersion:"104003", Generation:1, CreationTimestamp:time.Date(2026, time.February, 27, 19, 17, 11, 0, time.Local), DeletionTimestamp:<nil>, DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string{"submariner-io/clusterID":"ocp-primary"}, Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Finalizers:[]string(nil), ManagedFields:[]v1.ManagedFieldsEntry(nil)}, Spec:v1.EndpointSpec{ClusterID:"ocp-primary", CableName:"submariner-cable-ocp-primary-10-1-172-239", HealthCheckIP:"10.134.2.2", HealthCheckIPs:[]string{"10.134.2.2"}, Hostname:"ip-10-1-172-239", Subnets:[]string{"172.20.0.0/16", "10.132.0.0/14"}, PrivateIP:"10.1.172.239", PrivateIPs:[]string{"10.1.172.239"}, PublicIP:"54.215.210.139", PublicIPs:[]string{"54.215.210.139"}, NATEnabled:true, Backend:"libreswan", BackendConfig:map[string]string{"natt-discovery-port":"4490", "preferred-server":"false", "udp-port":"4500"}}}, UseNAT:true, UseIP:"54.215.210.139", UseFamily:"4"} error="error installing IPv4 Endpoint cable \"submariner-cable-ocp-primary-10-1-172-239\": error whacking with args [--psk --encrypt --encapsulation=yes --name submariner-cable-ocp-primary-10-1-172-239-v4-0-0 --ipv4 --id 10.2.162.69 --host 10.2.162.69 --client 172.21.0.0/16 --ikeport 4500 --to --id 10.1.172.239 --host 54.215.210.139 --client 172.20.0.0/16 --ikeport 4500 --dpdaction=hold --dpddelay 30]: exit status 33"
      E0227 20:08:49.413799 1 reflector.go:205] "Failed to watch" err="failed to list /v1, Kind=Secret: secrets is forbidden: User \"system:serviceaccount:resilient-broker:ocp-420-2\" cannot list resource \"secrets\" in API group \"\" in the namespace \"resilient-broker\"" logger="UnhandledError" reflector="pkg/mod/k8s.io/client-go@v0.34.1/tools/cache/reflector.go:290" type="/v1, Kind=Secret"
      ```


      Version-Release number of selected component (if applicable):

      OCP 4.20/RHACM 2.14.2

      How reproducible: 100%

      Steps to Reproduce:

      1. Install OCP 4.20 cluster on AWS (I have seen it with 4.20.6 and 4.20.14)
      2. Install submariner via Add-Ons

      Actual results: Submariner gateways never establish connection

      Expected results: Submariner gateways come up

      Additional info:
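Added triage helper, not part of this issue or of the Submariner or RHACM code: it parses the two error lines from the gateway log above (sample lines constructed from that log, with the Go struct dump trimmed), separates the libreswan whack failure from the RBAC denial, and builds the `oc auth can-i` command that confirms the denied permission from outside the pod.

```python
import re

# Constructed sample: the two error lines from the gateway pod log quoted in this issue,
# with the long Go struct dump elided because the triage only needs the error fields.
SAMPLE_LOG = [
    '26-02-27T20:08:43.695Z ERR ..gine/cableengine.go:150 CableEngine Error installing cable for ... '
    'error="error installing IPv4 Endpoint cable \\"submariner-cable-ocp-primary-10-1-172-239\\": '
    'error whacking with args [--psk --encrypt --encapsulation=yes '
    '--name submariner-cable-ocp-primary-10-1-172-239-v4-0-0 --ipv4 --id 10.2.162.69 --host 10.2.162.69 '
    '--client 172.21.0.0/16 --ikeport 4500 --to --id 10.1.172.239 --host 54.215.210.139 '
    '--client 172.20.0.0/16 --ikeport 4500 --dpdaction=hold --dpddelay 30]: exit status 33"',
    'E0227 20:08:49.413799 1 reflector.go:205] "Failed to watch" err="failed to list /v1, Kind=Secret: '
    'secrets is forbidden: User \\"system:serviceaccount:resilient-broker:ocp-420-2\\" cannot list '
    'resource \\"secrets\\" in API group \\"\\" in the namespace \\"resilient-broker\\"" logger="UnhandledError"',
]

# IPsec cable failure: cable name, the peer address given after whack's "--to", and the whack exit status.
CABLE_RE = re.compile(
    r'error installing IPv4 Endpoint cable \\"(?P<cable>[^\\"]+)\\".*?'
    r'--to .*?--host (?P<peer>\S+).*?\]: exit status (?P<status>\d+)'
)
# RBAC denial reported by client-go: which subject lacks which verb on which resource and namespace.
RBAC_RE = re.compile(
    r'User \\"(?P<user>[^\\"]+)\\" cannot (?P<verb>\w+) resource \\"(?P<resource>[^\\"]+)\\" '
    r'in API group \\"(?P<group>[^\\"]*)\\" in the namespace \\"(?P<namespace>[^\\"]+)\\"'
)

def triage(lines):
    """Classify each gateway log line as an IPsec cable failure or an RBAC denial; other lines are skipped."""
    findings = []
    for line in lines:
        if m := CABLE_RE.search(line):
            findings.append({"kind": "ipsec", **m.groupdict()})
        elif m := RBAC_RE.search(line):
            findings.append({"kind": "rbac", **m.groupdict()})
    return findings

def can_i_command(finding):
    """Build the 'oc auth can-i' check that reproduces an RBAC denial from outside the pod."""
    if finding["kind"] != "rbac":
        raise ValueError("not an RBAC finding")
    return (f'oc auth can-i {finding["verb"]} {finding["resource"]} '
            f'--as {finding["user"]} -n {finding["namespace"]}')
```

Running `can_i_command` on the RBAC finding yields the exact subject, verb, resource and namespace from the log, so a "no" from `oc auth can-i` confirms the missing RoleBinding independently of the gateway pod.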


              asuryana Aswin Suryanarayanan
              martjack@redhat.com Martin Jackson
              Prachi Yadav Prachi Yadav