OpenShift Bugs / OCPBUGS-57723

openshift-sdn: No response from openshift router / Ingress when client port is 22623 or 22624


    • Quality / Stability / Reliability
    • Critical
    • Customer Escalated, Customer Facing
    • In Progress
    • Release Note Not Required

      Description of problem:
      Accessing any OpenShift route is not working when the client port 22623 or 22624 is used. As a customer it's not possible to control which client port is used.

      Version-Release number of selected component (if applicable):
      OCP 4.16

      How reproducible:
      100%

      Steps to Reproduce:
      1. Prepare a 4.16 cluster.
      2. Launch any web app pod (nginx, httpd, etc.).
      3. Access the URL using curl's --local-port option to specify 22623 or 22624.

      Actual results:
      No response is returned from the exposed application when the client port is 22623 or 22624. Accessing the OpenShift web console ends in a timeout:

      $ time curl -vvv -m10 --retry 0 -k --local-port 22624-22624 https://console-openshift-console.apps.anowak.sandbox230.opentlc.com/ ; ss -tpn | grep curl
      * Host console-openshift-console.apps.anowak.sandbox230.opentlc.com:443 was resolved.
      * IPv6: (none)
      * IPv4: 35.158.196.125, 52.58.253.75
      *   Trying 35.158.196.125:443...
      * Local port: 22624
      * ipv4 connect timeout after 4999ms, move on!
      *   Trying 52.58.253.75:443...
      * Local port: 22624
      * Connection timed out after 10002 milliseconds
      * closing connection #0
      curl: (28) Connection timed out after 10002 milliseconds
      
      real	0m10.012s
      user	0m0.004s
      sys	0m0.007s
      

      Connection is stale in SYN-SENT:

      SYN-SENT   0	  1	 192.168.68.67:22624  35.158.196.125:443  users:(("curl",pid=694815,fd=5))
      

      Expected results:
      A response is returned regardless of the client port.

      Additional info:
      A similar issue was already reported in OCPBUGS-37541; the iptables rules on the nodes should be more selective so that external traffic is not blocked:

      Chain OPENSHIFT-BLOCK-OUTPUT (2 references)
      target     prot opt source               destination
      REJECT     tcp  --  anywhere             anywhere             tcp dpt:22623 flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
      REJECT     tcp  --  anywhere             anywhere             tcp dpt:22624 flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
      

              sdn-team-bot sdn-team bot
              rhn-support-anowak Andreas Nowak
              Huiran Wang Huiran Wang
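An added example, not part of the original report or of OpenShift's code: a shell check that reads `iptables -L` output and lists REJECT/DROP rules on the reported ports that have neither a source nor a destination restriction, like the two rules quoted above. The function name, the `MCS_PORTS` variable and the second (scoped) sample are assumptions made for illustration; 192.0.2.10 is a documentation address, not a value from the report.

```shell
#!/bin/sh
# Added example: audit `iptables -L` style output for block rules on the
# ports named in this report that are not scoped by source or destination.

# Ports taken from the report; override with MCS_PORTS="a b" if needed.
MCS_PORTS="${MCS_PORTS:-22623 22624}"

# Reads `iptables -L [-n]` output on stdin.
# Prints one line per unscoped rule: "<chain> <target> dpt:<port>".
find_unscoped_block_rules() {
  awk -v ports="$MCS_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "Chain" { chain = $2; next }      # remember the current chain name
    $1 == "target" || NF == 0 { next }      # skip column header and blank lines
    ($1 == "REJECT" || $1 == "DROP") {
      # Columns: target prot opt source destination [match text...]
      wide_src = ($4 == "anywhere" || $4 == "0.0.0.0/0")
      wide_dst = ($5 == "anywhere" || $5 == "0.0.0.0/0")
      for (i = 6; i <= NF; i++) {
        if ($i ~ /^dpt:[0-9]+$/) {
          port = substr($i, 5)
          if ((port in want) && wide_src && wide_dst)
            print chain, $1, "dpt:" port
        }
      }
    }
  '
}

# Constructed sample 1: the chain as quoted in the report.
SAMPLE_REPORTED='Chain OPENSHIFT-BLOCK-OUTPUT (2 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             tcp dpt:22623 flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:22624 flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable'

# Constructed sample 2 (hypothetical): the same rules limited to one destination.
SAMPLE_SCOPED='Chain OPENSHIFT-BLOCK-OUTPUT (2 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             192.0.2.10           tcp dpt:22623 flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             192.0.2.10           tcp dpt:22624 flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable'

# Demo on the constructed sample; on a node, pipe real output in instead:
#   iptables -L OPENSHIFT-BLOCK-OUTPUT -n | find_unscoped_block_rules
printf '%s\n' "$SAMPLE_REPORTED" | find_unscoped_block_rules
```

An empty result means every block rule for those ports carries a source or destination restriction; it does not by itself show that a given client port gets through, which the curl `--local-port` reproduction in the report still has to confirm.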