Closed rencarlo014 closed 3 months ago
Hello,
From the log you've provided I can see the following lines
Aug 16 07:48:28 RPKIPROVER002 rpki-prover[1073969]: Info [pid 1073969] 2024-08-15 23:48:26.460Z Validated all TAs, got 601894 VRPs
...
Aug 16 08:02:18 RPKIPROVER002 rpki-prover[1073969]: Info [pid 1073969] 2024-08-16 00:02:18.205Z Validated all TAs, got 303833 VRPs
...
Aug 16 08:18:47 RPKIPROVER002 rpki-prover[1073969]: Info [pid 1073969] 2024-08-16 00:18:46.298Z Validated all TAs, got 601894 VRPs
303833 is a very low number compared to the normal 600K, and that is what seems to have caused the loss of VRPs in the router.
If I dig more I see two lines
Aug 16 08:01:21 RPKIPROVER002 rpki-prover[1073969]: Info [pid 1670666] 2024-08-16 00:01:21.049Z Validated TA 'ripe', got 0 VRPs, took 25034ms
...
Aug 16 08:01:21 RPKIPROVER002 rpki-prover[1073969]: Info [pid 1670666] 2024-08-16 00:01:21.059Z Validated TA 'lacnic', got 0 VRPs, took 25044ms
Which means at least 2 trust anchors (TAs) out of 5 didn't return any VRPs. Looking further shows earlier lines
Aug 16 08:01:01 RPKIPROVER002 rpki-prover[1073969]: Error [pid 1670666] 2024-08-16 00:01:01.023Z Failed to fetch https://rpki.afrinic.net/repository/AfriNIC.c>
Aug 16 08:01:01 RPKIPROVER002 rpki-prover[1073969]: Error [pid 1670666] 2024-08-16 00:01:01.027Z Failed to fetch https://rpki.ripe.net/ta/ripe-ncc-ta.cer: Rrd>
Aug 16 08:01:01 RPKIPROVER002 rpki-prover[1073969]: Error [pid 1670666] 2024-08-16 00:01:01.028Z Failed to fetch https://rrdp.lacnic.net/ta/rta-lacnic-rpki.ce>
That means trust anchor certificates for AfriNIC, LACNIC and RIPE couldn't be fetched at that iteration. So apparently there was some temporary loss of connectivity, resulting in loss of TA certificates, which in turn resulted in loss of ROAs.
Strictly speaking, an RPKI validator should verify TA certificates every iteration, but from a practical point of view that is quite problematic, as happened in your case. I will fix this behaviour in the next release by allowing some kind of local caching of TA certificates.
The release https://github.com/lolepezy/rpki-prover/releases/tag/v0.9.6 fixes the issue with TA certificate caching, so the issue shouldn't appear even in case of intermittent connectivity loss. I'll close the issue as resolved.
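The diagnosis above comes down to three log messages: the per-iteration "Validated all TAs, got N VRPs" total, the per-TA "Validated TA '…', got 0 VRPs" lines, and the "Failed to fetch …" errors that precede them. The script below, an added example that is not part of the issue thread and not rpki-prover's own tooling, turns that manual reading into a check you can run over journalctl output: it flags any TA that validated to zero VRPs, any fetch failure, and any iteration where the total drops by more than a configurable fraction of the previous one. The sample log is constructed here in the same format as the excerpts above; the fetch-failure reason text is made up, and the names check_vrp_log and drop_ratio are this example's own.

```python
import re
import sys

# Patterns for the three rpki-prover log messages the analysis relies on.
# The journald prefix ("Aug 16 08:01:21 RPKIPROVER002 rpki-prover[1073969]: ...")
# is ignored; only the message text is matched.
TOTAL_RE = re.compile(r"Validated all TAs, got (\d+) VRPs")
TA_RE = re.compile(r"Validated TA '([^']+)', got (\d+) VRPs")
FETCH_FAIL_RE = re.compile(r"Failed to fetch (\S+)")


def check_vrp_log(lines, drop_ratio=0.2):
    """Scan rpki-prover log lines and return a dict with:
    - "findings": list of (kind, detail) tuples, in log order:
        ("fetch_failed", url)       an object (here a TA certificate) could not be fetched
        ("empty_ta", ta_name)       a trust anchor validated to 0 VRPs
        ("vrp_drop", "old -> new")  the total VRP count fell by more than drop_ratio
    - "last_total": the most recent "Validated all TAs" count, or None
    """
    findings = []
    prev_total = None
    for line in lines:
        m = TOTAL_RE.search(line)
        if m:
            total = int(m.group(1))
            # A sudden collapse of the total (601894 -> 303833 in the thread,
            # i.e. roughly half) is what emptied the router's VRP table.
            if prev_total is not None and total < prev_total * (1.0 - drop_ratio):
                findings.append(("vrp_drop", f"{prev_total} -> {total}"))
            prev_total = total
            continue
        m = TA_RE.search(line)
        if m:
            if int(m.group(2)) == 0:
                findings.append(("empty_ta", m.group(1)))
            continue
        m = FETCH_FAIL_RE.search(line)
        if m:
            # The URL is followed by ": <reason>"; strip the trailing colon.
            findings.append(("fetch_failed", m.group(1).rstrip(":")))
    return {"findings": findings, "last_total": prev_total}


# Constructed sample in the format of the journalctl excerpts above. The
# failure reason after the RIPE TA URL is invented for this example.
SAMPLE_LOG = """\
Aug 16 07:48:28 RPKIPROVER002 rpki-prover[1073969]: Info [pid 1073969] 2024-08-15 23:48:26.460Z Validated all TAs, got 601894 VRPs
Aug 16 08:01:01 RPKIPROVER002 rpki-prover[1073969]: Error [pid 1670666] 2024-08-16 00:01:01.027Z Failed to fetch https://rpki.ripe.net/ta/ripe-ncc-ta.cer: example error text
Aug 16 08:01:21 RPKIPROVER002 rpki-prover[1073969]: Info [pid 1670666] 2024-08-16 00:01:21.049Z Validated TA 'ripe', got 0 VRPs, took 25034ms
Aug 16 08:01:21 RPKIPROVER002 rpki-prover[1073969]: Info [pid 1670666] 2024-08-16 00:01:21.059Z Validated TA 'lacnic', got 0 VRPs, took 25044ms
Aug 16 08:02:18 RPKIPROVER002 rpki-prover[1073969]: Info [pid 1073969] 2024-08-16 00:02:18.205Z Validated all TAs, got 303833 VRPs
Aug 16 08:18:47 RPKIPROVER002 rpki-prover[1073969]: Info [pid 1073969] 2024-08-16 00:18:46.298Z Validated all TAs, got 601894 VRPs
"""


if __name__ == "__main__":
    # Read real log lines from stdin when piped, otherwise use the sample.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    result = check_vrp_log(lines)
    for kind, detail in result["findings"]:
        print(f"{kind}: {detail}")
    print(f"last total: {result['last_total']}")
    # Non-zero exit lets a cron job or systemd timer page on any finding.
    sys.exit(1 if result["findings"] else 0)
```

Piped as `journalctl -u rpki-prover.service --since "2024-08-16 07:00:00" | python3 check_vrp_log.py`, it reports the fetch failure and the two empty TAs before the halved total, which is the order you want an alert to surface them in: the root cause first, the symptom last. A drop threshold of 20% is a starting point; tune it against your own VRP counts, since routine ROA churn between iterations is far smaller than that.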
Hello, @lolepezy and everyone. Good day!
I would like to seek your assistance regarding the behavior I am encountering on a Cisco IOS-XR router using RPKI Prover. While checking, I've observed that ROAs are being withdrawn. Lots of ROAs. As we are using RPKI state as best path for BGP, the traffic is being rerouted to less preferred paths. You may refer below for the details and necessary configurations from RPKI Prover and Cisco IOS-XR.
Cisco IOS-XR Router:
RPKI Prover:
Also, attached herewith is the output of journalctl -u rpki-prover.service --since "2024-08-16 07:00:00": 08162024_Output of Journalctl for RPKIPROVER002.txt
Thanks, Ren