You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org

Incidents/2022-02-01 ulsfo network: Difference between revisions

From Wikitech-static
Jump to navigation Jump to search
imported>Krinkle
 
imported>Jcrespo
(fixing date & scorecard)
 
(2 intermediate revisions by 2 users not shown)
Line 6: Line 6:
==Summary==
==Summary==
{{Incident scorecard
{{Incident scorecard
| task =  
| task = No task
| paged-num =  
| paged-num = 20+
| responders-num = 1
| responders-num = 6+
| coordinators =  
| coordinators = 0
| start = 2022-02-01 16:05
| start = 2022-01-31 16:05
| end = 2022-02-01 16:08
| end = 2022-01-31 16:08
| impact = For 3 minutes, clients served by the ulsfo POP were not able to contribute or display un-cached pages. 8000 errors per minute (HTTP 5xx).
| impact = For 3 minutes, clients served by the ulsfo POP were not able to contribute or display un-cached pages. 8000 errors per minute (HTTP 5xx).
| summary = A firewall change was pushed to ulsfo routers, which caused [[ulsfo]] to lose connectivity to the other POPs and core sites for 3min.
}}
}}
A firewall change was pushed to ulsfo routers, which caused [[ulsfo]] to lose connectivity to the other POPs and core sites for 3min.


== Timeline ==
== Timeline ==
Line 70: Line 71:
= Scorecard =
= Scorecard =
{| class="wikitable"
{| class="wikitable"
| colspan="2" |'''Incident Engagement™  ScoreCard'''
!
|'''Score'''
!Question
!Score
!Notes
|-
|-
| rowspan="5" | '''People'''
! rowspan="5" |People
|Were the people responding to this incident sufficiently different than the previous N incidents? (0/5pt)
|Were the people responding to this incident sufficiently different than the previous five incidents? (score 1 for yes, 0 for no)
|N/A
|0
|
|-
|-
|Were the people who responded prepared enough to respond effectively (0/5pt)
| Were the people who responded prepared enough to respond effectively (score 1 for yes, 0 for no)
|5
|1
|
|-
|-
|Did fewer than 5 people get paged (0/5pt)?
|Were more than 5 people paged? (score 0 for yes, 1 for no)
|1
|
|
|-
|-
|Were pages routed to the correct sub-team(s)?
|Were pages routed to the correct sub-team(s)? (score 1 for yes, 0 for no)
|1
|1
|
|-
|-
|Were pages routed to online (working hours) engineers (0/5pt)? (score 0 if people were paged after-hours)
|Were pages routed to online (business hours) engineers? (score 1 for yes,  0 if people were paged after business hours)  
|1
|
|
|-
|-
| rowspan="6" |'''Process'''
! rowspan="5" | Process
|Was the incident status section actively updated during the incident? (0/1pt)
|Was the incident status section actively updated during the incident? (score 1 for yes, 0 for no)  
|N/A
|0
|
|-
|-
| If this was a major outage noticed by the community, was the public status page updated? If the issue was internal, was the rest of the organization updated with relevant incident statuses? (0/1pt)
|Was the public status page updated? (score 1 for yes, 0 for no)
|N/A
|0
|
|-
|-
| Is there a phabricator task for the incident? (0/1pt)
|Is there a phabricator task for the incident? (score 1 for yes, 0 for no)
|N/A
|0
|
|-
|-
| Are the documented action items assigned?  (0/1pt)
|Are the documented action items assigned?  (score 1 for yes, 0 for no)
|N/A
|-
|Is this a repeat of an earlier incident (-1 per prev occurrence)  
|0
|0
|
|-
|-
|Is there an open task that would prevent this incident / make mitigation easier if implemented? (0/-1p per task)  
| Is this a repeat of an earlier incident (score 0 for yes, 1 for no)
|0
|0
|
|-
|-
| rowspan="4" |'''Tooling'''
! rowspan="5" |Tooling
|Did the people responding have trouble communicating effectively during the incident due to the existing or lack of tooling? (0/5pt)
|Was there, before the incident occurred, open tasks that would prevent this incident / make mitigation easier if implemented? (score 0 for yes, 1 for no)
|5
|1
|
|-
|-
|Did existing monitoring notify the initial responders? (1pt)
|Were the people responding able to communicate effectively during the incident with the existing tooling? (score 1 for yes, 0 or no)
|1
|1
|
|-
|-
|Were all engineering tools required available and in service? (0/5pt)
| Did existing monitoring notify the initial responders? (score 1 for yes, 0 for no)
|5
|1
|
|-
|Were all engineering tools required available and in service? (score 1 for yes, 0 for no)
|1
|
|-
|-
|Was there a runbook for all known issues present? (0/5pt)
|Was there a runbook for all known issues present? (score 1 for yes, 0 for no)  
|5
|1
|
|-
|-
| colspan="2" |'''Total Score'''
! colspan="2" align="right" |Total score
|9
|
|
|}
|}

Latest revision as of 08:32, 29 April 2022

document status: in-review

Summary

Incident metadata (see Incident Scorecard)
Incident ID 2022-02-01 ulsfo network Start 2022-01-31 16:05
Task No task End 2022-01-31 16:08
People paged 20+ Responder count 6+
Coordinators 0 Affected metrics/SLOs
Impact For 3 minutes, clients served by the ulsfo POP were not able to contribute or display un-cached pages. 8000 errors per minute (HTTP 5xx).

A firewall change was pushed to ulsfo routers, which caused ulsfo to lose connectivity to the other POPs and core sites for 3min.

Timeline

  • 16:03 - apply configuration change on cr3-ulsfo
  • 16:05 - apply configuration change on cr4-ulsfo - outage starts
  • 16:06 - Icinga notifies about connectivity issues to ulsfo - paging
  • 16:08 - change rolled back - outage ends

Documentation:

Root cause:

The change incorrectly restricts BFD to BGP peers:

+      term allow_bfd {
+          from {
+              source-prefix-list {
+                  bgp-sessions;
+              }
+              protocol udp;
+              port 3784-3785;
+          }
+          then accept;
+      }

While BFD is also used by OSPF sessions, which caused them to be tear down. One surprising point is that the issue didn't show up in the verification commands (show ospf interfaces, show ospf neighbors), all neighbors are present.

show ospf interface   

Interface           State   Area            DR ID           BDR ID          Nbrs

ae0.2               PtToPt  0.0.0.0         0.0.0.0         0.0.0.0            1

et-0/0/1.401        PtToPt  0.0.0.0         0.0.0.0         0.0.0.0            1

xe-0/1/1.0          PtToPt  0.0.0.0         0.0.0.0         0.0.0.0            1

show ospf neighbor    

Address          Interface              State     ID               Pri  Dead

198.35.26.197    ae0.2                  Full      198.35.26.193    128    35

198.35.26.199    et-0/0/1.401           Full      198.35.26.194    128    33

198.35.26.209    xe-0/1/1.0             Full      208.80.154.198   128    34

While it was effectively down:

rpd[16292]: RPD_OSPF_NBRDOWN: OSPF neighbor 198.35.26.209 (realm ospf-v2 xe-0/1/1.0 area 0.0.0.0) state changed from Full to Down due to InActiveTimer (event reason: BFD session timed out and neighbor was declared dead)

Conclusion

  • More progressive roll out (longer wait time between each routers, as well as fewer changes at a time) could have reduced the risk of the issue happening
  • Monitoring properly caught the issue

Scorecard

Question Score Notes
People Were the people responding to this incident sufficiently different than the previous five incidents? (score 1 for yes, 0 for no) 0
Were the people who responded prepared enough to respond effectively (score 1 for yes, 0 for no) 1
Were more than 5 people paged? (score 0 for yes, 1 for no) 1
Were pages routed to the correct sub-team(s)? (score 1 for yes, 0 for no) 1
Were pages routed to online (business hours) engineers? (score 1 for yes,  0 if people were paged after business hours) 1
Process Was the incident status section actively updated during the incident? (score 1 for yes, 0 for no) 0
Was the public status page updated? (score 1 for yes, 0 for no) 0
Is there a phabricator task for the incident? (score 1 for yes, 0 for no) 0
Are the documented action items assigned?  (score 1 for yes, 0 for no) 0
Is this a repeat of an earlier incident (score 0 for yes, 1 for no) 0
Tooling Was there, before the incident occurred, open tasks that would prevent this incident / make mitigation easier if implemented? (score 0 for yes, 1 for no) 1
Were the people responding able to communicate effectively during the incident with the existing tooling? (score 1 for yes, 0 or no) 1
Did existing monitoring notify the initial responders? (score 1 for yes, 0 for no) 1
Were all engineering tools required available and in service? (score 1 for yes, 0 for no) 1
Was there a runbook for all known issues present? (score 1 for yes, 0 for no) 1
Total score 9