RPKI Cache Connection -- Broken?

jof · February 1, 2024, 6:43am

I’m running a rolling 1.5 release of VyOS locally built.

I’m experiencing a strange issue where VyOS appears to be generating legitimate-looking FRR config for an RPKI cache, but no matter what I seem to try, it doesn’t seem to actually generate the connection to the cache.

Example VyOS config:

set protocols rpki cache 192.0.2.1 port '3323'
set protocols rpki cache 192.0.2.1 preference '1'

Which results in FRR config like:

rpki
 rpki polling_period 300
 rpki cache 192.33.255.19 3323 preference 1
exit

And bgpd is running with the added module. From the process list:

/usr/lib/frr/bgpd -d -F traditional --daemon -A 127.0.0.1 -M rpki

But it just never seems to try and connect:

edge-gw.sfo02# show rpki cache-connection
No connection to RPKI cache server.

edge-gw.sfo02# show rpki cache-server
host: 192.0.2.1 port: 3323, preference: 1

Even though I have a route to the cache server and can ping it just fine.

Are there any special tricks to getting RPKI to start speaking RTR?

Viacheslav · February 1, 2024, 7:15am

It seems known old FRR bug ⚓ T2044 RPKI doesn't boot properly

jof · February 1, 2024, 7:21am

Yeah, after a bit of debugging, that is a good tip – it seems like my FRR daemons startup just fine with -M rpki on my bgpd, but it does seem required to run rpki stop / rpki start to get it to connect.