Implement throttling in the Oracle route advertisement

Hi,

We are often getting throttling errors on route advertisement in OCI. We get a “TooManyRequests” message.

[silicon-8538][2026-01-26 10:33:32,057][ERROR] Failed to add vpc route
Traceback (most recent call last):
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/server/instance.py”, line 1458, in reserve_route_advertisement
utils.oracle_add_route(network)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/utils/oracle.py”, line 123, in oracle_add_route
vnet_client.update_route_table(table.id, table_opts)

raise exceptions.TransientServiceError(

oci.exceptions.TransientServiceError: {‘target_service’: ‘virtual_network’, ‘status’: 429, ‘code’: ‘TooManyRequests’, ‘opc-request-id’: ‘A4C5D2BFDD3544D9BA5C17C085F9D386/77085C9C4CB1DCB3EC3477694344472A/81AE03D382B5A3CA297F31DCC2533874’, ‘message’: ‘Too many requests for the tenant’, ‘operation_name’: ‘update_route_table’, ‘timestamp’: ‘2026-01-26T09:33:32.055752+00:00’, ‘client_version’: ‘Oracle-PythonSDK/2.144.0’, ‘request_endpoint’: ‘PUT https://iaas.eu-paris-1.oraclecloud.com/20160918/routeTables/ocid1.routetable.oc1.eu-paris-1.aaaaaaaa’, ‘logging_tips’: ‘To get more info on the failing request, refer to  for ways to log the request/response details.’, ’troubleshooting_tips’: “See  for more information about resolving this error. Also see  for details on this operation’s requirements. If you are unable to resolve this virtual_network issue, please contact Oracle support and provide them this full error message.”}

The problem then is that the advertisement is only half done, it will fail and we will get a message about every 5 minutes with Invalid Parameter errors because Pritunl is trying to re-add existing routes. The only solution is then to manually remove all the routes added by Pritunl on all the VCN route tables and start again.

[silicon-8538][2026-01-26 01:20:31,717][ERROR] Failed to add vpc route
Traceback (most recent call last):
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/server/instance.py”, line 1458, in reserve_route_advertisement
utils.oracle_add_route(network)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/utils/oracle.py”, line 123, in oracle_add_route
vnet_client.update_route_table(table.id, table_opts)
File “/usr/lib/pritunl/usr/lib/python3.9/site-packages/oci/core/virtual_network_client.py”, line 27709, in update_route_table
return self.base_client.call_api(
oci.exceptions.ServiceError: {‘target_service’: ‘virtual_network’, ‘status’: 400, ‘code’: ‘InvalidParameter’, ‘opc-request-id’: ‘BC5503C6FE4944E08DAD7F7A2BD45F57/376017FDE6311BCC4FB37669434447F6/6F05978C5E8A15ECA6B293CD6CA20A7C’, ‘message’: ‘Duplicate rule found with route table id ocid1.routetable.oc1.eu-paris-1.aaaaaaaa, destination 172.17.100.0/24 and destination type CidrBlock’, ‘operation_name’: ‘update_route_table’, ‘timestamp’: ‘2026-01-26T00:20:31.717033+00:00’, ‘client_version’: ‘Oracle-PythonSDK/2.144.0’, ‘request_endpoint’: ‘PUT https://iaas.eu-paris-1.oraclecloud.com/20160918/routeTables/ocid1.routetable.oc1.eu-paris-1.aaaaaaaa’, ‘logging_tips’: ‘To get more info on the failing request, refer to https://docs.oracle.com/en-us/iaas/tools/python/latest/logging.html for ways to log the request/response details.’, ‘troubleshooting_tips’: “See https://docs.oracle.com/iaas/Content/API/References/apierrors.htm#apierrors_400__400_invalidparameter for more information about resolving this error. Also see https://docs.oracle.com/iaas/api/#/en/iaas/20160918/RouteTable/UpdateRouteTable for details on this operation’s requirements. If you are unable to resolve this virtual_network issue, please contact Oracle support and provide them this full error message.”}

I believe the problem is twofold:

  • The API calls are limited, I think I read 10 calls/sec somewhere? So there should be a limitation, or better, a detection of throttled responses from the server with a back-off timer

  • Pritunl updated all 6 routes of our VCN, and added 2 routes (VxLAN + local Network) in each so it’s 12 calls, and I believe it should only update the VCN route table of the DRG attachment used by the Pritunl server. The computing instance gives the routing table and the routing table the DRG. Next you need to go to the Gateways of the VCN and only update the routing table of the attachments using that same DRG. This should add routes only in the needed tables.
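The back-off and the half-done advertisement described in the post above, as an added example that is not part of the thread and not Pritunl's code: it retries only on HTTP 429 with capped exponential backoff and jitter, and merges routes by destination so a re-run after a partial failure never submits a duplicate rule. `ApiError`, the dict-shaped rules and the `update` callback are constructed stand-ins, not the OCI SDK's types.

```python
import random
import time


class ApiError(Exception):
    """Constructed stand-in for a cloud SDK error that carries an HTTP status."""

    def __init__(self, status, code):
        super().__init__(f"{status} {code}")
        self.status, self.code = status, code


def merge_rules(existing, wanted):
    """Add or retarget wanted routes by destination; never append a duplicate."""
    by_dest = {r["destination"]: dict(r) for r in existing}
    changed = False
    for rule in wanted:
        current = by_dest.get(rule["destination"])
        if current is None or current["target"] != rule["target"]:
            by_dest[rule["destination"]] = dict(rule)
            changed = True
    return list(by_dest.values()), changed


def call_with_backoff(fn, attempts=6, base=0.3, cap=10.0, sleep=time.sleep):
    """Retry fn() on HTTP 429 only, with capped exponential backoff and jitter."""
    for attempt in range(attempts):
        try:
            return fn()
        except ApiError as exc:
            if exc.status != 429 or attempt == attempts - 1:
                raise  # other errors, or retries exhausted: surface to caller
            sleep(random.uniform(0, min(cap, base * 2 ** attempt)))


def advertise(table, wanted, update, sleep=time.sleep):
    """Converge one route table; returns True if an update call was sent."""
    rules, changed = merge_rules(table["rules"], wanted)
    if not changed:
        return False  # already in the desired state: no API call at all
    call_with_backoff(lambda: update(table["id"], rules), sleep=sleep)
    table["rules"] = rules
    return True
```

Skipping the call when nothing changed also lowers the request rate on every periodic re-advertisement, which a fixed sleep between calls does not.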

This may be from an incorrect configuration. Generally there should be only the VPN virtual network configured with route advertisement. The other routes should not have the option enabled.

Hi,

No I believe the configuration is OK

The server will try to add the 172.17.100.0 route + the VxLAN route to all our VCN route tables

example

And it seems you do upgrade all tables of the VCN in oracle.py

tables = vnet_client.list_route_tables(
    compartment_id=mdata['compartment_ocid'],
    vcn_id=vcn_ocid,
)
...
for table in tables.data:
    exists = False
    replace = False
    .......

I think the simplest solution would be to add a 200ms sleep after each call to the OCI API, it would throttle calls to 5/sec avoiding any issue.

I will add a 300ms delay to the Oracle Cloud API calls. It may take some time to get this tested; I currently only have the production Oracle Cloud account available, which can’t be used for testing. Also you should disable the feature until this is fixed unless you have an annual contract account with Oracle Cloud. It was a similar issue that caused my pay-as-you-go testing account to be disabled when developing the DNS feature. The pay-as-you-go accounts have low rate limits and will be disabled for excessive usage.

maybe that’s it, it’s not an annual contract it’s a pay as you go. Didn’t know they were considered subclass accounts though, thanks

Hi, any news on this?

We downloaded the latest stable build (on OL 9 in OCI, now SELinux is broken by the way), and the code still upgrades all 6 route tables of the VCN instead of the one which is set up in the attachment.

So we’re getting throttled and the route update doesn’t work if there is an issue with a server.

Wouldn’t it be simpler to just add the ocid of the routing table needing to be updated and be done?

We’re trying to get all this working now for nearly one year (our first invoices are from May 2025) and a basic setup with 2 servers connected in replication with on-premise server still doesn’t work and we can’t go live with our setup and 200 users.

Any way we could get this to work once and for all?

Thanks

I have added the option

sudo pritunl set app.oracle_subnet_only true

This will configure the server to only update the routing table attached to the subnet the Pritunl server is on. This won’t be the default so this command will need to be run to update it. This will be included in the next release.

The current release did include the API delays to reduce the rate of requests. When testing I did not see any issues with rate limits. I did try to create a pay as you go account for testing but they will not allow me to have a second account. If you have a new account it may still be in the free tier stage which has significantly lower limits but overall Oracle Cloud is not a very good platform unless you transition the account to universal credits. None of the usage in Pritunl should come close to any API limits.

OK thanks, so I guess for now it’s only available on the unstable repo?

Isn’t there an issue with the repos? The unstable has the same files and date as stable

There was a typo in the repo configuration. The label was incorrectly copied from the stable configuration. But it is still two different sets, this will get fixed in the next build. The build process uploads to unstable first then the same packages are copied to the stable so the files will be the same with different timestamps. Right now unstable has no builds that haven’t been moved to stable so it will all be the same.

If you are looking for the Pritunl v1.34 build, it hasn’t completed yet. This build is migrating to Python 3.12 and it is taking additional time to resolve build issues on the RHEL 7 builds which required several modifications to bundle Python 3.12. Also this was already put into a release before the changes mentioned earlier, those changes won’t be included until the next release.

OK I tried the version on the latest source and tried using the set app.oracle_subnet_only true but it does not work because

  • it will add the good routes on the routing table of the subnet
  • subnet routes typically contain routes to the outer world
  • the routes actually need to be added on the route of the attachment: we are dealing with return routes here so the routing question appears when the packets arrive on the VCN from the IPSEC attachment
  • You cannot add route tables containing route to the external world on an attachment
  • So you cannot add a subnet route to the attachment
  • We actually need to be able to modify only the route of the attachment

Like I previously mentioned, I think the simplest way is to be able to set the OCID of the route table we want to modify, or in a more elegant way, to update only the route tables of all attachments, not all route tables.

I tried using

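# OCID of the single route table to update (value masked in this post)
route_table = 'ocid1.routetable.oc1.eu-paris-1.xxxxxxxxxxxxxxxxxxxxxxxxxxxx'
# Fetch only that route table instead of listing every table in the VCN
table = _oci_get(
    '%s/routeTables/%s' % (base_url, route_table),
    mdata,
)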

And everything works great now, routes are added automatically when servers get shutdown, we can access all our onprem servers

I think the correct way (in CLI) is

  1. Get the VCN id
  2. List attachments, and for each attachment attached to the VCN, update the corresponding route table

The next release will have an option in the advanced route settings to supply a comma separated list of routing table IDs to override the default automatic selection.
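The two selection rules discussed above (only the route tables bound to the VCN's attachments, with a comma-separated override list taking precedence) can be sketched as follows. This is an added example, not part of the thread and not Pritunl's implementation; the dict fields `vcn_id` and `route_table_id`, the function name and all ids are constructed assumptions, and the override is checked against the VCN's own tables as an extra guard.

```python
def tables_to_update(route_tables, attachments, vcn_id, override_csv=""):
    """Pick the route tables to modify for one VCN.

    An explicit comma-separated override wins; otherwise only tables bound to
    a gateway attachment of this VCN are returned, never every table in it.
    """
    in_vcn = {t["id"] for t in route_tables if t["vcn_id"] == vcn_id}
    override = [x.strip() for x in override_csv.split(",") if x.strip()]
    if override:
        stray = [x for x in override if x not in in_vcn]
        if stray:
            # Refuse to touch a table that does not belong to this VCN
            raise ValueError(f"not a route table of {vcn_id}: {stray}")
        return override
    chosen = []
    for att in attachments:
        table_id = att.get("route_table_id")
        if att["vcn_id"] == vcn_id and table_id in in_vcn and table_id not in chosen:
            chosen.append(table_id)
    return chosen


# Constructed inventory: six route tables in the VCN, one attachment on it.
VCN = "vcn-constructed"
TABLES = [{"id": f"rt-{n}", "vcn_id": VCN} for n in
          ("public", "private", "db", "mgmt", "vpn-subnet", "drg-attach")]
ATTACHMENTS = [
    {"id": "att-1", "vcn_id": VCN, "route_table_id": "rt-drg-attach"},
    {"id": "att-2", "vcn_id": "vcn-other", "route_table_id": "rt-elsewhere"},
]

if __name__ == "__main__":
    print(tables_to_update(TABLES, ATTACHMENTS, VCN))
    print(tables_to_update(TABLES, ATTACHMENTS, VCN, "rt-db, rt-mgmt"))
```

With the constructed inventory, the automatic selection touches one table instead of six, so two routes cost two rule changes in a single update call rather than one call per table in the VCN.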