R3.0 2711 Ubuntu 14.04 Kilo multi-node
vn1: 10.1.1.0/24
vn2: 20.1.1.0/24
public: 10.204.219.x/29
They are connected via policy p1:
pass protocol icmp network vn1 ports any <> network vn2 ports any services si3,si4
pass protocol tcp network vn1 ports any <> network public ports any services vsrx1
pass protocol any network any ports any <> network any ports any
SI3 and SI4 are in-network SIs.
Ping from 10.1.1.3 to 20.1.1.3 fails about 50% of the time (e.g. it fails on alternate ping invocations).
On removing the any:any rule above, everything works fine.
Per Naveen, on nodec56, where this traffic gets dropped as Invalid Source, the ACL action for vn1 to vn2 is a 'pass' without any VRF assignment:
http://nodec56.englab.juniper.net:8085/Snh_AclReq?x=40e986f9-bd26-424e-9fbe-d1b824a9e020
<?xml-stylesheet type="text/xsl" href="/universal_parse.xsl"?>
<__AclResp_list type="slist">
  <AclResp type="sandesh">
    <acl_list type="list" identifier="1">
      <list type="struct" size="1">
        <AclSandeshData>
          <uuid type="string" identifier="1" link="AclFlowReq">40e986f9-bd26-424e-9fbe-d1b824a9e020</uuid>
          <dynamic_acl type="bool" identifier="2">false</dynamic_acl>
          <entries type="list" identifier="3">
            <list type="struct" size="3">
              <AclEntrySandeshData>
                <ace_id type="string" identifier="1">1</ace_id>
                <rule_type type="string" identifier="2">Terminal</rule_type>
                <src type="string" identifier="3">default-domain:admin:vn1</src>
                <dst type="string" identifier="4">default-domain:admin:vn2</dst>
                <src_port_l type="list" identifier="5"><list type="struct" size="0"></list></src_port_l>
                <dst_port_l type="list" identifier="6"><list type="struct" size="0"></list></dst_port_l>
                <proto_l type="list" identifier="7">
                  <list type="struct" size="1">
                    <SandeshRange><min type="i32" identifier="1">1</min><max type="i32" identifier="2">1</max></SandeshRange>
                  </list>
                </proto_l>
                <action_l type="list" identifier="8">
                  <list type="struct" size="1">
                    <ActionStr><action type="string" identifier="1">pass</action></ActionStr>
                  </list>
                </action_l>
                <src_type type="string" identifier="9">network</src_type>
                <dst_type type="string" identifier="10">network</dst_type>
                <uuid type="string" identifier="11">987b7a2c-1986-4e02-9c13-5f5cf2021487</uuid>
              </AclEntrySandeshData>
              <AclEntrySandeshData>
                <ace_id type="string" identifier="1">2</ace_id>
                <rule_type type="string" identifier="2">Terminal</rule_type>
                <src type="string" identifier="3">default-domain:admin:vn2</src>
                <dst type="string" identifier="4">default-domain:admin:vn1</dst>
                <src_port_l type="list" identifier="5"><list type="struct" size="0"></list></src_port_l>
                <dst_port_l type="list" identifier="6"><list type="struct" size="0"></list></dst_port_l>
                <proto_l type="list" identifier="7">
                  <list type="struct" size="1">
                    <SandeshRange><min type="i32" identifier="1">1</min><max type="i32" identifier="2">1</max></SandeshRange>
                  </list>
                </proto_l>
                <action_l type="list" identifier="8">
                  <list type="struct" size="3">
                    <ActionStr><action type="string" identifier="1">pass</action></ActionStr>
                    <ActionStr><action type="string" identifier="1">VRF assign</action></ActionStr>
                    <ActionStr><action type="string" identifier="1">default-domain:admin:vn2:service-c8a37c9c-0e06-4837-bf39-b559bc300f9f-default-domain_admin_si4</action></ActionStr>
                  </list>
                </action_l>
                <src_type type="string" identifier="9">network</src_type>
                <dst_type type="string" identifier="10">network</dst_type>
                <uuid type="string" identifier="11">987b7a2c-1986-4e02-9c13-5f5cf2021487</uuid>
              </AclEntrySandeshData>
              <AclEntrySandeshData>
                <ace_id type="string" identifier="1">3</ace_id>
                <rule_type type="string" identifier="2">Terminal</rule_type>
                <src type="string" identifier="3">any</src>
                <dst type="string" identifier="4">any</dst>
                <src_port_l type="list" identifier="5">
                  <list type="struct" size="1">
                    <SandeshRange><min type="i32" identifier="1">0</min><max type="i32" identifier="2">65535</max></SandeshRange>
                  </list>
                </src_port_l>
                <dst_port_l type="list" identifier="6">
                  <list type="struct" size="1">
                    <SandeshRange><min type="i32" identifier="1">0</min><max type="i32" identifier="2">65535</max></SandeshRange>
                  </list>
                </dst_port_l>
                <proto_l type="list" identifier="7">
                  <list type="struct" size="1">
                    <SandeshRange><min type="i32" identifier="1">0</min><max type="i32" identifier="2">255</max></SandeshRange>
                  </list>
                </proto_l>
                <action_l type="list" identifier="8">
                  <list type="struct" size="1">
                    <ActionStr><action type="string" identifier="1">pass</action></ActionStr>
                  </list>
                </action_l>
                <src_type type="string" identifier="9">network</src_type>
                <dst_type type="string" identifier="10">network</dst_type>
                <uuid type="string" identifier="11">22df621e-1896-48c5-82f4-a4043dac6780</uuid>
              </AclEntrySandeshData>
            </list>
          </entries>
          <name type="string" identifier="4">default-domain:admin:vn2:vn2</name>
        </AclSandeshData>
      </list>
    </acl_list>
    <more type="bool" identifier="0">true</more>
  </AclResp>
  <Pagination type="sandesh">
    <req type="struct" identifier="1">
      <PageReqData>
        <prev_page type="string" identifier="1" link="PageReq"></prev_page>
        <next_page type="string" identifier="2" link="PageReq"></next_page>
        <first_page type="string" identifier="3" link="PageReq">begin:0,end:99,table:db.acl.0,name:40e986f9-bd26-424e-9fbe-d1b824a9e020</first_page>
        <all type="string" identifier="4" link="PageReq">begin:-1,end:-1,table:db.acl.0,name:40e986f9-bd26-424e-9fbe-d1b824a9e020</all>
        <table_size type="u32" identifier="5">6</table_size>
        <entries type="string" identifier="6">0-0/1</entries>
      </PageReqData>
    </req>
    <more type="bool" identifier="0">false</more>
  </Pagination>
</__AclResp_list>
ACL configuration in agent:
===========================
type:access-control-list name:default-domain:admin:vn2:vn2 access-control-list-entries dynamic:false
acl-rule match-condition protocol:1 src-address subnet ip-prefix-len:0 virtual-network:default-domain:admin:vn1 src-port start-port:-1 end-port:-1 dst-address subnet ip-prefix-len:0 virtual-network:default-domain:admin:vn2 dst-port start-port:-1 end-port:-1 action-list simple-action:pass mirror-to udp-port:0 log:false alert:false rule-uuid:987b7a2c-1986-4e02-9c13-5f5cf2021487
acl-rule match-condition protocol:1 src-address subnet ip-prefix-len:0 virtual-network:default-domain:admin:vn2 src-port start-port:-1 end-port:-1 dst-address subnet ip-prefix-len:0 virtual-network:default-domain:admin:vn1 dst-port start-port:-1 end-port:-1 action-list simple-action:pass mirror-to udp-port:0 assign-routing-instance:default-domain:admin:vn2:service-c8a37c9c-0e06-4837-bf39-b559bc300f9f-default-domain_admin_si4 log:false alert:false rule-uuid:987b7a2c-1986-4e02-9c13-5f5cf2021487
acl-rule match-condition protocol:any src-address subnet ip-prefix-len:0 virtual-network:any src-port start-port:-1 end-port:-1 dst-address subnet ip-prefix-len:0 virtual-network:any dst-port start-port:-1 end-port:-1 action-list simple-action:pass mirror-to udp-port:0 log:false alert:false rule-uuid:22b388e8-db00-4b73-8d2b-a20816914584 id-perms permissions owner:admin owner-access:7 group:admin group-access:7 other-access:7 uuid uuid-mslong:4677418095179350606 uuid-lslong:11510868286424866848 Uuid : 40e986f9-bd26-424e-9fbe-d1b824a9e020 enable:true created:2016-02-03T05:43:47 last-modified:2016-02-08T09:05:06 user-visible:true perms2 owner:795aeecbd261408da77fc7290c05eacf owner-access:7 global-access:0 display-name:vn2 Adjacencies: virtual-network default-domain:admin:vn2
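As a diagnostic check that is added here and is not part of the bug report or the agent code: parse the agent's Snh_AclReq introspect XML with Python's ElementTree and flag VN pairs where only one direction carries a 'VRF assign' action, which is exactly the asymmetry visible in the ACL above. The sample XML is constructed from that ACL, trimmed to the fields the check reads.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the three ACEs of ACL default-domain:admin:vn2:vn2 from the
# introspect output above, reduced to the elements this check reads.
SAMPLE_ACL = """<__AclResp_list type="slist"><AclResp type="sandesh">
<acl_list type="list"><list type="struct" size="1"><AclSandeshData>
<uuid type="string">40e986f9-bd26-424e-9fbe-d1b824a9e020</uuid>
<entries type="list"><list type="struct" size="3">
<AclEntrySandeshData><ace_id>1</ace_id><src>default-domain:admin:vn1</src>
<dst>default-domain:admin:vn2</dst><proto_l><list><SandeshRange><min>1</min>
<max>1</max></SandeshRange></list></proto_l><action_l><list>
<ActionStr><action>pass</action></ActionStr></list></action_l></AclEntrySandeshData>
<AclEntrySandeshData><ace_id>2</ace_id><src>default-domain:admin:vn2</src>
<dst>default-domain:admin:vn1</dst><proto_l><list><SandeshRange><min>1</min>
<max>1</max></SandeshRange></list></proto_l><action_l><list>
<ActionStr><action>pass</action></ActionStr>
<ActionStr><action>VRF assign</action></ActionStr>
<ActionStr><action>default-domain:admin:vn2:service-c8a37c9c-0e06-4837-bf39-b559bc300f9f-default-domain_admin_si4</action></ActionStr>
</list></action_l></AclEntrySandeshData>
<AclEntrySandeshData><ace_id>3</ace_id><src>any</src><dst>any</dst>
<proto_l><list><SandeshRange><min>0</min><max>255</max></SandeshRange></list></proto_l>
<action_l><list><ActionStr><action>pass</action></ActionStr></list></action_l>
</AclEntrySandeshData></list></entries></AclSandeshData></list></acl_list>
</AclResp></__AclResp_list>"""


def parse_aces(xml_text):
    """Return one dict per AclEntrySandeshData: id, src, dst, proto range, actions."""
    root = ET.fromstring(xml_text)
    aces = []
    for e in root.iter("AclEntrySandeshData"):
        rng = e.find("proto_l/list/SandeshRange")
        aces.append({
            "id": e.findtext("ace_id"),
            "src": e.findtext("src"),
            "dst": e.findtext("dst"),
            # Sandesh encodes the protocol match as a min/max range; (1, 1) is ICMP.
            "proto": (int(rng.findtext("min")), int(rng.findtext("max"))) if rng is not None else None,
            "actions": [a.text for a in e.iter("action")],
        })
    return aces


def asymmetric_vrf_assign(aces):
    """VN pairs (src, dst) whose ACE has no 'VRF assign' while the reverse ACE has one.

    A policy rule with services should divert both directions into the service
    VRF; a pass-only forward ACE means that direction never enters the chain."""
    by_pair = {(a["src"], a["dst"]): "VRF assign" in a["actions"] for a in aces}
    return sorted((s, d) for (s, d), has in by_pair.items()
                  if not has and by_pair.get((d, s)) is True)
```

Run it against a live node by replacing SAMPLE_ACL with the body fetched from the Snh_AclReq URL quoted above; an empty result means every service-chained VN pair is programmed symmetrically.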
Review in progress for https://review.opencontrail.org/17687
Submitter: Suresh Balineni (<email address hidden>)