In a policy with SI action, adding a any:any allow rule causes pkt drops

Bug #1543038 reported by Vedamurthy Joshi
Affects              Status                   Importance   Assigned to       Milestone
Juniper Openstack    Status tracked in Trunk
  R3.0               Fix Committed            High         Suresh Balineni
  Trunk              Fix Committed            High         Suresh Balineni

Bug Description

R3.0 2711 Ubuntu 14.04 Kilo multi-node

vn1: 10.1.1.0/24
vn2: 20.1.1.0/24
public: 10.204.219.x/29

They are connected via policy p1 :

pass protocol icmp network vn1 ports any <> network vn2 ports any services si3,si4
pass protocol tcp network vn1 ports any <> network public ports any services vsrx1
pass protocol any network any ports any <> network any ports any

SI3 and SI4 are in-network SIs.

ping from 10.1.1.3 to 20.1.1.3 fails about 50% of the time (i.e. it fails on alternate ping invocations).

On removing the any:any rule above, everything works fine.
Per Naveen, on nodec56, where this traffic gets dropped as Invalid Source,
the ACL action for vn1 to vn2 is a 'pass' without any VRF assignment:

http://nodec56.englab.juniper.net:8085/Snh_AclReq?x=40e986f9-bd26-424e-9fbe-d1b824a9e020

<?xml-stylesheet type="text/xsl" href="/universal_parse.xsl"?>
<__AclResp_list type="slist">
  <AclResp type="sandesh">
    <acl_list type="list" identifier="1">
      <list type="struct" size="1">
        <AclSandeshData>
          <uuid type="string" identifier="1" link="AclFlowReq">40e986f9-bd26-424e-9fbe-d1b824a9e020</uuid>
          <dynamic_acl type="bool" identifier="2">false</dynamic_acl>
          <entries type="list" identifier="3">
            <list type="struct" size="3">
              <AclEntrySandeshData>
                <ace_id type="string" identifier="1">1</ace_id>
                <rule_type type="string" identifier="2">Terminal</rule_type>
                <src type="string" identifier="3">default-domain:admin:vn1</src>
                <dst type="string" identifier="4">default-domain:admin:vn2</dst>
                <src_port_l type="list" identifier="5"><list type="struct" size="0"></list></src_port_l>
                <dst_port_l type="list" identifier="6"><list type="struct" size="0"></list></dst_port_l>
                <proto_l type="list" identifier="7"><list type="struct" size="1"><SandeshRange><min type="i32" identifier="1">1</min><max type="i32" identifier="2">1</max></SandeshRange></list></proto_l>
                <action_l type="list" identifier="8"><list type="struct" size="1"><ActionStr><action type="string" identifier="1">pass</action></ActionStr></list></action_l>
                <src_type type="string" identifier="9">network</src_type>
                <dst_type type="string" identifier="10">network</dst_type>
                <uuid type="string" identifier="11">987b7a2c-1986-4e02-9c13-5f5cf2021487</uuid>
              </AclEntrySandeshData>
              <AclEntrySandeshData>
                <ace_id type="string" identifier="1">2</ace_id>
                <rule_type type="string" identifier="2">Terminal</rule_type>
                <src type="string" identifier="3">default-domain:admin:vn2</src>
                <dst type="string" identifier="4">default-domain:admin:vn1</dst>
                <src_port_l type="list" identifier="5"><list type="struct" size="0"></list></src_port_l>
                <dst_port_l type="list" identifier="6"><list type="struct" size="0"></list></dst_port_l>
                <proto_l type="list" identifier="7"><list type="struct" size="1"><SandeshRange><min type="i32" identifier="1">1</min><max type="i32" identifier="2">1</max></SandeshRange></list></proto_l>
                <action_l type="list" identifier="8"><list type="struct" size="3"><ActionStr><action type="string" identifier="1">pass</action></ActionStr><ActionStr><action type="string" identifier="1">VRF assign</action></ActionStr><ActionStr><action type="string" identifier="1">default-domain:admin:vn2:service-c8a37c9c-0e06-4837-bf39-b559bc300f9f-default-domain_admin_si4</action></ActionStr></list></action_l>
                <src_type type="string" identifier="9">network</src_type>
                <dst_type type="string" identifier="10">network</dst_type>
                <uuid type="string" identifier="11">987b7a2c-1986-4e02-9c13-5f5cf2021487</uuid>
              </AclEntrySandeshData>
              <AclEntrySandeshData>
                <ace_id type="string" identifier="1">3</ace_id>
                <rule_type type="string" identifier="2">Terminal</rule_type>
                <src type="string" identifier="3">any</src>
                <dst type="string" identifier="4">any</dst>
                <src_port_l type="list" identifier="5"><list type="struct" size="1"><SandeshRange><min type="i32" identifier="1">0</min><max type="i32" identifier="2">65535</max></SandeshRange></list></src_port_l>
                <dst_port_l type="list" identifier="6"><list type="struct" size="1"><SandeshRange><min type="i32" identifier="1">0</min><max type="i32" identifier="2">65535</max></SandeshRange></list></dst_port_l>
                <proto_l type="list" identifier="7"><list type="struct" size="1"><SandeshRange><min type="i32" identifier="1">0</min><max type="i32" identifier="2">255</max></SandeshRange></list></proto_l>
                <action_l type="list" identifier="8"><list type="struct" size="1"><ActionStr><action type="string" identifier="1">pass</action></ActionStr></list></action_l>
                <src_type type="string" identifier="9">network</src_type>
                <dst_type type="string" identifier="10">network</dst_type>
                <uuid type="string" identifier="11">22df621e-1896-48c5-82f4-a4043dac6780</uuid>
              </AclEntrySandeshData>
            </list>
          </entries>
          <name type="string" identifier="4">default-domain:admin:vn2:vn2</name>
        </AclSandeshData>
      </list>
    </acl_list>
    <more type="bool" identifier="0">true</more>
  </AclResp>
  <Pagination type="sandesh">
    <req type="struct" identifier="1">
      <PageReqData>
        <prev_page type="string" identifier="1" link="PageReq"></prev_page>
        <next_page type="string" identifier="2" link="PageReq"></next_page>
        <first_page type="string" identifier="3" link="PageReq">begin:0,end:99,table:db.acl.0,name:40e986f9-bd26-424e-9fbe-d1b824a9e020</first_page>
        <all type="string" identifier="4" link="PageReq">begin:-1,end:-1,table:db.acl.0,name:40e986f9-bd26-424e-9fbe-d1b824a9e020</all>
        <table_size type="u32" identifier="5">6</table_size>
        <entries type="string" identifier="6">0-0/1</entries>
      </PageReqData>
    </req>
    <more type="bool" identifier="0">false</more>
  </Pagination>
</__AclResp_list>

ACL Configuration in agent :
=======================
type:access-control-list name:default-domain:admin:vn2:vn2 access-control-list-entries dynamic:false
acl-rule match-condition protocol:1 src-address subnet ip-prefix-len:0 virtual-network:default-domain:admin:vn1 src-port start-port:-1 end-port:-1 dst-address subnet ip-prefix-len:0 virtual-network:default-domain:admin:vn2 dst-port start-port:-1 end-port:-1 action-list simple-action:pass mirror-to udp-port:0 log:false alert:false rule-uuid:987b7a2c-1986-4e02-9c13-5f5cf2021487

acl-rule match-condition protocol:1 src-address subnet ip-prefix-len:0 virtual-network:default-domain:admin:vn2 src-port start-port:-1 end-port:-1 dst-address subnet ip-prefix-len:0 virtual-network:default-domain:admin:vn1 dst-port start-port:-1 end-port:-1 action-list simple-action:pass mirror-to udp-port:0 assign-routing-instance:default-domain:admin:vn2:service-c8a37c9c-0e06-4837-bf39-b559bc300f9f-default-domain_admin_si4 log:false alert:false rule-uuid:987b7a2c-1986-4e02-9c13-5f5cf2021487

acl-rule match-condition protocol:any src-address subnet ip-prefix-len:0 virtual-network:any src-port start-port:-1 end-port:-1 dst-address subnet ip-prefix-len:0 virtual-network:any dst-port start-port:-1 end-port:-1 action-list simple-action:pass mirror-to udp-port:0 log:false alert:false rule-uuid:22b388e8-db00-4b73-8d2b-a20816914584 id-perms permissions owner:admin owner-access:7 group:admin group-access:7 other-access:7 uuid uuid-mslong:4677418095179350606 uuid-lslong:11510868286424866848 Uuid : 40e986f9-bd26-424e-9fbe-d1b824a9e020 enable:true created:2016-02-03T05:43:47 last-modified:2016-02-08T09:05:06 user-visible:true perms2 owner:795aeecbd261408da77fc7290c05eacf owner-access:7 global-access:0 display-name:vn2 Adjacencies: virtual-network default-domain:admin:vn2

Sachin Bansal (sbansal)
Changed in juniperopenstack:
assignee: Sachin Bansal (sbansal) → Suresh Balineni (sbalineni)
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/17687
Submitter: Suresh Balineni (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0

Review in progress for https://review.opencontrail.org/17749
Submitter: Suresh Balineni (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/17687
Committed: http://github.org/Juniper/contrail-controller/commit/78745ca0de127019fc51aac3b5c56bdad0ff553a
Submitter: Zuul
Branch: master

commit 78745ca0de127019fc51aac3b5c56bdad0ff553a
Author: sbalineni <email address hidden>
Date: Tue Feb 23 14:18:52 2016 -0800

ST: Assign SC RI in reverse path when directional policy is configured

When a network policy is configured with a bidirectional flow, ACLs should have
an assign rule with the SC RI in both directions.

For example:
if policy P1 is configured with src: vn1, dst: vn2, direction <> and applied to vn1
then ACLs are generated as follows:
vn1->vn2, action: assign-vrf=>vn1-sc-ri and vn2->vn1, action: assign-vrf=>vn1-sc-ri

Also fixed a case of peering MX with BgpAsAService BGP Server/Client

Change-Id: Iab988483416b1c13fab489472f4db9e29861a64f
Closes-Bug: #1543038
Closes-Bug: #1538318

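A defender-side check for the symptom in this report, added here as an example and not part of the bug report or of the Contrail code: it parses the agent's Snh_AclReq introspect output (a constructed, trimmed sample in the shape of the dump quoted above, with the Sandesh type/identifier attributes dropped) and flags every network-pair ACE that is a plain pass while its reverse-direction ACE carries a 'VRF assign' action, which is exactly the vn1->vn2 rule Naveen found on nodec56. The element names and the service-chain RI value come from the dump on this page; nothing else is assumed.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed sample in the shape of the Snh_AclReq dump quoted in this
# bug (Sandesh type/identifier attributes dropped; the SC RI name is the page's).
SAMPLE_ACL_XML = """<__AclResp_list><AclResp><acl_list><list><AclSandeshData>
<name>default-domain:admin:vn2:vn2</name><entries><list>
<AclEntrySandeshData><ace_id>1</ace_id>
<src>default-domain:admin:vn1</src><dst>default-domain:admin:vn2</dst>
<action_l><list><ActionStr><action>pass</action></ActionStr></list></action_l>
</AclEntrySandeshData>
<AclEntrySandeshData><ace_id>2</ace_id>
<src>default-domain:admin:vn2</src><dst>default-domain:admin:vn1</dst>
<action_l><list><ActionStr><action>pass</action></ActionStr>
<ActionStr><action>VRF assign</action></ActionStr>
<ActionStr><action>default-domain:admin:vn2:service-c8a37c9c-0e06-4837-bf39-b559bc300f9f-default-domain_admin_si4</action></ActionStr>
</list></action_l></AclEntrySandeshData>
<AclEntrySandeshData><ace_id>3</ace_id><src>any</src><dst>any</dst>
<action_l><list><ActionStr><action>pass</action></ActionStr></list></action_l>
</AclEntrySandeshData>
</list></entries></AclSandeshData></list></acl_list></AclResp></__AclResp_list>"""


def parse_aces(xml_text):
    """Return [(ace_id, src, dst, [actions])] for every ACE in the dump."""
    aces = []
    for ace in ET.fromstring(xml_text).iter("AclEntrySandeshData"):
        actions = [a.text for a in ace.iter("action")]
        aces.append((ace.findtext("ace_id"), ace.findtext("src"),
                     ace.findtext("dst"), actions))
    return aces


def asymmetric_vrf_assign(aces):
    """ACE ids of pass rules whose reverse-direction rule (dst->src) carries
    a 'VRF assign' action while this one does not.  Traffic hitting such a
    terminal rule stays in the VN's own VRF instead of the service-chain RI,
    which is the 'Invalid Source' drop described in the report."""
    assigning = {(s, d) for _, s, d, acts in aces if "VRF assign" in acts}
    return sorted(ace_id for ace_id, s, d, acts in aces
                  if "VRF assign" not in acts and (d, s) in assigning)


if __name__ == "__main__":
    for ace_id in asymmetric_vrf_assign(parse_aces(SAMPLE_ACL_XML)):
        print("ACE %s: pass without VRF assign; reverse direction assigns one" % ace_id)
```

Run it against the real dump by fetching the Snh_AclReq URL above and passing the response body instead of the sample; an empty result is what the merged fix should produce.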
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/17749
Committed: http://github.org/Juniper/contrail-controller/commit/c061f3b7c5456a800c3da731172f6a90a19040e5
Submitter: Zuul
Branch: R3.0

commit c061f3b7c5456a800c3da731172f6a90a19040e5
Author: sbalineni <email address hidden>
Date: Tue Feb 23 14:18:52 2016 -0800

ST: Assign SC RI in reverse path when directional policy is configured

When a network policy is configured with a bidirectional flow, ACLs should have
an assign rule with the SC RI in both directions.

For example:
if policy P1 is configured with src: vn1, dst: vn2, direction <> and applied to vn1
then ACLs are generated as follows:
vn1->vn2, action: assign-vrf=>vn1-sc-ri and vn2->vn1, action: assign-vrf=>vn1-sc-ri

Also fixed a case of peering MX with BgpAsAService BGP Server/Client

Change-Id: Iab988483416b1c13fab489472f4db9e29861a64f
Closes-Bug: #1543038
Closes-Bug: #1538318

Nischal Sheth (nsheth)
tags: added: service-chain