vRouter discards packets if svc-chain cfgd between FIP VNs
| Affects | Status | Importance | Assigned to | Milestone | ||
|---|---|---|---|---|---|---|
| Juniper Openstack | Status tracked in Trunk | |||||
| R2.20.x |
Won't Fix
|
Medium
|
Naveen N | |||
| R3.0 |
Fix Committed
|
Medium
|
Naveen N | |||
| Trunk |
Fix Committed
|
Medium
|
Naveen N | |||
Bug Description
Unable to setup service-chain between floating IPs of two VMs. The floating IPs for each VM comes from different FIP pools.
left_vm—
Left_vm pings right VMs FIP. The echo request packet is dropped by the vRouter hosting the right_vm. The vrf translate looks to be wrong. The incoming packet belongs to vrf 1 and the vrf translate says go to vrf 20.
Post DNAT (6.1.2.3 to 5.1.2.3), there is no route for 5.1.2.3 in vrf 20 (which is the FIP vrf). The vrf translate should've been 1->1.
left_vm: 5.1.1.6, FIP: 6.1.1.6
right_vm: 5.1.2.3, FIP: 6.1.2.3
listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:42:17.756356 90:e2:ba:5e:a0:04 > 90:e2:ba:4c:67:f8, ethertype IPv4 (0x0800), length 126: 172.16.180.13 > 172.16.180.15: GREv0, proto MPLS unicast (0x8847), length 92: MPLS (label 76, exp 0, [S], ttl 61) 6.1.1.6 > 6.1.2.3: ICMP echo request, id 9229, seq 19305, length 64
13:42:18.764439 90:e2:ba:5e:a0:04 > 90:e2:ba:4c:67:f8, ethertype IPv4 (0x0800), length 126: 172.16.180.13 > 172.16.180.15: GREv0, proto MPLS unicast (0x8847), length 92: MPLS (label 76, exp 0, [S], ttl 61) 6.1.1.6 > 6.1.2.3: ICMP echo request, id 9229, seq 19306, length 64
^C
2 packets captured
3 packets received by filter
0 packets dropped by kernel
root@csol2-
root@csol2-
root@csol2-
MPLS Input Label Map
Label NextHop
-------------------
76 201
root@csol2-
Id:201 Type:Encap Fmly: AF_INET Rid:0 Ref_cnt:6 Vrf:1
Encap Data: 02 34 77 2c 39 68 00 00 5e 00 01 00 08 00
root@csol2-
Index Source:
-------
72<=>412228 6.1.1.6:9229 1 (1->20)
(Gen: 8, K(nh):201, Action:N(D), Flags:, S(nh):47, Stats:19331/
--
412228<=>72 5.1.2.3:9229 1 (1->20)
(Gen: 6, K(nh):201, Action:N(S), Flags:, S(nh):201, Stats:0/0, SPort 64393)
| tags: | added: service-chain |
| description: | updated |
| amit surana (asurana-t) wrote | #1 |
| OpenContrail Admin (ci-admin-f) wrote [Review update] master | #2 |
| OpenContrail Admin (ci-admin-f) wrote [Review update] R3.0 | #4 |
| OpenContrail Admin (ci-admin-f) wrote [Review update] master | #6 |
| OpenContrail Admin (ci-admin-f) wrote A change has been merged | #10 |
| OpenContrail Admin (ci-admin-f) wrote [Review update] master | #11 |
| OpenContrail Admin (ci-admin-f) wrote A change has been merged | #15 |
| OpenContrail Admin (ci-admin-f) wrote [Review update] R3.0 | #16 |
| OpenContrail Admin (ci-admin-f) wrote A change has been merged | #18 |
The vrf translate looks to be wrong. The incoming packet falls in vrf 1 and the vrf translate says go to vrf 20. Post DNAT (6.1.2.3 to 5.1.2.3), there is no route for 5.1.2.3 in vrf 20 (which is the FIP vrf) and so the packet is discarded. The vrf translate should've been
1->1.
Furthermore:
1) This bug is seen even if the source VM is in the left_fip_vn (meaning, not NAT for source VM).
2) This bug is only seen if there is a service-chain connecting right_fip_vn and left_fip_vn. If the two VNs are connected via a regular network policy, the vrf translate rule is setup correctly on the destination compute.