For the SI case, 2 sessions are logged with is_si=1 and is_client=1.
1.1.1.4(on nodec12), 2.2.2.4(on nodec62), SI(on nodec62)
This is tested with transparent firewall SI-v2.
root@nodec62:~# flow -l --match 1.1.1.4,2.2.2.4
Flow table(size 80609280, entries 629760)
Entries: Created 543526 Added 543526 Deleted 1086862 Changed 1086862 Processed 543526 Used Overflow entries 0
(Created Flows/CPU: 137297 134750 134608 136871)(oflows 0)
Action:F=Forward, D=Drop N=NAT(S=SNAT, D=DNAT, Ps=SPAT, Pd=DPAT, L=Link Local Port)
Other:K(nh)=Key_Nexthop, S(nh)=RPF_Nexthop
Flags:E=Evicted, Ec=Evict Candidate, N=New Flow, M=Modified Dm=Delete Marked
TCP(r=reverse):S=SYN, F=FIN, R=RST, C=HalfClose, E=Established, D=Dead
Listing flows matching ([1.1.1.4]:*, [2.2.2.4]:*)
Index Source:Port/Destination:Port Proto(V)
-----------------------------------------------------------------------------------
33660<=>366252 1.1.1.4:4902 1 (7->7)
2.2.2.4:0
(Gen: 1, K(nh):69, Action:F, Flags:, QOS:-1, S(nh):69, Stats:1/102, SPort 49826,
TTL 0, Sinfo 7.0.0.0)
277580<=>461744 1.1.1.4:4902 1 (6->6)
2.2.2.4:0
(Gen: 18, K(nh):68, Action:F, Flags:, QOS:-1, S(nh):52, Stats:0/0, SPort 49527,
TTL 0, Sinfo 0.0.0.0)
366252<=>33660 2.2.2.4:4902 1 (5->7)
1.1.1.4:0
(Gen: 2, K(nh):33, Action:F, Flags:, QOS:-1, S(nh):33, Stats:1/98, SPort 55945,
TTL 0, Sinfo 5.0.0.0)
461744<=>277580 2.2.2.4:4902 1 (6->6)
1.1.1.4:0
(Gen: 1, K(nh):68, Action:F, Flags:, QOS:-1, S(nh):68, Stats:1/102, SPort 61673,
TTL 0, Sinfo 4.0.0.0)
root@nodec62:~# grep -a SessionEndpointObject /var/log/contrail/contrail-vrouter-agent.log | grep -a "2.2.2.4"| grep "1.1.1.4"
2017-10-31 Tue 11:13:45:272.542 IST nodec62 [Thread 140329148450560, Pid 9391]: [SYS_INFO]: SessionEndpointObject: session_data= [ [
[ vmi = default-domain:admin:38e7244c-26b9-4f74-8444-bde46a29815e vn = default-domain:admin:vn1 security_policy_rule = 00000000-0000-0000-0000-000000000001 remote_vn = default-domain:admin:vn2 is_client_session = 1 is_si = 1 remote_prefix = 2.2.2.4/32 vrouter_ip = 10.204.217.102 sess_agg_info= [ [ [ ip = 1.1.1.4 port = 0 protocol = 1 ] [ sampled_forward_bytes = 102 sampled_forward_pkts = 1 sampled_reverse_bytes = 98 sampled_reverse_pkts = 1 logged_forward_bytes = 102 logged_forward_pkts = 1 logged_reverse_bytes = 98 logged_reverse_pkts = 1 sessionMap= [ [ [ ip = 2.2.2.4 port = 4902 ] [ forward_flow_info= [ sampled_bytes = 102 sampled_pkts = 1 logged_bytes = 102 logged_pkts = 1 flow_uuid = 4128a820-3429-49ca-a1ea-f3d90f6fd354 tcp_flags = 0 setup_time = 1509428625135791 teardown_time = 0 action = pass|VRF assign sg_rule_uuid = f5f606ed-21c5-40b4-96b9-54f4f4939900 nw_ace_uuid = 874ab189-0d13-4dcd-a303-2a40c902c24e underlay_source_port = 49826 drop_reason = 0 ] reverse_flow_info= [ sampled_bytes = 98 sampled_pkts = 1 logged_bytes = 98 logged_pkts = 1 flow_uuid = c6629d4b-afda-4ddc-839c-84a63acb5c8c tcp_flags = 0 setup_time = 1509428625135791 teardown_time = 0 action = pass|VRF assign sg_rule_uuid = 32e756cf-53ef-4233-80cf-681c0f2ad628 nw_ace_uuid = 874ab189-0d13-4dcd-a303-2a40c902c24e underlay_source_port = 55945 drop_reason = 0 ] vm = 26245d2c-cb76-448b-9ad0-5099d521e2e1 other_vrouter_ip = 10.204.217.102 underlay_proto = 0 ], ] ] ], ] ] ],
[ vmi = default-domain:admin:9bb6fad1-1138-4214-aeec-1b1f4dac6266 vn = default-domain:admin:vn2 security_policy_rule = 00000000-0000-0000-0000-000000000001 remote_vn = default-domain:admin:vn1 is_client_session = 1 is_si = 1 remote_prefix = 1.1.1.4/32 vrouter_ip = 10.204.217.102 sess_agg_info= [ [ [ ip = 2.2.2.4 port = 0 protocol = 1 ] [ sampled_forward_bytes = 102 sampled_forward_pkts = 1 sampled_reverse_bytes = 0 sampled_reverse_pkts = 0 logged_forward_bytes = 102 logged_forward_pkts = 1 logged_reverse_bytes = 0 logged_reverse_pkts = 0 sessionMap= [ [ [ ip = 1.1.1.4 port = 4902 ] [ forward_flow_info= [ sampled_bytes = 102 sampled_pkts = 1 logged_bytes = 102 logged_pkts = 1 flow_uuid = 193167bb-3c20-4d66-b9c2-dec63f926939 tcp_flags = 0 setup_time = 1509428625136524 teardown_time = 0 action = pass|VRF assign sg_rule_uuid = f5f606ed-21c5-40b4-96b9-54f4f4939900 nw_ace_uuid = 874ab189-0d13-4dcd-a303-2a40c902c24e underlay_source_port = 61673 drop_reason = 0 ] reverse_flow_info= [ flow_uuid = 2f91ebf3-1079-484b-9760-e24d1d09b413 setup_time = 1509428625136524 teardown_time = 0 action = pass|VRF assign sg_rule_uuid = f5f606ed-21c5-40b4-96b9-54f4f4939900 nw_ace_uuid = 874ab189-0d13-4dcd-a303-2a40c902c24e drop_reason = 0 ] vm = 26245d2c-cb76-448b-9ad0-5099d521e2e1 other_vrouter_ip = 10.204.216.69 underlay_proto = 2 ], ] ] ], ] ] ],
[ vmi = default-domain:admin:aa208e72-691c-4ccd-b725-459aee872957 vn = default-domain:admin:vn2 security_policy_rule = 00000000-0000-0000-0000-000000000001 remote_vn = default-domain:admin:vn1 is_client_session = 0 is_si = 0 remote_prefix = 1.1.1.4/32 vrouter_ip = 10.204.217.102 sess_agg_info= [ [ [ ip = 2.2.2.4 port = 4902 protocol = 1 ] [ sampled_forward_bytes = 98 sampled_forward_pkts = 1 sampled_reverse_bytes = 102 sampled_reverse_pkts = 1 logged_forward_bytes = 98 logged_forward_pkts = 1 logged_reverse_bytes = 102 logged_reverse_pkts = 1 sessionMap= [ [ [ ip = 1.1.1.4 port = 0 ] [ forward_flow_info= [ sampled_bytes = 98 sampled_pkts = 1 logged_bytes = 98 logged_pkts = 1 flow_uuid = c6629d4b-afda-4ddc-839c-84a63acb5c8c tcp_flags = 0 setup_time = 1509428625135653 teardown_time = 0 action = pass|VRF assign sg_rule_uuid = 32e756cf-53ef-4233-80cf-681c0f2ad628 nw_ace_uuid = 874ab189-0d13-4dcd-a303-2a40c902c24e underlay_source_port = 55945 drop_reason = 0 ] reverse_flow_info= [ sampled_bytes = 102 sampled_pkts = 1 logged_bytes = 102 logged_pkts = 1 flow_uuid = 4128a820-3429-49ca-a1ea-f3d90f6fd354 tcp_flags = 0 setup_time = 1509428625135653 teardown_time = 0 action = pass|VRF assign sg_rule_uuid = f5f606ed-21c5-40b4-96b9-54f4f4939900 nw_ace_uuid = 874ab189-0d13-4dcd-a303-2a40c902c24e underlay_source_port = 49826 drop_reason = 0 ] vm = b702ea3b-b110-4fc7-ac02-8851e87d1afe other_vrouter_ip = 10.204.217.102 underlay_proto = 0 ], ] ] ], ] ] ], ] ]
Also note that vmi 9bb6fad1-1138-4214-aeec-1b1f4dac6266 is 1.1.1.5 (vn1), but the vn mentioned in the session is default-domain:admin:vn2 and the remote vn is default-domain:admin:vn1.
Two sessions are seen, but each session is on a different VMI. As the traffic is passing through these VMIs, the sessions are seen. Having two sessions is not an issue.
However, the session on the left interface has incorrect VN information. This happens because flows are not getting created in the forward path for the left interface. Instead, flows are getting created for the reverse path. The reason flows are not getting created in the forward path is that the Vlan NH always has policy disabled. The fix is to ensure that the Vlan NH inherits policy status from its associated interface.
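A way to check agent logs for the symptom described above, as an added example that is not part of the original report or of the Contrail code base: it parses the per-VMI records of a SessionEndpointObject line and reports SI sessions whose logged vn differs from the VN the VMI is attached to. The sample line is constructed, and the VMI_TO_VN inventory is an assumed input (only the 9bb6fad1 entry is stated in the report).

```python
import re

FIELDS = ("vn", "remote_vn", "is_client_session", "is_si", "remote_prefix")
P = "default-domain:admin:"

# Constructed sample: three records abbreviated from the log layout above
# (same field names and VMI ids, flow counters omitted).
SAMPLE = (
    "SessionEndpointObject: session_data= [ [ "
    f"[ vmi = {P}38e7244c-26b9-4f74-8444-bde46a29815e vn = {P}vn1 "
    f"remote_vn = {P}vn2 is_client_session = 1 is_si = 1 remote_prefix = 2.2.2.4/32 ], "
    f"[ vmi = {P}9bb6fad1-1138-4214-aeec-1b1f4dac6266 vn = {P}vn2 "
    f"remote_vn = {P}vn1 is_client_session = 1 is_si = 1 remote_prefix = 1.1.1.4/32 ], "
    f"[ vmi = {P}aa208e72-691c-4ccd-b725-459aee872957 vn = {P}vn2 "
    f"remote_vn = {P}vn1 is_client_session = 0 is_si = 0 remote_prefix = 1.1.1.4/32 ], ] ]"
)

# Assumed inventory (VMI uuid -> VN it is attached to). Only the 9bb6fad1 entry
# is stated in the report; the other two are assumptions for this example.
VMI_TO_VN = {
    "38e7244c-26b9-4f74-8444-bde46a29815e": P + "vn1",
    "9bb6fad1-1138-4214-aeec-1b1f4dac6266": P + "vn1",
    "aa208e72-691c-4ccd-b725-459aee872957": P + "vn2",
}

def parse_sessions(line):
    """Return one dict per '[ vmi = ...' record in a SessionEndpointObject line."""
    sessions = []
    for chunk in re.split(r"\[ vmi = ", line)[1:]:
        rec = {"vmi": chunk.split()[0]}
        for key in FIELDS:
            # \b keeps 'vn' from matching inside 'remote_vn'; first hit is the header field
            m = re.search(rf"\b{key} = (\S+)", chunk)
            rec[key] = m.group(1) if m else None
        sessions.append(rec)
    return sessions

def vn_mismatches(sessions, vmi_to_vn):
    """SI sessions whose logged vn differs from the inventory's VN for that VMI."""
    out = []
    for s in sessions:
        expected = vmi_to_vn.get(s["vmi"].rsplit(":", 1)[-1])
        if s["is_si"] == "1" and expected and s["vn"] != expected:
            out.append((s["vmi"], s["vn"], expected))
    return out

if __name__ == "__main__":
    for vmi, logged, expected in vn_mismatches(parse_sessions(SAMPLE), VMI_TO_VN):
        print(f"{vmi}: logged vn {logged}, attached to {expected}")
```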