Flows getting stuck in Hold state if icmp error received

Bug #1554236 reported by amit surana
This bug affects 1 person

Affects: Juniper Openstack (status tracked in Trunk)

Series   | Status        | Importance | Assigned to       | Milestone
R2.20    | Fix Committed | Medium     | Anand H. Krishnan |
R2.21.x  | Fix Committed | Medium     | Anand H. Krishnan |
R2.22.x  | Fix Committed | Medium     | Anand H. Krishnan |
R3.0     | Fix Committed | Medium     | Anand H. Krishnan |
Trunk    | Fix Committed | Medium     | Anand H. Krishnan |

Bug Description

3.0 2723

Flows are getting stuck in hold state and all ICMP echo requests are dropped. Happening every single time.

root@csol2-node15:~# flow -l | grep :H -B2
   108644 2001:db8:0:f101::1:129 58 (5)
                         fd67::3:2231
(Gen: 5, K(nh):25, Action:H, Flags:, S(nh):0, Stats:27/4482, SPort 0)

Topology:

VM_Left(fd66::3)-------SC-------(fd67::3)VM_Right

VM_right is pinging a v6 address that is configured on a loopback interface of VM_left (and advertised via BGP to CN; BGPaaS config).

This is a regression; used to work in a couple builds earlier.

Tags: vrouter
amit surana (asurana-t) wrote :

H flow seen only when service-vm is unable to route the packets from the right_vm to the left_vm. A default route was configured on the service VM, but it was pointing out the left interface (without a next-hop). As such the service-vm was trying to ARP for the destination out its left interface (even though it's not directly connected). Failing to get back an ARP reply, the service-vm was sending back an ICMP destination unreachable error message back to the right_vm, which was causing the connection to go to H state.

amit surana (asurana-t)
summary: - IPv6 flows getting stuck in Hold state
+ Flows getting stuck in Hold state if icmp error received
amit surana (asurana-t)
description: updated
Ashok Singh (ashoksr) wrote :

For ICMPv6 destination unreachable messages, the packet trapped to agent for flow processing has incorrect source-port and destination port values. ICMP-id should be source port, but instead the source-port is ICMP6_TYPE_ECHO_REPLY (129). ICMP6_TYPE_ECHO_REPLY should be destination port, but instead destination-port is ICMP-id.

OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.21.x

Review in progress for https://review.opencontrail.org/18382
Submitter: Anand H. Krishnan (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0

Review in progress for https://review.opencontrail.org/18384
Submitter: Anand H. Krishnan (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.20

Review in progress for https://review.opencontrail.org/18387
Submitter: Anand H. Krishnan (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.22.x

Review in progress for https://review.opencontrail.org/18388
Submitter: Anand H. Krishnan (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/18391
Submitter: Anand H. Krishnan (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/18382
Committed: http://github.org/Juniper/contrail-vrouter/commit/fd45df88fc8cd9121937bb0312f27cf5b40f0e68
Submitter: Zuul
Branch: R2.21.x

commit fd45df88fc8cd9121937bb0312f27cf5b40f0e68
Author: Anand H. Krishnan <email address hidden>
Date: Mon Mar 14 12:24:49 2016 +0530

Do not swap ports for an ICMP packet inside an ICMP error

For an ICMP packet, the port numbers remain the same in either direction
i.e.: source port remains the same for both forward and the reverse flows
as does the destination port. Hence, we should not be swapping ports in
calculating the flow key while trying to tag an ICMP error packet to a
flow set up for the original stream.

Change-Id: Ic5df8aec5f1009441aefd3d177568d55f3cb0d2c
Closes-BUG: #1554236
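
The rule stated in the commit message, and the swapped key described in the earlier comment, as an added C sketch (not code from contrail-vrouter). `struct flow_key`, both functions and the UDP entries are hypothetical; the ICMPv6 addresses and the values 2231 and 129 are read from the `flow -l` output above, taking 2231 as the ICMP id.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PROTO_UDP 17
#define PROTO_ICMP6 58
#define ICMP6_TYPE_ECHO_REPLY 129

struct flow_key { const char *sip, *dip; uint8_t proto; uint16_t sport, dport; };

/* Constructed flow table: the echo flow pair (sport = ICMP id, dport =
 * echo-reply type in BOTH directions; 2231 as the id is an assumption)
 * and a constructed UDP pair whose ports mirror between directions. */
static const struct flow_key flows[] = {
    { "fd67::3", "2001:db8:0:f101::1", PROTO_ICMP6, 2231, ICMP6_TYPE_ECHO_REPLY },
    { "2001:db8:0:f101::1", "fd67::3", PROTO_ICMP6, 2231, ICMP6_TYPE_ECHO_REPLY },
    { "fd67::3", "fd66::3", PROTO_UDP, 40000, 53 },
    { "fd66::3", "fd67::3", PROTO_UDP, 53, 40000 },
};

/* Key of the flow an ICMP error belongs to, built from the packet quoted
 * inside the error. Addresses are always swapped; ports only when they are
 * directional. swap_icmp_ports = true models the pre-fix behaviour. */
struct flow_key key_for_icmp_error(struct flow_key inner, bool swap_icmp_ports)
{
    struct flow_key k = inner;
    k.sip = inner.dip;
    k.dip = inner.sip;
    if (inner.proto != PROTO_ICMP6 || swap_icmp_ports) {
        k.sport = inner.dport;
        k.dport = inner.sport;
    }
    return k;
}

/* Index of the flow matching an error that quotes flows[inner_idx], or -1
 * when nothing matches and the error is handled as a new flow. */
int flow_for_error(int inner_idx, bool swap_icmp_ports)
{
    struct flow_key k = key_for_icmp_error(flows[inner_idx], swap_icmp_ports);
    for (int i = 0; i < (int)(sizeof flows / sizeof flows[0]); i++)
        if (!strcmp(flows[i].sip, k.sip) && !strcmp(flows[i].dip, k.dip) &&
            flows[i].proto == k.proto && flows[i].sport == k.sport &&
            flows[i].dport == k.dport)
            return i;
    return -1;
}

int main(void) { return flow_for_error(0, false) == 1 ? 0 : 1; }
```

With the swap applied to ICMP, the derived key is (2001:db8:0:f101::1, 129) -> (fd67::3, 2231), the same tuple as the Hold entry in the reported output, and it matches neither direction of the echo flow.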

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/18384
Committed: http://github.org/Juniper/contrail-vrouter/commit/6150505ddd04da4242d4c88bc85976aa8de1db11
Submitter: Zuul
Branch: R3.0

commit 6150505ddd04da4242d4c88bc85976aa8de1db11
Author: Anand H. Krishnan <email address hidden>
Date: Mon Mar 14 12:24:49 2016 +0530

Do not swap ports for an ICMP packet inside an ICMP error

For an ICMP packet, the port numbers remain the same in either direction
i.e.: source port remains the same for both forward and the reverse flows
as does the destination port. Hence, we should not be swapping ports in
calculating the flow key while trying to tag an ICMP error packet to a
flow set up for the original stream.

Change-Id: Ic5df8aec5f1009441aefd3d177568d55f3cb0d2c
Closes-BUG: #1554236

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/18387
Committed: http://github.org/Juniper/contrail-vrouter/commit/4c7e245687e3cdd267683ae35a94982a0eb53114
Submitter: Zuul
Branch: R2.20

commit 4c7e245687e3cdd267683ae35a94982a0eb53114
Author: Anand H. Krishnan <email address hidden>
Date: Mon Mar 14 12:24:49 2016 +0530

Do not swap ports for an ICMP packet inside an ICMP error

For an ICMP packet, the port numbers remain the same in either direction
i.e.: source port remains the same for both forward and the reverse flows
as does the destination port. Hence, we should not be swapping ports in
calculating the flow key while trying to tag an ICMP error packet to a
flow set up for the original stream.

Change-Id: Ic5df8aec5f1009441aefd3d177568d55f3cb0d2c
Closes-BUG: #1554236

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/18391
Committed: http://github.org/Juniper/contrail-vrouter/commit/afec8642ca1a3204e219e5c4bb64ed8cc6112104
Submitter: Zuul
Branch: master

commit afec8642ca1a3204e219e5c4bb64ed8cc6112104
Author: Anand H. Krishnan <email address hidden>
Date: Mon Mar 14 12:24:49 2016 +0530

Do not swap ports for an ICMP packet inside an ICMP error

For an ICMP packet, the port numbers remain the same in either direction
i.e.: source port remains the same for both forward and the reverse flows
as does the destination port. Hence, we should not be swapping ports in
calculating the flow key while trying to tag an ICMP error packet to a
flow set up for the original stream.

Change-Id: Ic5df8aec5f1009441aefd3d177568d55f3cb0d2c
Closes-BUG: #1554236

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/18388
Committed: http://github.org/Juniper/contrail-vrouter/commit/a0c2b7480e250578c28565607c22893e2298d767
Submitter: Zuul
Branch: R2.22.x

commit a0c2b7480e250578c28565607c22893e2298d767
Author: Anand H. Krishnan <email address hidden>
Date: Mon Mar 14 12:24:49 2016 +0530

Do not swap ports for an ICMP packet inside an ICMP error

For an ICMP packet, the port numbers remain the same in either direction
i.e.: source port remains the same for both forward and the reverse flows
as does the destination port. Hence, we should not be swapping ports in
calculating the flow key while trying to tag an ICMP error packet to a
flow set up for the original stream.

Change-Id: Ic5df8aec5f1009441aefd3d177568d55f3cb0d2c
Closes-BUG: #1554236

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0

Review in progress for https://review.opencontrail.org/19037
Submitter: Manish Singh (<email address hidden>)

Manish Singh (manishs) wrote :

Last commit #17 will be in bug 1556290.
