Juniper Openstack

disable policy knob requires multihop config on VM (TTL=1 dropped)

  1. Series r3.2
  2. Bug #1737963
Bug #1737963 reported by richard roberts
26
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Juniper Openstack
Status tracked in Trunk
R3.2
New
High
N Anand Rao
R4.1
New
Medium
N Anand Rao
R5.0
Won't Fix
High
N Anand Rao
Juniper Openstack r5.0.1
Trunk
Fix Committed
High
N Anand Rao
Juniper Openstack r5.1.0

Bug Description

when testing Customer VNF in vanilla bgpaas peering configuration (from VMI to VROUTER IP in eBGP mode), peering were broken/not re-established when activating the disable-policy knob.

The trace below is self explanatory:
- SYN from VM (26.1.23.10) sent to vrouter (26.1.23.254) with TTL=1 (eBGP single hop)
- ICMP TTL exceeded generated with HOST MAC (not vrouter MAC) toward VM

11:20:17.733109 02:4d:10:bf:86:3b > 00:00:5e:00:01:00, ethertype IPv4 (0x0800), length 78: (tos 0xc0, ttl 1, id 30612, offset 0, flags [none], proto TCP (6), length 64)
    26.1.23.10.51092 > 26.1.23.254.bgp: Flags [S], cksum 0xe9ba (correct), seq 2347135884, win 32768, options [mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,TS val 1548650 ecr 0], length 0
11:20:17.733242 40:5c:fd:14:c0:5e > 02:4d:10:bf:86:3b, ethertype IPv4 (0x0800), length 106: (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto ICMP (1), length 92)
    26.1.23.254 > 26.1.23.10: ICMP time exceeded in-transit, length 72

In other words changing from flow based forwarding to packet based forwarding changes the control of TTL checks.

This is a bug, as both vrouter/VM are in a same subnet and should be fixed as it is quite misleading.

Workaround for now is to configure multihop in the VNF.

richard roberts (robric35)
information type: Proprietary → Public
Jeba Paulaiyan (jebap)
tags: added: config
Revision history for this message
Hari Prasad Killi (haripk) wrote :

When policy is enabled, the relevant flow entry is updated with an updated TTL (when the original packet has ttl = 1). When policy is disabled, this action is not taken resulting in ttl becoming zero due to vrouter action and an ICMP being sent. Need to update vrouter to handle this differently (update TTL or not decrement TTL).

tags: added: vrouter
removed: config
Jeba Paulaiyan (jebap)
tags: added: releaseblocker
Revision history for this message
sangarshan p (sangarshp) wrote :

we need to handle this case in vrouter, risk of fix is high. so we need to explore further on fixing this issue , will plan fixing this issue in next release.

Revision history for this message
richard roberts (robric35) wrote :

changing priority - this needs to be fixed.

Revision history for this message
sangarshan p (sangarshp) wrote :

will not fix on branch 5.0.1 due to vrouter stability issues

N Anand Rao (anandrao79)
tags: added: inmarsat
Revision history for this message
Sivakumar Ganapathy (hotlava51) wrote :

when new packet is received, vrouter checks policy information, if policy is enabled, it traps the packet to Agent for flow creation, otherwise it decrements the TTL and traps the packet to agent for flow creation. So, in single hop and policy disabled case, packets are getting dropped in vrouter due to TTL expiry and flows are not created. Customer is expecting consistent behavior in policy enable/disable case. We need to change the logic in vrouter.

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/48931
Submitter: N Anand Rao (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/48931
Committed: http://github.com/Juniper/contrail-vrouter/commit/3e7d1ff921c124c6b8f5cb4a1068f5050f0c624b
Submitter: Zuul v3 CI (<email address hidden>)
Branch: master

commit 3e7d1ff921c124c6b8f5cb4a1068f5050f0c624b
Author: Anand Narayanan Rao <email address hidden>
Date: Mon Jan 28 13:09:28 2019 +0530

Do not decrement TTL while doing L3 forward to agent pkt0

In BGPaaS in pkt mode, the pkt will be L3 routed with the NH
pointing to pkt0 or GW interface at one stage (before NAT).
In single hop BGPaaS case, since the TTL is decremented in
vr_forward() during L3 routing, the pkt is dropped later
since the TTL becomes 0. This leads to BGP session not
coming up at all.

Change-Id: I68d482a903de9067464d75fe269d74f9d2beaf67
Closes-Bug: #1737963
closes-jira-bug:#JCB-199874

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R5.0

Review in progress for https://review.opencontrail.org/49009
Submitter: N Anand Rao (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/49009
Committed: http://github.com/Juniper/contrail-vrouter/commit/1e48ed01c8db34147f851e4e86c32d884a5a9b9f
Submitter: Zuul v3 CI (<email address hidden>)
Branch: R5.0

commit 1e48ed01c8db34147f851e4e86c32d884a5a9b9f
Author: Anand Narayanan Rao <email address hidden>
Date: Mon Jan 28 13:09:28 2019 +0530

Do not decrement TTL while doing L3 forward to agent pkt0

In BGPaaS in pkt mode, the pkt will be L3 routed with the NH
pointing to pkt0 or GW interface at one stage (before NAT).
In single hop BGPaaS case, since the TTL is decremented in
vr_forward() during L3 routing, the pkt is dropped later
since the TTL becomes 0. This leads to BGP session not
coming up at all.

Change-Id: I68d482a903de9067464d75fe269d74f9d2beaf67
Closes-Bug: #1737963
closes-jira-bug:#JCB-199874
(cherry picked from commit 3e7d1ff921c124c6b8f5cb4a1068f5050f0c624b)

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.