[R4.1-24]: session logging: Incorrect VN information seen for sessions on transparent SI VMIs

Bug #1728802 reported by alok kumar
This bug affects 1 person
Affects             Status  Importance  Assigned to   Milestone
Juniper Openstack   Status tracked in Trunk
  R4.1              New     Medium      Ashok Singh
  R5.0              New     Medium      N Anand Rao
  Trunk             New     Medium      Ashok Singh

Bug Description

For the SI case, 2 sessions are logged with is_si=1 and is_client=1.

1.1.1.4(on nodec12), 2.2.2.4(on nodec62), SI(on nodec62)
This is tested with transparent firewall SI-v2.

root@nodec62:~# flow -l --match 1.1.1.4,2.2.2.4
Flow table(size 80609280, entries 629760)

Entries: Created 543526 Added 543526 Deleted 1086862 Changed 1086862 Processed 543526 Used Overflow entries 0
(Created Flows/CPU: 137297 134750 134608 136871)(oflows 0)

Action:F=Forward, D=Drop N=NAT(S=SNAT, D=DNAT, Ps=SPAT, Pd=DPAT, L=Link Local Port)
 Other:K(nh)=Key_Nexthop, S(nh)=RPF_Nexthop
 Flags:E=Evicted, Ec=Evict Candidate, N=New Flow, M=Modified Dm=Delete Marked
TCP(r=reverse):S=SYN, F=FIN, R=RST, C=HalfClose, E=Established, D=Dead

Listing flows matching ([1.1.1.4]:*, [2.2.2.4]:*)

    Index Source:Port/Destination:Port Proto(V)
-----------------------------------------------------------------------------------
    33660<=>366252 1.1.1.4:4902 1 (7->7)
                         2.2.2.4:0
(Gen: 1, K(nh):69, Action:F, Flags:, QOS:-1, S(nh):69, Stats:1/102, SPort 49826,
 TTL 0, Sinfo 7.0.0.0)

   277580<=>461744 1.1.1.4:4902 1 (6->6)
                         2.2.2.4:0
(Gen: 18, K(nh):68, Action:F, Flags:, QOS:-1, S(nh):52, Stats:0/0, SPort 49527,
 TTL 0, Sinfo 0.0.0.0)

   366252<=>33660 2.2.2.4:4902 1 (5->7)
                         1.1.1.4:0
(Gen: 2, K(nh):33, Action:F, Flags:, QOS:-1, S(nh):33, Stats:1/98, SPort 55945,
 TTL 0, Sinfo 5.0.0.0)

   461744<=>277580 2.2.2.4:4902 1 (6->6)
                         1.1.1.4:0
(Gen: 1, K(nh):68, Action:F, Flags:, QOS:-1, S(nh):68, Stats:1/102, SPort 61673,
 TTL 0, Sinfo 4.0.0.0)

root@nodec62:~# grep -a SessionEndpointObject /var/log/contrail/contrail-vrouter-agent.log | grep -a "2.2.2.4"| grep "1.1.1.4"
2017-10-31 Tue 11:13:45:272.542 IST nodec62 [Thread 140329148450560, Pid 9391]: [SYS_INFO]: SessionEndpointObject: session_data= [ [

[ vmi = default-domain:admin:38e7244c-26b9-4f74-8444-bde46a29815e vn = default-domain:admin:vn1 security_policy_rule = 00000000-0000-0000-0000-000000000001 remote_vn = default-domain:admin:vn2 is_client_session = 1 is_si = 1 remote_prefix = 2.2.2.4/32 vrouter_ip = 10.204.217.102 sess_agg_info= [ [ [ ip = 1.1.1.4 port = 0 protocol = 1 ] [ sampled_forward_bytes = 102 sampled_forward_pkts = 1 sampled_reverse_bytes = 98 sampled_reverse_pkts = 1 logged_forward_bytes = 102 logged_forward_pkts = 1 logged_reverse_bytes = 98 logged_reverse_pkts = 1 sessionMap= [ [ [ ip = 2.2.2.4 port = 4902 ] [ forward_flow_info= [ sampled_bytes = 102 sampled_pkts = 1 logged_bytes = 102 logged_pkts = 1 flow_uuid = 4128a820-3429-49ca-a1ea-f3d90f6fd354 tcp_flags = 0 setup_time = 1509428625135791 teardown_time = 0 action = pass|VRF assign sg_rule_uuid = f5f606ed-21c5-40b4-96b9-54f4f4939900 nw_ace_uuid = 874ab189-0d13-4dcd-a303-2a40c902c24e underlay_source_port = 49826 drop_reason = 0 ] reverse_flow_info= [ sampled_bytes = 98 sampled_pkts = 1 logged_bytes = 98 logged_pkts = 1 flow_uuid = c6629d4b-afda-4ddc-839c-84a63acb5c8c tcp_flags = 0 setup_time = 1509428625135791 teardown_time = 0 action = pass|VRF assign sg_rule_uuid = 32e756cf-53ef-4233-80cf-681c0f2ad628 nw_ace_uuid = 874ab189-0d13-4dcd-a303-2a40c902c24e underlay_source_port = 55945 drop_reason = 0 ] vm = 26245d2c-cb76-448b-9ad0-5099d521e2e1 other_vrouter_ip = 10.204.217.102 underlay_proto = 0 ], ] ] ], ] ] ],

[ vmi = default-domain:admin:9bb6fad1-1138-4214-aeec-1b1f4dac6266 vn = default-domain:admin:vn2 security_policy_rule = 00000000-0000-0000-0000-000000000001 remote_vn = default-domain:admin:vn1 is_client_session = 1 is_si = 1 remote_prefix = 1.1.1.4/32 vrouter_ip = 10.204.217.102 sess_agg_info= [ [ [ ip = 2.2.2.4 port = 0 protocol = 1 ] [ sampled_forward_bytes = 102 sampled_forward_pkts = 1 sampled_reverse_bytes = 0 sampled_reverse_pkts = 0 logged_forward_bytes = 102 logged_forward_pkts = 1 logged_reverse_bytes = 0 logged_reverse_pkts = 0 sessionMap= [ [ [ ip = 1.1.1.4 port = 4902 ] [ forward_flow_info= [ sampled_bytes = 102 sampled_pkts = 1 logged_bytes = 102 logged_pkts = 1 flow_uuid = 193167bb-3c20-4d66-b9c2-dec63f926939 tcp_flags = 0 setup_time = 1509428625136524 teardown_time = 0 action = pass|VRF assign sg_rule_uuid = f5f606ed-21c5-40b4-96b9-54f4f4939900 nw_ace_uuid = 874ab189-0d13-4dcd-a303-2a40c902c24e underlay_source_port = 61673 drop_reason = 0 ] reverse_flow_info= [ flow_uuid = 2f91ebf3-1079-484b-9760-e24d1d09b413 setup_time = 1509428625136524 teardown_time = 0 action = pass|VRF assign sg_rule_uuid = f5f606ed-21c5-40b4-96b9-54f4f4939900 nw_ace_uuid = 874ab189-0d13-4dcd-a303-2a40c902c24e drop_reason = 0 ] vm = 26245d2c-cb76-448b-9ad0-5099d521e2e1 other_vrouter_ip = 10.204.216.69 underlay_proto = 2 ], ] ] ], ] ] ],

[ vmi = default-domain:admin:aa208e72-691c-4ccd-b725-459aee872957 vn = default-domain:admin:vn2 security_policy_rule = 00000000-0000-0000-0000-000000000001 remote_vn = default-domain:admin:vn1 is_client_session = 0 is_si = 0 remote_prefix = 1.1.1.4/32 vrouter_ip = 10.204.217.102 sess_agg_info= [ [ [ ip = 2.2.2.4 port = 4902 protocol = 1 ] [ sampled_forward_bytes = 98 sampled_forward_pkts = 1 sampled_reverse_bytes = 102 sampled_reverse_pkts = 1 logged_forward_bytes = 98 logged_forward_pkts = 1 logged_reverse_bytes = 102 logged_reverse_pkts = 1 sessionMap= [ [ [ ip = 1.1.1.4 port = 0 ] [ forward_flow_info= [ sampled_bytes = 98 sampled_pkts = 1 logged_bytes = 98 logged_pkts = 1 flow_uuid = c6629d4b-afda-4ddc-839c-84a63acb5c8c tcp_flags = 0 setup_time = 1509428625135653 teardown_time = 0 action = pass|VRF assign sg_rule_uuid = 32e756cf-53ef-4233-80cf-681c0f2ad628 nw_ace_uuid = 874ab189-0d13-4dcd-a303-2a40c902c24e underlay_source_port = 55945 drop_reason = 0 ] reverse_flow_info= [ sampled_bytes = 102 sampled_pkts = 1 logged_bytes = 102 logged_pkts = 1 flow_uuid = 4128a820-3429-49ca-a1ea-f3d90f6fd354 tcp_flags = 0 setup_time = 1509428625135653 teardown_time = 0 action = pass|VRF assign sg_rule_uuid = f5f606ed-21c5-40b4-96b9-54f4f4939900 nw_ace_uuid = 874ab189-0d13-4dcd-a303-2a40c902c24e underlay_source_port = 49826 drop_reason = 0 ] vm = b702ea3b-b110-4fc7-ac02-8851e87d1afe other_vrouter_ip = 10.204.217.102 underlay_proto = 0 ], ] ] ], ] ] ], ] ]

Also note that vmi 9bb6fad1-1138-4214-aeec-1b1f4dac6266 is 1.1.1.5 (vn1), but the vn mentioned in the session is default-domain:admin:vn2 and the remote vn is default-domain:admin:vn1.
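The check the report describes, as an added example that is not part of the original bug report or of the Contrail code base: it parses the header fields of each session record in a SessionEndpointObject log line and flags records whose logged vn differs from the VN the VMI is configured in. The `EXPECTED_VN` inventory is an assumption supplied by the operator (here only the one mapping the report states), and the sample input is the three records above abridged to their header fields.

```python
import re

# Header fields of one session record inside a SessionEndpointObject log line.
RECORD = re.compile(
    r"vmi = (?P<vmi>\S+) vn = (?P<vn>\S+) security_policy_rule = \S+ "
    r"remote_vn = (?P<remote_vn>\S+) is_client_session = (?P<is_client>[01]) "
    r"is_si = (?P<is_si>[01]) remote_prefix = (?P<remote_prefix>\S+)"
)

# Sample input: the three records from the log line above, abridged to their
# header fields (sess_agg_info omitted).
TEMPLATE = ("[ vmi = default-domain:admin:{} vn = default-domain:admin:{} "
            "security_policy_rule = 00000000-0000-0000-0000-000000000001 "
            "remote_vn = default-domain:admin:{} is_client_session = {} "
            "is_si = {} remote_prefix = {} vrouter_ip = 10.204.217.102 ], ")
SAMPLE = "SessionEndpointObject: session_data= [ [ " + "".join(
    TEMPLATE.format(*r) for r in [
        ("38e7244c-26b9-4f74-8444-bde46a29815e", "vn1", "vn2", 1, 1, "2.2.2.4/32"),
        ("9bb6fad1-1138-4214-aeec-1b1f4dac6266", "vn2", "vn1", 1, 1, "1.1.1.4/32"),
        ("aa208e72-691c-4ccd-b725-459aee872957", "vn2", "vn1", 0, 0, "1.1.1.4/32"),
    ])

# Assumption: VMI -> configured VN, taken from the operator's own inventory.
# Only the mapping stated in the report is listed here.
EXPECTED_VN = {"9bb6fad1-1138-4214-aeec-1b1f4dac6266": "default-domain:admin:vn1"}

def parse_sessions(text):
    """Extract the header fields of every session record in agent log text."""
    sessions = []
    for m in RECORD.finditer(text):
        s = m.groupdict()
        s["vmi_uuid"] = s["vmi"].rsplit(":", 1)[-1]
        s["is_client"] = s["is_client"] == "1"
        s["is_si"] = s["is_si"] == "1"
        sessions.append(s)
    return sessions

def vn_mismatches(sessions, expected_vn):
    """Sessions whose logged vn differs from the VN the VMI is configured in.
    VMIs missing from the inventory are skipped, not flagged."""
    return [s for s in sessions
            if expected_vn.get(s["vmi_uuid"], s["vn"]) != s["vn"]]

if __name__ == "__main__":
    for s in vn_mismatches(parse_sessions(SAMPLE), EXPECTED_VN):
        print(f"{s['vmi_uuid']}: logged vn={s['vn']} remote_vn={s['remote_vn']} "
              f"expected vn={EXPECTED_VN[s['vmi_uuid']]} is_si={s['is_si']}")
```
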

Ashok Singh (ashoksr) wrote :

Two sessions are seen, but each session is on a different VMI. As the traffic is passing through these VMIs, the sessions are seen. Having two sessions is not an issue.

However, the session on the left interface has incorrect VN information. This happens because flows are not getting created in the forward path for the left interface. Instead, flows are getting created for the reverse path. The reason flows are not getting created in the forward path is that the Vlan NH always has policy disabled. The fix is to ensure that the Vlan NH inherits policy status from its associated interface.

tags: added: releasenote
Ashok Singh (ashoksr)
summary: - [R4.1-24]: session logging: 2 sessions logged for service instance case
+ [R4.1-24]: session logging: Incorrect VN information seen for sessions
+ on transparent SI VMIs
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/38093
Submitter: Ashok Singh (<email address hidden>)

Ashok Singh (ashoksr) wrote :

Investigation required from vrouter team.
For tunneled packets coming in on the physical-interface and destined to a vlan-tagged interface (the MPLS label of the tunneled packet points to VlanNH), vrouter sends the flow-setup message to the agent with the interface’s NH instead of VlanNH. Vrouter team to get back on whether the flow-setup message can be sent with VlanNH.

Sivakumar Ganapathy (hotlava51) wrote :

Not deemed critical enough for 5.0.2 based on review with Sudheendra. Moving it to 5.1.0.
