disable policy knob requires multihop config on VM (TTL=1 dropped)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Juniper Openstack | Status tracked in Trunk | | |
R3.2 | New | High | N Anand Rao |
R4.1 | New | Medium | N Anand Rao |
R5.0 | Won't Fix | High | N Anand Rao |
Trunk | Fix Committed | High | N Anand Rao |
Bug Description
When testing the Customer VNF in a vanilla BGPaaS peering configuration (from VMI to vrouter IP in eBGP mode), peering was broken / not re-established when activating the disable-policy knob.
The trace below is self-explanatory:
- SYN from VM (26.1.23.10) sent to vrouter (26.1.23.254) with TTL=1 (eBGP single hop)
- ICMP TTL exceeded generated with HOST MAC (not vrouter MAC) toward VM
```
11:20:17.733109 02:4d:10:bf:86:3b > 00:00:5e:00:01:00, ethertype IPv4 (0x0800), length 78: (tos 0xc0, ttl 1, id 30612, offset 0, flags [none], proto TCP (6), length 64)
26.
11:20:17.733242 40:5c:fd:14:c0:5e > 02:4d:10:bf:86:3b, ethertype IPv4 (0x0800), length 106: (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto ICMP (1), length 92)
26.1.23.254 > 26.1.23.10: ICMP time exceeded in-transit, length 72
```
In other words, changing from flow-based forwarding to packet-based forwarding changes the control of TTL checks.
This is a bug, as both vrouter and VM are in the same subnet, and it should be fixed as it is quite misleading.
The workaround for now is to configure multihop in the VNF.
- information type: Proprietary → Public
- tags: added: config
- tags: added: releaseblocker
- tags: added: inmarsat
When policy is enabled, the relevant flow entry is updated with an updated TTL (when the original packet has TTL = 1). When policy is disabled, this action is not taken, resulting in the TTL becoming zero due to the vrouter action and an ICMP being sent. Need to update vrouter to handle this differently (update the TTL or not decrement the TTL).
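To spot this symptom in a capture (a TTL=1 segment from the VM to its vrouter gateway answered by ICMP time exceeded, here from a MAC other than the gateway MAC the VM addressed), the following script, added here and not part of the bug report or of the vrouter code, parses `tcpdump -e -v` text. The sample capture is constructed to mirror the trace above; the port numbers on its second line are assumed, since the report's copy of that line is truncated.

```python
import re

# Constructed tcpdump -e -v output modelled on the trace in the report: the VM
# 26.1.23.10 sends a TTL=1 BGP SYN to its gateway 26.1.23.254 and gets an ICMP
# time-exceeded back from a MAC that is not the gateway MAC it sent to.
# Port numbers on the second line are assumed (the report's copy is truncated).
SAMPLE_TRACE = """\
11:20:17.733109 02:4d:10:bf:86:3b > 00:00:5e:00:01:00, ethertype IPv4 (0x0800), length 78: (tos 0xc0, ttl 1, id 30612, offset 0, flags [none], proto TCP (6), length 64)
    26.1.23.10.41234 > 26.1.23.254.179: Flags [S], seq 0, win 29200, length 0
11:20:17.733242 40:5c:fd:14:c0:5e > 02:4d:10:bf:86:3b, ethertype IPv4 (0x0800), length 106: (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto ICMP (1), length 92)
    26.1.23.254 > 26.1.23.10: ICMP time exceeded in-transit, length 72
"""

# Frame header line: timestamp, source MAC, destination MAC, IP TTL, protocol name.
HDR = re.compile(r"^(\S+) ([0-9a-f:]+) > ([0-9a-f:]+), ethertype IPv4 .*?ttl (\d+),.*?proto (\w+) \(\d+\)")
# Indented IP line: source IP[.port] > destination IP[.port]: remainder.
IPS = re.compile(r"^\s+(\d+(?:\.\d+){3})(?:\.\d+)? > (\d+(?:\.\d+){3})(?:\.\d+)?: (.*)$")

def parse_trace(text):
    """Pair each header line with the indented IP line that follows it."""
    lines, packets = text.splitlines(), []
    for i in range(len(lines) - 1):
        hdr, ips = HDR.match(lines[i]), IPS.match(lines[i + 1])
        if hdr and ips:
            packets.append({
                "time": hdr.group(1), "src_mac": hdr.group(2), "dst_mac": hdr.group(3),
                "ttl": int(hdr.group(4)), "proto": hdr.group(5),
                "src_ip": ips.group(1), "dst_ip": ips.group(2), "info": ips.group(3),
            })
    return packets

def find_ttl_drops(text, gateway_ip):
    """TTL=1 packets to the gateway answered with ICMP time exceeded (a directly connected hop should deliver, not expire, them)."""
    packets, findings = parse_trace(text), []
    for idx, pkt in enumerate(packets):
        if pkt["ttl"] != 1 or pkt["dst_ip"] != gateway_ip:
            continue
        for reply in packets[idx + 1:]:
            if (reply["proto"] == "ICMP" and reply["src_ip"] == gateway_ip
                    and reply["dst_ip"] == pkt["src_ip"]
                    and "time exceeded" in reply["info"]):
                findings.append({
                    "vm": pkt["src_ip"], "gateway": gateway_ip, "proto": pkt["proto"],
                    "gateway_mac": pkt["dst_mac"], "icmp_src_mac": reply["src_mac"],
                    # True when the host, not the addressed gateway MAC, sent the ICMP
                    "mac_mismatch": reply["src_mac"] != pkt["dst_mac"],
                })
                break
    return findings
```

On a real capture, run `find_ttl_drops(open("capture.txt").read(), "<gateway ip>")`; any finding with `mac_mismatch` set matches the report's pattern of the ICMP coming from the host MAC rather than the vrouter MAC.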