Neutron DVR(SNAT) steals FIP traffic
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
Fix Released
|
Undecided
|
Brian Haley |
Bug Description
Setup:
We have 40+ compute nodes, all running neutron-l3-agent in DVR mode. We also have 1 node running neutron-l3-agent in DVR_SNAT mode. L2 population is happening with VXFLD (https:/
Steps to reproduce:
After following the setup above, we noticed that traffic going to/from a floating IP was randomly going out the SNAT namespace (and thus getting connection resets). Further investigation showed this was related/correlated to traffic load, meaning, the more traffic, the more likely the return path would go out the SNAT namespace instead of back out the FIP namespace. After some searching, we found that conntrack was marking in-transit connections as "new" connections (losing their state, essentially) and thus the SNAT namespace would see this as new traffic and setup a new return path.
Changed in neutron: | |
assignee: | nobody → David-wahlstrom (david-wahlstrom) |
status: | New → In Progress |
Changed in neutron: | |
assignee: | David-wahlstrom (david-wahlstrom) → Brian Haley (brian-haley) |
tags: | added: neutron-proactive-backport-potential |
tags: | added: neutron-easy-proactive-backport-potential |
tags: | removed: neutron-easy-proactive-backport-potential neutron-proactive-backport-potential |
To add more to this, what we believe is happening is that under heavy load we see single packets occasionally flood all ports of a bridge (as would also happen under normal circumstances should an L3 adjacency age out). When that single packet floods, it hits the vxlan interface and is eventually forwarded on to the SNAT server where it is happily forwarded along to the client endpoint. When the client receives this packet (which is sourced from the backup SNAT IP address, rather than the floating IP which the client has been talking to all along), it sends a TCP RST packet, effectively terminating the in-progress TCP flow. Neutron uses connection tracking to drop INVALID packets, but because of the default conntrack behavior of automatically creating connection tracking entries for anything that looks like an active connection, those rules are nearly always bypassed.