To-analyzer packets dropped due to analyzer port not bound to any SG
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Juniper Openstack |
Invalid
|
High
|
Sachin Bansal | ||
| R3.0 |
Invalid
|
High
|
Sachin Bansal | ||
Bug Description
R3.0.2.0 Build 26
In UI, Monitor> Debug,
Created a analyzer ana3 with VN net1 (Specified net1 is both "Virtual Network" and "Associated Networks" fields)
Did not create any rule.
On another port 10.1.1.12 on the same VN, added this analyzer as the mirror destination.
We see that the port of the analyzer VM 10.1.1.99 is not associated with any SG. Packets desitned to the analyzer are getting dropped
root@nodei27:~# neutron port-list |grep 10.1.1.99
neut| ffb72d8a-
root@nodei27:~# neutron port-show ffb72d8a-
+------
| Field | Value |
+------
| admin_state_up | True |
| binding:host_id | nodel9 |
| binding:vif_details | {"port_filter": true} |
| binding:vif_type | vrouter |
| binding:vnic_type | normal |
| device_id | 9af8ba71-
| device_owner | compute:None |
| fixed_ips | {"subnet_id": "d467bf8f-
| id | ffb72d8a-
| mac_address | 02:17:8a:f4:7f:3b |
| name | default-
| network_id | bff6fdec-
| security_groups | |
| status | ACTIVE |
| tenant_id | 1b18515d8f874b0
+------
root@nodei27:~#
2380732<=>1097272 10.1.1.6:8097 17 (1)
(Gen: 45, K(nh):72, Action:D(Unknown), Flags:, S(nh):72, Stats:0/0, SPort 62260)
2443136<=>1416641 10.1.1.12:8097 17 (1)
(Gen: 21, K(nh):87, Action:D(Unknown), Flags:, S(nh):87, Stats:0/0, SPort 56895)
| Sachin Bansal (sbansal) wrote | #1 |
| Changed in juniperopenstack: | |
| status: | New → Incomplete |
| Vedamurthy Joshi (vedujoshi) wrote | #2 |
| Changed in juniperopenstack: | |
| status: | Incomplete → Invalid |
If there is no SG attached to a port, it will allow communication from everything. Can you check the SGs using VNC API to make sure that is the case. Also, how did you determine that the packets were dropped because of SG? The flow output shows Action:D(Unknown).