traffic with in-network SI getting dropped when analyzer action is applied

Bug #1590701 reported by Vedamurthy Joshi
Affects: Juniper Openstack
Status: New
Importance: High
Assigned to: Vedamurthy Joshi

Bug Description

R2.21.2 Build 41 Ubuntu 14.04 Juno

vn1-vn3-policy-1 has associated Networks private-vn3 private-vn1 with rule:
pass protocol any network private-vn1 ports any <> network private-vn3 ports any services in-network-si-1 mirror analyzer-1

vn1-vn2-policy-1 has associated Networks private-vn1 private-vn2 with rule:
pass protocol any network private-vn1 ports any <> network private-vn2 ports any services trans-si-1

private-vn1(10.1.1.0/24) is bound to vn1-vn2-policy-1, vn1-vn3-policy-1
private-vn3(30.1.1.0/24) is bound to vn1-vn3-policy-1

Ping traffic from 10.1.1.3 to 30.1.1.3 is failing due to "Invalid Source" drops.

If I remove the mirror action from vn1-vn3-policy-1, things are fine.

From the control-node introspect, Naveen helped me identify in IFMap that the policy rule for private-vn1<->private-vn3 traffic has only the mirror action and no action for the SI:

http://nodec7:8083/Snh_IFMapTableShowReq?table_name=access-control-list&search_string=

  <acl-rule>
   <match-condition>
    <protocol>any</protocol>
    <src-address>
     <subnet>
      <ip-prefix></ip-prefix>
      <ip-prefix-len>0</ip-prefix-len>
     </subnet>
     <virtual-network>default-domain:admin:private-vn1</virtual-network>
     <security-group></security-group>
     <network-policy></network-policy>
    </src-address>
    <src-port>
     <start-port>-1</start-port>
     <end-port>-1</end-port>
    </src-port>
    <dst-address>
     <subnet>
      <ip-prefix></ip-prefix>
      <ip-prefix-len>0</ip-prefix-len>
     </subnet>
     <virtual-network>default-domain:admin:private-vn3</virtual-network>
     <security-group></security-group>
     <network-policy></network-policy>
    </dst-address>
    <dst-port>
     <start-port>-1</start-port>
     <end-port>-1</end-port>
    </dst-port>
    <ethertype></ethertype>
   </match-condition>
   <action-list>
    <simple-action>pass</simple-action>
    <gateway-name></gateway-name>
    <mirror-to>
     <analyzer-name>default-domain:admin:analyzer-1</analyzer-name>
     <encapsulation></encapsulation>
     <analyzer-ip-address>30.1.1.5</analyzer-ip-address>
     <routing-instance></routing-instance>
     <udp-port>0</udp-port>
    </mirror-to>
    <assign-routing-instance></assign-routing-instance>
   </action-list>
   <rule-uuid>2a85c71b-ec25-4580-8be5-50975e1efe2b</rule-uuid>
  </acl-rule>

env.roledefs = {
    'all': [host1, host2, host3, host4, host5, host6],
    'cfgm': [host1, host2, host3],
    'openstack': [host1],
    'webui': [host2],
    'control': [host1, host2, host3],
    'compute': [host4, host5, host6],
    'collector': [host1, host2, host3],
    'database': [host1, host2, host3],
    'build': [host_build],
}

env.hostnames = {
    'all': ['nodec7', 'nodec8', 'nodeg36', 'nodei1', 'nodei2', 'nodei3']
}
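An added check, not part of this report or the Contrail project, that parses the kind of IFMap ACL introspect output quoted above and flags rules between a VN pair whose action-list carries nothing beyond pass/deny, gateway and mirror-to, which is the compiled state described in this bug. The embedded XML is a trimmed copy of the rule above, and the set of non-service action element names is an assumption drawn from what is visible in that output.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the acl-rule quoted in the report, trimmed to the fields used here.
ACL_XML = """<access-control-list>
 <acl-rule>
  <match-condition>
   <src-address><virtual-network>default-domain:admin:private-vn1</virtual-network></src-address>
   <dst-address><virtual-network>default-domain:admin:private-vn3</virtual-network></dst-address>
  </match-condition>
  <action-list>
   <simple-action>pass</simple-action>
   <gateway-name></gateway-name>
   <mirror-to>
    <analyzer-name>default-domain:admin:analyzer-1</analyzer-name>
    <analyzer-ip-address>30.1.1.5</analyzer-ip-address>
   </mirror-to>
   <assign-routing-instance></assign-routing-instance>
  </action-list>
  <rule-uuid>2a85c71b-ec25-4580-8be5-50975e1efe2b</rule-uuid>
 </acl-rule>
</access-control-list>"""

# Action elements that never steer a flow into a service chain on their own
# (assumed from the element names visible in the introspect output).
NON_SERVICE_ACTIONS = {"simple-action", "gateway-name", "mirror-to"}

def _has_content(elem):
    """True if the element or any descendant carries non-empty text."""
    return any((e.text or "").strip() for e in elem.iter())

def populated_actions(rule):
    """Names of action-list children that actually carry a value."""
    return [child.tag for child in rule.find("action-list") if _has_content(child)]

def rules_missing_service_action(xml_text, vn_a, vn_b):
    """rule-uuids of acl-rules between vn_a and vn_b (either direction) whose
    action-list holds nothing beyond pass/deny, gateway and mirroring, i.e. a
    policy rule that names a service but was compiled without a service action."""
    missing = []
    for rule in ET.fromstring(xml_text).iter("acl-rule"):
        match = rule.find("match-condition")
        endpoints = {match.findtext("src-address/virtual-network"),
                     match.findtext("dst-address/virtual-network")}
        if endpoints != {vn_a, vn_b}:
            continue
        if not set(populated_actions(rule)) - NON_SERVICE_ACTIONS:
            missing.append(rule.findtext("rule-uuid"))
    return missing
```

Run against a full `Snh_IFMapTableShowReq` dump for the access-control-list table, a non-empty result for the vn1/vn3 pair reproduces the condition reported here; an empty result means every rule between the pair carries some service or routing-instance action.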

Tags: config
Sachin Bansal (sbansal)
Changed in juniperopenstack:
assignee: Sachin Bansal (sbansal) → Suresh Balineni (sbalineni)
Sachin Bansal (sbansal)
Changed in juniperopenstack:
assignee: Suresh Balineni (sbalineni) → Sahil Sabharwal (ssabharwal)
Sahil Sabharwal (ssabharwal) wrote :

I was not able to re-create this issue in my setup. Ping traffic from VN1 to VN2 is succeeding.

Sachin Bansal (sbansal)
Changed in juniperopenstack:
assignee: Sahil Sabharwal (ssabharwal) → Vedamurthy Joshi (vedujoshi)