Modification of ICMP in/out rule along with bi rule causes traffic to stop

Bug #1502252 reported by Biju Varghese
Affects: Openstack APIC
Status: Incomplete
Importance: Undecided
Assigned to: puppet-py

Bug Description

Hitting an issue when trying to update a policy rule set with new ICMP rules. After this, traffic does not go through.

The policy rule set has an ICMP policy rule applied in IN and OUT direction. Now I’m adding another ICMP bi direction rule to the same policy rule set.
Post this I see that the traffic stops. If I remove the bi direction rule or both the in/out direction rule from the policy rule set, traffic goes through again.

When the rule ICMP IN and OUT is set, I see the following policies getting incremented on the leaf side.

sg1-leaf-2# sh system internal policy-mgr stats | grep -i 2392065 | grep -i 5476 | grep -i f-5 | grep -v "Ingress: 0"
Rule (4348) DN (sys/actrl/scope-2392065/rule-2392065-s-21-d-5476-f-5) Ingress: 170, Egress: 0
Rule (4444) DN (sys/actrl/scope-2392065/rule-2392065-s-5476-d-21-f-5) Ingress: 33, Egress: 0

After adding the BI policy, one of the rules goes missing and I don’t see the traffic hitting the policy.
sg1-leaf-2# sh system internal policy-mgr stats | grep -i 2392065 | grep -i 5476 | grep -i f-5 | grep -v "Ingress: 0"
Rule (4348) DN (sys/actrl/scope-2392065/rule-2392065-s-21-d-5476-f-5) Ingress: 196, Egress: 0

Looks like the following policy is hit. Confirmed based on the number of packets sent.

sg1-leaf-2# sh system internal policy-mgr stats | grep -i implicit | grep -v "Ingress: 0"
Rule (4098) DN (sys/actrl/scope-2097152/rule-2097152-s-any-d-any-f-implicit) Ingress: 8, Egress: 0
Rule (4099) DN (sys/actrl/scope-2097152/rule-2097152-s-any-d-16390-f-implicit) Ingress: 2, Egress: 0
Rule (4110) DN (sys/actrl/scope-2097152/rule-2097152-s-any-d-32771-f-implicit) Ingress: 2, Egress: 0
Rule (4121) DN (sys/actrl/scope-2097152/rule-2097152-s-any-d-49154-f-implicit) Ingress: 2, Egress: 0
Rule (4132) DN (sys/actrl/scope-2097152/rule-2097152-s-any-d-16388-f-implicit) Ingress: 2, Egress: 0
Rule (4143) DN (sys/actrl/scope-2686977/rule-2686977-s-any-d-any-f-implicit) Ingress: 2, Egress: 0
Rule (4144) DN (sys/actrl/scope-2686977/rule-2686977-s-any-d-32773-f-implicit) Ingress: 2, Egress: 0
Rule (4155) DN (sys/actrl/scope-2686977/rule-2686977-s-any-d-32775-f-implicit) Ingress: 2, Egress: 0
Rule (4166) DN (sys/actrl/scope-2686977/rule-2686977-s-any-d-16388-f-implicit) Ingress: 2, Egress: 0
Rule (4177) DN (sys/actrl/scope-2686977/rule-2686977-s-any-d-16389-f-implicit) Ingress: 1, Egress: 0
Rule (4202) DN (sys/actrl/scope-2392065/rule-2392065-s-any-d-any-f-implicit) Ingress: 2245, Egress: 0 => This one.

The filters are set correctly in the APIC.

Jishnu's update:
Root-Cause: On update the direction of the policy-rule is getting set to ‘2’ (means: only OUT direction) for all rules associated to the contract. That’s what is received by the opflex-agent on the comp-node from the opflex-proxy in the leaf. Hence traffic loss.

Tags: gbp
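
The manual comparison in the description (a per-direction rule disappearing while the scope's implicit any-any counter climbs) can be automated. The following is an added example, not part of the original report or of any Cisco or OpenStack tooling; the line format is taken from the output above, the reading of s/d/f as source, destination and filter is an assumption, and the "before" value of the implicit counter is constructed.

```python
import re

# Line format as it appears in the `policy-mgr stats` output quoted in the report.
# Assumption: s-/d-/f- in the DN are source, destination and filter identifiers.
RULE_RE = re.compile(
    r"Rule \(\d+\) DN \((sys/actrl/scope-(\d+)/rule-\d+-s-(\w+)-d-(\w+)-f-(\w+))\)"
    r" Ingress: (\d+), Egress: \d+"
)

def parse_stats(text):
    """Map each rule DN to its scope, src, dst, filter and ingress counter."""
    rules = {}
    for m in RULE_RE.finditer(text):
        dn, scope, src, dst, flt, ingress = m.groups()
        rules[dn] = {"scope": scope, "src": src, "dst": dst,
                     "flt": flt, "ingress": int(ingress)}
    return rules

def diff_snapshots(before, after):
    """Return (rule DNs that vanished, {scope: growth of implicit any-any hits})."""
    b, a = parse_stats(before), parse_stats(after)
    missing = sorted(dn for dn in b if dn not in a)
    fallback = {}
    for dn, r in a.items():
        if r["flt"] == "implicit" and r["src"] == "any" and r["dst"] == "any":
            delta = r["ingress"] - b.get(dn, {"ingress": 0})["ingress"]
            if delta > 0:
                fallback[r["scope"]] = delta
    return missing, fallback

# Snapshot before the BI rule was added. The two f-5 lines are from the report;
# the implicit counter value (2000) is constructed for the example.
BEFORE = """\
Rule (4348) DN (sys/actrl/scope-2392065/rule-2392065-s-21-d-5476-f-5) Ingress: 170, Egress: 0
Rule (4444) DN (sys/actrl/scope-2392065/rule-2392065-s-5476-d-21-f-5) Ingress: 33, Egress: 0
Rule (4202) DN (sys/actrl/scope-2392065/rule-2392065-s-any-d-any-f-implicit) Ingress: 2000, Egress: 0
"""
# Snapshot after the BI rule was added (both lines are from the report).
AFTER = """\
Rule (4348) DN (sys/actrl/scope-2392065/rule-2392065-s-21-d-5476-f-5) Ingress: 196, Egress: 0
Rule (4202) DN (sys/actrl/scope-2392065/rule-2392065-s-any-d-any-f-implicit) Ingress: 2245, Egress: 0
"""

if __name__ == "__main__":
    missing, fallback = diff_snapshots(BEFORE, AFTER)
    print("rules missing after update:", missing)
    print("implicit any-any growth per scope:", fallback)
```

A vanished rule together with implicit-rule growth in the same scope is the signature described in this report; either signal alone can have other causes.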
Ivar Lazzaro (mmaleckk) wrote :

Jishnu,

Is this an opflex agent or proxy issue? Can you follow up on this?

Changed in openstack-apic:
status: New → Incomplete
assignee: nobody → puppet-py (jbanerje)
Thomas Flynn (tom-flynn) wrote :

This was a proxy issue. It has been fixed in build 1.1(4c).
