Gateway_less_Fwd: When IP-Fabric VN is configured as provider network over vn1 and vn2, without policy, routes of other compute node VMs are getting leaked between vn1 and vn2

Bug #1712245 reported by Chandra Sekhar Reddy Mallam
This bug affects 1 person
Affects: Juniper Openstack (status tracked in Trunk)
Series: Trunk
Status: Fix Committed
Importance: High
Assigned to: Hari Prasad Killi

Bug Description

When IP-Fabric VN is configured as provider network over vn1 and vn2, without policy, routes of other compute node VMs are getting leaked between VNs.

Able to ping VM1 (vn1) from one compute to VM2 (vn2) in another compute.

Build
------
R4.1.0.0 Build 23 Ubuntu 14.04 Mitaka

Topology
--------
Control/config/analytics node :nodei15
Compute nodes : nodek11, nodec23 and nodeb3

Steps
-----
1. Create vn1 (10.10.10.0/24) and vn2 (20.20.20.0/24) and configure the IP Fabric network as provider network over both vn1 and vn2.
2. Now, launch a couple of VMs on both the VNs across compute nodes (say VM1 (compute1): 10.10.10.3/24, VM2 (compute1): 20.20.20.3/24, VM3 (compute2): 10.10.10.4/24, VM4 (compute2): 20.20.20.4/24).
3. Now, ping to VM4 from VM1 is successful without any policy between VNs. Similar case on another compute also.

Below is the flow:

root@nodek11:~# flow --match 20.20.20.4
Flow table(size 80609280, entries 629760)

Entries: Created 59 Added 59 Deleted 72 Changed 76 Processed 59 Used Overflow entries 0
(Created Flows/CPU: 3 3 3 3 3 3 2 9 0 1 0 0 0 0 0 0 4 6 5 3 4 2 5 0 0 0 0 0 0 0 0 0)(oflows 0)

Action:F=Forward, D=Drop N=NAT(S=SNAT, D=DNAT, Ps=SPAT, Pd=DPAT, L=Link Local Port)
 Other:K(nh)=Key_Nexthop, S(nh)=RPF_Nexthop
 Flags:E=Evicted, Ec=Evict Candidate, N=New Flow, M=Modified Dm=Delete Marked
TCP(r=reverse):S=SYN, F=FIN, R=RST, C=HalfClose, E=Established, D=Dead

Listing flows matching ([20.20.20.4]:*)

    Index Source:Port/Destination:Port Proto(V)
-----------------------------------------------------------------------------------
   126504<=>316740 10.10.10.3:28929 1 (0)
                         20.20.20.4:0
(Gen: 1, K(nh):38, Action:F, Flags:, QOS:-1, S(nh):38, Stats:68/6664,
 SPort 65478, TTL 0, Sinfo 8.0.0.0)

   316740<=>126504 20.20.20.4:28929 1 (0)
                         10.10.10.3:0
(Gen: 1, K(nh):38, Action:F, Flags:, QOS:-1, S(nh):14, Stats:68/5712,
 SPort 55678, TTL 0, Sinfo 0.0.0.0)

root@nodek11:~#

Tags: vrouter
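
A check for the symptom shown in the flow listing above, as an added example that is not part of the original bug report or the Contrail code base: it parses `flow` output and reports forwarded flows whose endpoints fall in different VNs with no policy between them. The VN subnets and the first two flows come from the report; the last two sample flows and the names `VNS`, `FLOW_RE`, `vn_of` and `leaked_flows` are constructed for illustration.

```python
import ipaddress
import re

# VN subnets from the reproduction steps in the report.
VNS = {"vn1": ipaddress.ip_network("10.10.10.0/24"),
       "vn2": ipaddress.ip_network("20.20.20.0/24")}

# First two entries are the flows from the report; the last two are constructed.
SAMPLE = """\
   126504<=>316740 10.10.10.3:28929 1 (0)
                         20.20.20.4:0
(Gen: 1, K(nh):38, Action:F, Flags:, QOS:-1, S(nh):38, Stats:68/6664,
 SPort 65478, TTL 0, Sinfo 8.0.0.0)

   316740<=>126504 20.20.20.4:28929 1 (0)
                         10.10.10.3:0
(Gen: 1, K(nh):38, Action:F, Flags:, QOS:-1, S(nh):14, Stats:68/5712,
 SPort 55678, TTL 0, Sinfo 0.0.0.0)

   200100<=>200200 10.10.10.3:40000 6 (0)
                         10.10.10.4:22
(Gen: 1, K(nh):38, Action:F, Flags:, QOS:-1, S(nh):38, Stats:10/800,
 SPort 50000, TTL 0, Sinfo 8.0.0.0)

   300100<=>300200 20.20.20.3:1234 17 (0)
                         10.10.10.4:53
(Gen: 1, K(nh):40, Action:D, Flags:, QOS:-1, S(nh):40, Stats:0/0,
 SPort 50001, TTL 0, Sinfo 0.0.0.0)
"""

# Index line, destination line, then the first letter of Action: in the details.
FLOW_RE = re.compile(
    r"^\s*(\d+)<=>\d+\s+([\d.]+):\d+\s+\d+\s+\(\d+\)\s*\n"
    r"\s*([\d.]+):\d+\s*\n\(.*?Action:([A-Z])", re.M | re.S)

def vn_of(ip, vns):
    """Name of the VN whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in vns.items() if addr in net), None)

def leaked_flows(text, vns, allowed=frozenset()):
    """Forwarded (Action:F) flows between two different VNs not paired in allowed."""
    hits = []
    for idx, src, dst, action in FLOW_RE.findall(text):
        a, b = vn_of(src, vns), vn_of(dst, vns)
        if action == "F" and a and b and a != b and frozenset((a, b)) not in allowed:
            hits.append((int(idx), src, dst, a, b))
    return hits

if __name__ == "__main__":
    print(leaked_flows(SAMPLE, VNS))
```

Pass the VN pairs that do have a network policy as `allowed` (a set of `frozenset` pairs) so that only policy-less cross-VN forwarding is reported.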
summary: Gateway_less_Fwd: When IP-Fabric VN is configured as provider network
- over vn1 and vn2, ping from VM in vn1 to VM in vn2 fails when both the
- VMs are in same compute
+ over vn1 and vn2, with out policy routes of other compute node VMs
+ getting leaked between vn1 and vn2
description: updated
description: updated
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/35262
Submitter: Naveen N (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/35262
Committed: http://github.com/Juniper/contrail-controller/commit/7b0507e3b3cb7b1e350125b2bd75b0277efd9db4
Submitter: Zuul (<email address hidden>)
Branch: master

commit 7b0507e3b3cb7b1e350125b2bd75b0277efd9db4
Author: Naveen N <email address hidden>
Date: Tue Sep 5 13:08:09 2017 +0530

* Publish floating-ip route with proper encapsulation

1> Correct dependency manager to take care of forwarding-vrf change
2> Remove route in fabric VRF when forwarding vrf config is deleted
3> Pick VN, SG and tag list from policy fabric VRF only, if route is
not found in policy fabric VRF, use empty list instead of picking
from default VRF.
Test case for same.
Closes-bug:#1711077
Closes-bug:#1712000
Closes-bug:#1711527
Closes-bug:#1712245

Change-Id: Ibee3d79613a118d2e8838bd07b17ca4bca8df186

Nischal Sheth (nsheth)
information type: Proprietary → Public