
VR reply packets - interface mismatch

Open nvazquez opened this issue 2 years ago • 2 comments

ISSUE TYPE
  • Bug Report
COMPONENT NAME
VR
CLOUDSTACK VERSION
4.14.1 and onwards
CONFIGURATION

Advanced networking with at least 2 public ranges. Network with one source NAT IP on one range, enable static NAT IP from the other public range.

OS / ENVIRONMENT

Tested with VMware 6.7

SUMMARY

The outgoing traffic for VMs goes from one VR interface when the request is initiated within the VM; however, if the request comes from the internet to the static NAT IP, then the reply goes from a different VR interface.

STEPS TO REPRODUCE
- Add an additional public range on the physical network for a zone
- Create a network and deploy a VM on it
- Acquire an additional public IP from the new range on the network
- Enable static NAT on the new IP
- Verify a new VR interface has been created
- (if necessary enable egress rules)
- From within the VM, ping a server outside the network -> Verify the traffic on the VR goes through one interface (for example with tcpdump)
- From outside the network, ping the VM static NAT IP -> Verify the request on the VR arrives at the same interface as in the step above but the reply is sent through a different interface
EXPECTED RESULTS
Same interface is used for the outgoing traffic
ACTUAL RESULTS
root@r-18-VM:~# tcpdump -i eth4 icmp -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth4, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:23:45.383531 IP 10.0.3.251 > 10.0.80.37: ICMP echo request, id 9332, seq 72, length 64
16:23:46.383363 IP 10.0.3.251 > 10.0.80.37: ICMP echo request, id 9332, seq 73, length 64
16:23:47.394501 IP 10.0.3.251 > 10.0.80.37: ICMP echo request, id 9332, seq 74, length 64
16:23:48.389304 IP 10.0.3.251 > 10.0.80.37: ICMP echo request, id 9332, seq 75, length 64
16:23:49.394640 IP 10.0.3.251 > 10.0.80.37: ICMP echo request, id 9332, seq 76, length 64

root@r-18-VM:~# tcpdump -i eth2 icmp -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:23:53.407090 IP 10.0.80.37 > 10.0.3.251: ICMP echo reply, id 9332, seq 80, length 64
16:23:54.406632 IP 10.0.80.37 > 10.0.3.251: ICMP echo reply, id 9332, seq 81, length 64
16:23:55.414142 IP 10.0.80.37 > 10.0.3.251: ICMP echo reply, id 9332, seq 82, length 64
16:23:56.411103 IP 10.0.80.37 > 10.0.3.251: ICMP echo reply, id 9332, seq 83, length 64
16:23:57.412352 IP 10.0.80.37 > 10.0.3.251: ICMP echo reply, id 9332, seq 84, length 64

nvazquez, Aug 05 '22 17:08
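An added example, not part of the original report: a Python check that takes per-interface `tcpdump -n` output in the format shown above and reports ICMP flows whose replies leave on an interface that never saw the request. The function names and the dict-of-captures input are assumptions of this example; the sample lines are copied from the two captures in the report.

```python
import re
from collections import defaultdict

# Sample input: a few lines from the report's captures, keyed by the
# interface each tcpdump was run on (eth4 and eth2 in the issue).
CAPTURES = {
    "eth4": """\
16:23:45.383531 IP 10.0.3.251 > 10.0.80.37: ICMP echo request, id 9332, seq 72, length 64
16:23:46.383363 IP 10.0.3.251 > 10.0.80.37: ICMP echo request, id 9332, seq 73, length 64
""",
    "eth2": """\
16:23:53.407090 IP 10.0.80.37 > 10.0.3.251: ICMP echo reply, id 9332, seq 80, length 64
16:23:54.406632 IP 10.0.80.37 > 10.0.3.251: ICMP echo reply, id 9332, seq 81, length 64
""",
}

LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def interfaces_per_flow(captures):
    """Map (requester, responder, icmp_id) -> interfaces seen per direction."""
    flows = defaultdict(lambda: {"request": set(), "reply": set()})
    for iface, text in captures.items():
        for line in text.splitlines():
            m = LINE.match(line)
            if not m:
                continue  # tcpdump banner lines or non-ICMP traffic
            src, dst = m["src"], m["dst"]
            # Normalise direction so request and reply share one key.
            key = (src, dst, m["id"]) if m["kind"] == "request" else (dst, src, m["id"])
            flows[key][m["kind"]].add(iface)
    return flows

def asymmetric_flows(captures):
    """Return flows whose replies appear on an interface that saw no request."""
    result = {}
    for key, seen in interfaces_per_flow(captures).items():
        if seen["request"] and seen["reply"] and not seen["reply"] <= seen["request"]:
            result[key] = (sorted(seen["request"]), sorted(seen["reply"]))
    return result

if __name__ == "__main__":
    for (client, server, icmp_id), (req, rep) in asymmetric_flows(CAPTURES).items():
        print(f"{client} -> {server} id {icmp_id}: request on {req}, reply on {rep}")
```

Flows are matched on the ICMP id rather than the sequence number, so captures taken a few seconds apart on each interface, as in the report, still pair up.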

@weizhouapache did we fix this, or is this a different issue?

DaanHoogland, Aug 08 '22 08:08

@DaanHoogland it is not fixed, I was able to reproduce it on 4.17.0

nvazquez, Aug 08 '22 10:08