Guest

Preview Tool

Cisco Bug: CSCvs79525 - OSPD Unified Plugin: Instance cannot reach its floating ip address.

Last Modified

Jun 17, 2020

Products (1)

  • Cisco Application Policy Infrastructure Controller (APIC)

Known Affected Releases

4.2(1a) 4.2(4.17a)

Description (partial)

Symptom:
An instance provisioned with a floating IP address will not be able to reach its floating IP address directly from the instance.

The issue arises only for traffic that is looped back, such as a virtual machine to its FIP. This traffic never leaves a br-fabric and is looped back. The root cause is to get a reply from itself, the traffic is mirrored in the br-fabric, making it appear to the virtual machine that it is a request from the FIP to the virtual machine. The response from the virtual machine to the FIP is again mirrored like a response from the FIP to the virtual machine. This should match against the original request.

This used to work before Conntrack was made to be truly reflexive because the response packets were not being checked properly. After the packets began to be checked correctly in the 4.2 plugin, this issue occurred because Conntrack creates 2 flows with the exact same 5 tuple. This messes up the Conntrack state and returns the wrong flags.

The fix is to bypass table 2 and 3 of Conntrack, and security groups for loopback traffic that should never show up on the wire.

Conditions:
- OSPD 13, Unified plugin 4.2.1.
- instance provisioned with a floating ip address.
- instance trying to access itself through its floating ip address
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.