kjiye
Staff

Incorrect policyid

Policy 7 is defined for port12 to port11, but some packets passing through port10 and port9 are logged as matching policy 7.

Is this a bug or a missed setting?

Can you check what I should do to solve this problem?

  • Firmware version: 6.2.5
  • Packets are sent asymmetrically; FGT asymroute is disabled (HA session share)
  • TP_MODE VDOM
    • the auxiliary-session command does not exist
  • Network diagram

    ---log

    date=2020-10-23 time=16:51:18 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="TPVDOM" eventtime=1603439478704961688 tz="+0900" srcip=10.13.101.116 srcport=60539 srcintf="port10" srcintfrole="undefined" dstip=10.1.200.42 dstport=80 dstintf="port9" dstintfrole="undefined" sessionid=153969815 proto=6 action="client-rst" policyid=7 policytype="policy" poluuid="6c3038e0-89ff-51e7-4930-cd8d2ca52ef8" service="HTTP" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=182 sentbyte=580 rcvdbyte=178 sentpkt=11 appcat="unscanned" mastersrcmac="50:06:ab:bc:de:e7" srcmac="50:06:ab:bc:de:e7" srcserver=0 masterdstmac="6c:b2:ae:01:ea:c1" dstmac="6c:b2:ae:01:ea:c1" dstserver=0

    date=2020-10-23 time=16:51:18 logid="0000000011" type="traffic" subtype="forward" level="warning" vd="TPVDOM" eventtime=1603439478704960735 tz="+0900" srcip=10.13.101.116 srcport=60539 srcintf="port12" srcintfrole="undefined" dstip=10.1.200.42 dstport=80 dstintf="port11" dstintfrole="undefined" sessionid=153969815 proto=6 action="ip-conn" policyid=7 policytype="policy" poluuid="6c3038e0-89ff-51e7-4930-cd8d2ca52ef8" service="HTTP" dstcountry="Reserved" srccountry="Reserved" appcat="unscanned" crscore=5 craction=262144 crlevel="low" mastersrcmac="50:06:ab:bc:de:e7" srcmac="50:06:ab:bc:de:e7" srcserver=0 masterdstmac="6c:b2:ae:01:ea:c1" dstmac="6c:b2:ae:01:ea:c1" dstserver=0

     

    ---policy

    edit 7
        set name "OSPF"
        set uuid 6c3038e0-89ff-51e7-4930-cd8d2ca52ef8
        set srcintf "port12"
        set dstintf "port11"
        set srcaddr "OSPFNei_Group" // this group does not contain 10.13.101.116, the srcip in the log
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next

     

    ---addrgrp

    edit "OSPFNeiGroup"
        set uuid 42b8c808-7dc3-51e7-f125-7757670d4b87
        set member "10.3.241.0/30" "10.3.241.4/30" "10.3.244.0/30" "10.3.244.4/30"

     

    ---ha

    config system ha
        set group-id 14
        set hbdev "port31" 100 "port32" 50
        set session-sync-dev "port29" "port30"
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set session-pickup-nat enable
        set standalone-config-sync enable
        set override disable
    end

     

    ---debug flow on the master device (asymmetric packet with the HA configuration above)

    /* I captured this debug flow for about 30 minutes; this is the only flow using port 60539 that matches the log.

    I assume that the last ACK packet is allowed from port11 to port12, so that packet is logged against policy 7. */

    2020-10-23 16:48:15 id=20085 trace_id=468495 func=print_pkt_detail line=5607 msg="vd-TPVDOM:0 received a packet(proto=6, 10.13.101.116:60539->10.1.200.42:80) from port10. flag , seq 4259137123, ack 0, win 65535"
    2020-10-23 16:48:15 id=20085 trace_id=468495 func=init_ip_session_common line=5777 msg="allocate a new session-092d6497"
    2020-10-23 16:48:15 id=20085 trace_id=468495 func=iprope_dnat_check line=4951 msg="in-[port10], out-[]"
    2020-10-23 16:48:15 id=20085 trace_id=468495 func=iprope_dnat_check line=4964 msg="result: skb_flags-06000000, vid-0, ret-no-match, act-accept, flag-00000000"
    2020-10-23 16:48:15 id=20085 trace_id=468495 func=iprope_fwd_check line=731 msg="in-[port10], out-[port9], skb_flags-06000000, vid-0, app_id: 0, url_cat_id: 0"
    2020-10-23 16:48:15 id=20085 trace_id=468495 func=iprope_tree_check line=554 msg="gnum-100004, use addr/intf hash, len=10"
    2020-10-23 16:48:15 id=20085 trace_id=468495 func=iprope_check_one_policy line=1901 msg="checked gnum-100004 policy-3, ret-no-match, act-accept"
    2020-10-23 16:48:15 id=20085 trace_id=468495 func=iprope_check_one_policy line=1901 msg="checked gnum-100004 policy-78, ret-no-match, act-accept"
    2020-10-23 16:48:15 id=20085 trace_id=468495 func=iprope_check_one_policy line=1901 msg="checked gnum-100004 policy-256, ret-no-match, act-accept"
    2020-10-23 16:48:15 id=20085 trace_id=468495 func=iprope_check_one_policy line=1901 msg="checked gnum-100004 policy-276, ret-matched, act-accept"
    2020-10-23 16:48:15 id=20085 trace_id=468495 func=iprope_user_identity_check line=1709 msg="ret-matched"
    2020-10-23 16:48:15 id=20085 trace_id=468495 func=iprope_check_one_policy line=2120 msg="policy-276 is matched, act-accept"
    2020-10-23 16:48:15 id=20085 trace_id=468495 func=iprope_fwd_auth_check line=786 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-276"
    2020-10-23 16:48:15 id=20085 trace_id=468495 func=br_fw_forward_handler line=572 msg="Allowed by Policy-276:"
    2020-10-23 16:48:15 id=20085 trace_id=468495 func=__if_queue_push_xmit line=393 msg="send out via dev-port9, dst-mac-6c:b2:ae:01:ea:c1"
    2020-10-23 16:48:15 id=20085 trace_id=468497 func=print_pkt_detail line=5607 msg="vd-TPVDOM:0 received a packet(proto=6, 10.13.101.116:60539->10.1.200.42:80) from port10. flag [.], seq 4259137124, ack 3213845332, win 1024"
    2020-10-23 16:48:15 id=20085 trace_id=468497 func=resolve_ip_tuple_fast line=5687 msg="Find an existing session, id-092d6497, original direction"
    2020-10-23 16:48:15 id=20085 trace_id=468497 func=npu_handle_session44 line=1160 msg="Trying to offloading session from port10 to port9, skb.npu_flag=00000400 ses.state=04018200 ses.npu_state=0x00000000"
    2020-10-23 16:48:15 id=20085 trace_id=468497 func=ip_session_install_npu_session line=344 msg="npu session installation succeeded"
    2020-10-23 16:48:15 id=20085 trace_id=468497 func=br_fw_forward_dirty_handler line=289 msg="state=04018200, state2=00000000, npu_state=00000400"
    2020-10-23 16:48:15 id=20085 trace_id=468497 func=__if_queue_push_xmit line=393 msg="send out via dev-port9, dst-mac-6c:b2:ae:01:ea:c1"
    2020-10-23 16:48:16 id=20085 trace_id=468512 func=print_pkt_detail line=5607 msg="vd-TPVDOM:0 received a packet(proto=6, 10.1.200.42:80->10.13.101.116:60539) from port11. flag [.], seq 3213845470, ack 4259139002, win 129"
    2020-10-23 16:48:16 id=20085 trace_id=468512 func=resolve_ip_tuple_fast line=5687 msg="Find an existing session, id-092d6497, reply direction"
    2020-10-23 16:48:16 id=20085 trace_id=468512 func=br_fw_forward_dirty_handler line=272 msg="auxiliary ses proto=6 dev=37->36 10.13.101.116/60539=>10.1.200.42/80"
    2020-10-23 16:48:16 id=20085 trace_id=468512 func=npu_handle_session44 line=1160 msg="Trying to offloading session from port11 to port12, skb.npu_flag=00000400 ses.state=04018200 ses.npu_state=0x00000000"
    2020-10-23 16:48:16 id=20085 trace_id=468512 func=ip_session_install_npu_session line=344 msg="npu session installation succeeded"
    2020-10-23 16:48:16 id=20085 trace_id=468512 func=br_fw_forward_dirty_handler line=289 msg="state=04018200, state2=00000000, npu_state=00000800"
    2020-10-23 16:48:16 id=20085 trace_id=468512 func=__if_queue_push_xmit line=393 msg="send out via dev-port12, dst-mac-50:06:ab:f5:6d:67"

     

    +note

    The session below is not the same session as the debug flow above, but it is a session whose reflect info refers to policy 7, so it is attached for reference.

    session info: proto=6 proto_state=01 duration=334 expire=3537 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
    state=log may_dirty br npu f00 f02 syn_ses
    statistic(bytes/packets/allow_err): org=112/2/1 reply=88/2/1 tuples=2
    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
    orgin->sink: org pre->post, reply pre->post dev=37->38/36->39 gwy=0.0.0.0/0.0.0.0
    hook=pre dir=org act=noop 10.13.101.156:52874->10.1.200.42:80(0.0.0.0:0)
    hook=post dir=reply act=noop 10.1.200.42:80->10.13.101.156:52874(0.0.0.0:0)
    pos/(before,after) 0/(0,0), 0/(0,0)
    misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=3
    serial=091cff81 tos=ff/ff app_list=0 app=0 url_cat=0
    rpdb_link_id = 00000000 ngfwid=n/a
    dd_type=0 dd_mode=0
    npu_state=00000000
    npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
    vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
    no_ofld_reason:
    reflect info 0:
    dev=37->36/36->37
    npu_state=0x000800
    npu info: flag=0x00/0x81, offload=0/8, ips_offload=0/0, epid=0/174, ipid=0/173, vlan=0x0000/0x0000
    vlifid=0/173, vtag_in=0x0000/0x0000 in_npu=0/2, out_npu=0/2, fwd_en=0/0, qid=0/7
    total reflect session num: 1

    Best regards,
    Jiye Kim
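Added example (not part of the post above, and not Fortinet code): a small Python audit that reads FortiGate key=value traffic logs next to the policy and address-group config and reports, per log record, whether the interface pair and source IP actually fit the policy named in policyid, plus any session ID that was logged on more than one interface pair, which is the symptom described above. The two log lines are copied from the post and trimmed to the fields the audit reads. Assumptions: the policy's srcaddr and the addrgrp are one object (the post spells it "OSPFNei_Group" and "OSPFNeiGroup"; the example uses the first), and each group member is an address object whose name is the subnet it holds.

```python
"""Audit FortiGate traffic logs against the policy they report matching.

Added example, not code from the original post or from Fortinet.
"""
import ipaddress
import re
import shlex

# Constructed sample: the post's two log lines, trimmed to the fields used here.
LOG_LINES = [
    'date=2020-10-23 time=16:51:18 logid="0000000013" type="traffic" vd="TPVDOM" '
    'srcip=10.13.101.116 srcport=60539 srcintf="port10" dstip=10.1.200.42 dstport=80 '
    'dstintf="port9" sessionid=153969815 proto=6 action="client-rst" policyid=7',
    'date=2020-10-23 time=16:51:18 logid="0000000011" type="traffic" vd="TPVDOM" '
    'srcip=10.13.101.116 srcport=60539 srcintf="port12" dstip=10.1.200.42 dstport=80 '
    'dstintf="port11" sessionid=153969815 proto=6 action="ip-conn" policyid=7',
]

# Policy and addrgrp from the post. ASSUMPTIONS: one group name ("OSPFNei_Group")
# for both blocks, and member objects named after the subnet they contain.
CONFIG = """
config firewall policy
    edit 7
        set name "OSPF"
        set srcintf "port12"
        set dstintf "port11"
        set srcaddr "OSPFNei_Group"
        set dstaddr "all"
        set action accept
    next
end
config firewall addrgrp
    edit "OSPFNei_Group"
        set member "10.3.241.0/30" "10.3.241.4/30" "10.3.244.0/30" "10.3.244.4/30"
    next
end
"""


def parse_fortios_config(text):
    """Flat config/edit/set/next/end parser -> {table: {entry: {key: [values]}}}.
    Nested 'config' blocks inside an 'edit' are not needed here and not handled."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        parts = shlex.split(raw)          # handles the quoted values
        if not parts:
            continue
        if parts[0] == "config":
            table = " ".join(parts[1:])
            tables.setdefault(table, {})
        elif parts[0] == "edit" and table is not None:
            entry = parts[1]
            tables[table].setdefault(entry, {})
        elif parts[0] == "set" and entry is not None:
            tables[table][entry][parts[1]] = parts[2:]
        elif parts[0] == "next":
            entry = None
        elif parts[0] == "end":
            table = None
    return tables


def parse_log_line(line):
    """Split a key=value log line into a dict, unquoting quoted values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def expand_addrs(names, addrgrps, seen=None):
    """Resolve policy address names to ip_network objects, recursing into groups."""
    seen = set() if seen is None else seen
    nets = []
    for name in names:
        if name == "all":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif name in addrgrps and name not in seen:
            seen.add(name)                # guard against group cycles
            nets.extend(expand_addrs(addrgrps[name].get("member", []), addrgrps, seen))
        else:
            nets.append(ipaddress.ip_network(name, strict=False))  # assumed subnet-named object
    return nets


def audit(log_lines, config):
    """One finding per log record listing what contradicts the referenced policy."""
    policies = config.get("firewall policy", {})
    addrgrps = config.get("firewall addrgrp", {})
    findings = []
    for line in log_lines:
        rec = parse_log_line(line)
        pol = policies.get(rec.get("policyid"))
        problems = []
        if pol is None:
            problems.append("policyid %s not in config" % rec.get("policyid"))
        else:
            if rec["srcintf"] not in pol.get("srcintf", []) or rec["dstintf"] not in pol.get("dstintf", []):
                problems.append("intf %s->%s not in policy %s->%s" % (
                    rec["srcintf"], rec["dstintf"],
                    "/".join(pol.get("srcintf", [])), "/".join(pol.get("dstintf", []))))
            src = ipaddress.ip_address(rec["srcip"])
            if not any(src in n for n in expand_addrs(pol.get("srcaddr", []), addrgrps)):
                problems.append("srcip %s not in srcaddr %s" % (rec["srcip"], pol.get("srcaddr")))
        findings.append({"sessionid": rec["sessionid"], "policyid": rec["policyid"],
                         "srcintf": rec["srcintf"], "dstintf": rec["dstintf"],
                         "problems": problems})
    return findings


def split_sessions(findings):
    """Session IDs logged on more than one interface pair (the asymmetric case)."""
    pairs = {}
    for f in findings:
        pairs.setdefault(f["sessionid"], set()).add((f["srcintf"], f["dstintf"]))
    return {sid: sorted(p) for sid, p in pairs.items() if len(p) > 1}


def run_audit():
    """Run the audit over the embedded sample; returns (findings, split sessions)."""
    findings = audit(LOG_LINES, parse_fortios_config(CONFIG))
    return findings, split_sessions(findings)


if __name__ == "__main__":
    findings, split = run_audit()
    for f in findings:
        print(f["sessionid"], f["srcintf"], "->", f["dstintf"], "policy", f["policyid"], f["problems"])
    print("sessions logged on more than one interface pair:", split)
```

Run against the post's data, the port10->port9 record is flagged on both the interface pair and the source address, the port12->port11 record only on the source address, and session 153969815 shows up under two interface pairs; on a real box the same audit can be run over a day of exported logs with the full `show firewall policy` / `show firewall addrgrp` output to see how widespread the mismatch is before opening a ticket.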