[NETVIRT-1175] Dynamic SG addition for TCP is taking time to establish connection

Created: 26/Mar/18
Updated: 15/May/18
Resolved: 15/May/18

Status: Resolved
Project: netvirt
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Medium
Reporter: Y Ananth
Assignee: Unassigned
Resolution: Won't Do
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

We have a three-node neutron-ha cluster.

Adding an SG with a TCP rule to a VM dynamically takes time to establish a connection.

Steps to reproduce issue:

  1. openstack network create network_1 --provider-network-type vxlan
  2. openstack subnet create --network network_1 --subnet-range 30.0.0.0/24 l2_subnet_1
  3. Create SG1 without any rules.
  4. Create SG2 with ingress and egress TCP rules.
  5. openstack server create --image cirros --flavor cirros --nic net-id=network_1 VM1 --security-group SG1
  6. openstack server create --image cirros --flavor cirros --nic net-id=network_1 VM2 --security-group SG1
  7. Log in to VM1 and start listening (nohup nc -v -l -p 1111 &).
  8. Log in to VM2 and send data (nc 30.0.0.12 1111) to VM1.
  9. While communication is ongoing, remove SG1 and SG2 to both VMs and send data (takes time to send data).



 Comments   
Comment by Nishchya Gupta [ 26/Apr/18 ]

Tried the same specified scenario with the master distribution; below are my observations.

After moving the VMs from SG1 to SG2:

  1. The very first packet will take 7-8 seconds.
  2. After that, subsequent packet transfer is immediate.
  3. These are all conntrack traffic, and the very first packet will have to resolve the 5-tuple (this cannot be controlled by ACL).
  4. After that, the subsequent packets just have to do a DB lookup.

As per my observation, the behaviour looks expected.

Please verify the same on master distribution and let us know the behaviour.

Comment by Vinh Nguyen [ 15/May/18 ]

Observed the same behavior as Nishchya. The delay (~10 seconds for me) for the first packet is inherent to conntrack, as expected. It doesn't have any relation to dynamically moving the security group for the VM.
