SYN packet is not tracked by netfilter_conntrack and dropped when the RST returns

Solution Verified

Issue

  • When the VMs are placed on the same compute node, the SYN packet is not tracked by netfilter_conntrack, so when the RST packet returns it does not match any existing flow and is dropped.

  • Steps to Reproduce:

    • Deployed two instances with the default security group.
    • Flushed iptables on both instances.
    • From the source VM (addr: 192.168.22.4):
[cloud-user@host00 ~]$ telnet  192.168.22.3 56699
Trying 192.168.22.3...

[cloud-user@host00 ~]$ sudo tcpdump -vv -i eth0 |grep -i 56699
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
====
    host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0x00c7 (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692727282 ecr 0,nop,wscale 7], length 0
    host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0xfcde (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692728282 ecr 0,nop,wscale 7], length 0
    host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0xf50e (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692730282 ecr 0,nop,wscale 7], length 0
    host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0xe56e (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692734282 ecr 0,nop,wscale 7], length 0
    host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0xc62e (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692742282 ecr 0,nop,wscale 7], length 0

====


On the destination instance:

[cloud-user@host12 ~]$ sudo tcpdump -v -i eth0 |grep -i 56699
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
=====
    host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0x00c7 (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692727282 ecr 0,nop,wscale 7], length 0
    host-192-168-22-3.openstacklocal.56699 > host-192-168-22-4.openstacklocal.36709: Flags [R.], cksum 0xf8da (correct), seq 0, ack 3646210919, win 0, length 0
    host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0xfcde (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692728282 ecr 0,nop,wscale 7], length 0
    host-192-168-22-3.openstacklocal.56699 > host-192-168-22-4.openstacklocal.36709: Flags [R.], cksum 0xf8da (correct), seq 0, ack 1, win 0, length 0
    host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0xf50e (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692730282 ecr 0,nop,wscale 7], length 0
    host-192-168-22-3.openstacklocal.56699 > host-192-168-22-4.openstacklocal.36709: Flags [R.], cksum 0xf8da (correct), seq 0, ack 1, win 0, length 0
    host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0xe56e (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692734282 ecr 0,nop,wscale 7], length 0


From the hypervisor:

[root@dell-per210-4 ~]# iptables -nvL|grep -i 'Chain neutron-openvswi-i6272f76d-d' -A 2 
Chain neutron-openvswi-i6272f76d-d (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    5   200 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
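
One way to confirm the symptom from the two guest captures, as an added example that is not part of the original article: the script pairs each SYN flow seen on the source with the RSTs seen on the destination and reports flows whose RSTs never arrive. The shortened capture lines, the control flow on port 8080 and all function names are constructed for illustration.

```python
import re
from collections import Counter

# tcpdump TCP line: "<src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE = re.compile(r"^\s*(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def parse(capture):
    """Yield (src, sport, dst, dport, flags) for each TCP line of tcpdump text."""
    for line in capture.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groups()

def lost_resets(src_capture, dst_capture):
    """Map each client->server flow whose RSTs leave the destination but never
    reach the source to (syns_sent, rsts_emitted, rsts_received)."""
    syns, rst_out, rst_in = Counter(), Counter(), Counter()
    for src, sp, dst, dp, flags in parse(src_capture):
        if flags == "S":                      # bare SYN, not SYN-ACK ("S.")
            syns[(src, sp, dst, dp)] += 1
        elif "R" in flags:                    # RST seen by the client
            rst_in[(dst, dp, src, sp)] += 1   # key by the client->server flow
    for src, sp, dst, dp, flags in parse(dst_capture):
        if "R" in flags:                      # RST emitted by the server
            rst_out[(dst, dp, src, sp)] += 1
    return {f: (syns[f], rst_out[f], rst_in[f])
            for f in syns if rst_out[f] and not rst_in[f]}

# Constructed sample lines, shortened from the captures above; the flow to
# port 8080 is a made-up control case whose RST does reach the source.
A, B = "host-192-168-22-4.openstacklocal", "host-192-168-22-3.openstacklocal"
SYN = f"    {A}.36709 > {B}.56699: Flags [S], seq 3646210918, win 14600, length 0\n"
RST = f"    {B}.56699 > {A}.36709: Flags [R.], seq 0, ack 1, win 0, length 0\n"
OK_SYN = f"    {A}.40000 > {B}.8080: Flags [S], seq 1, win 14600, length 0\n"
OK_RST = f"    {B}.8080 > {A}.40000: Flags [R.], seq 0, ack 2, win 0, length 0\n"
SRC_CAPTURE = SYN * 3 + OK_SYN + OK_RST
DST_CAPTURE = SYN + RST + SYN + RST + OK_SYN + OK_RST

if __name__ == "__main__":
    for flow, (sent, emitted, received) in lost_resets(SRC_CAPTURE, DST_CAPTURE).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: {sent} SYN sent, "
              f"{emitted} RST emitted, {received} RST received")
```

A non-empty result, together with a rising packet count on the hypervisor's state INVALID DROP rule, matches the behaviour reported here.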

Environment

  • Red Hat Open Stack
