Flow rule "Drop (No L2 policy match)"

Article ID: 168123

Products

XOS

Issue/Introduction

This article shows that under certain circumstances apparently normal traffic can be seen as dropped by the NPM. Legitimate traffic flows between a range of sources and destinations fail, and the flow table indicates that they are DROPped for the following reason:

Drop (No L2 policy match)

It may also be observed that a test ping will work intermittently, and that TCP sessions will manage a SYN/ACK.

Cause

The issue can be caused by a scenario where, due to some misbehaviour in the adjacent network, packets are presented to the Crossbeam on more than one interface. The NPM correctly detects this anomalous behaviour and blocks the flow; however, the manner in which it communicates this to the operator is far from obvious.

Such a scenario will result in the DROP rule (seen via a "show flow active") being installed with reason "No L2 policy match".

Additionally, the drop rule will typically time out quickly, and the next presentation of the anomalous packets will reinstate it. This explains the intermittent pattern: one ping works, then several fail, then one works again, and so on.

Resolution

The only way to determine beyond doubt that packets are being presented on multiple interfaces is to trace traffic at the NPM level and observe the packets. Note that APM tracing will not suffice: the packets are dropped before they reach the APM.
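The check described above, once an NPM-level trace has been taken, is to see whether packets of the same flow arrive on more than one ingress interface. The following is an added example, not code from the article or from XOS itself: it assumes the trace has been exported to a simple text format (one packet per line, with timestamp, ingress interface, source, destination and protocol; this layout and the sample lines are constructed for illustration and are not the NPM trace format) and reports every unidirectional flow seen entering on two or more interfaces. Reverse-direction packets are keyed as a separate flow, so a reply arriving on the far-side interface is not flagged.

```python
"""Find flows whose packets are presented on more than one ingress interface.

Added example; assumes a constructed text trace format, not XOS tooling.
Each trace line: <timestamp> <ingress-iface> <src_ip>:<sport> > <dst_ip>:<dport> <proto>
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class PacketRecord(NamedTuple):
    ts: float       # capture timestamp in seconds
    iface: str      # interface the packet entered the NPM on
    src_ip: str
    src_port: int   # 0 for protocols without ports (e.g. icmp)
    dst_ip: str
    dst_port: int
    proto: str


# Unidirectional flow identity: (src_ip, dst_ip, proto, src_port, dst_port)
FlowKey = Tuple[str, str, str, int, int]


def parse_trace(text: str) -> List[PacketRecord]:
    """Parse the constructed trace format into PacketRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, iface, src, arrow, dst, proto = line.split()
        if arrow != ">":
            raise ValueError(f"unexpected trace line: {line!r}")
        src_ip, sport = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        records.append(PacketRecord(float(ts), iface, src_ip, int(sport),
                                    dst_ip, int(dport), proto.lower()))
    return records


def flow_key(p: PacketRecord) -> FlowKey:
    return (p.src_ip, p.dst_ip, p.proto, p.src_port, p.dst_port)


def ingress_by_flow(records: List[PacketRecord]) -> Dict[FlowKey, Dict[str, int]]:
    """For each flow, count how many packets arrived on each ingress interface."""
    seen: Dict[FlowKey, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for p in records:
        seen[flow_key(p)][p.iface] += 1
    return {k: dict(v) for k, v in seen.items()}


def multi_interface_flows(records: List[PacketRecord]) -> Dict[FlowKey, Dict[str, int]]:
    """Return only the flows that were presented on more than one interface.

    These are the flows for which the NPM would install a DROP rule with the
    reason "No L2 policy match", as described in the article.
    """
    return {k: v for k, v in ingress_by_flow(records).items() if len(v) > 1}


# Constructed sample trace: a ping from 10.0.0.5 to 10.0.1.9 is presented on
# both eth1 and eth2 (the fault); a TCP flow from 10.0.0.7 is normal, with its
# reply arriving on the far-side interface eth3.
SAMPLE_TRACE = """\
1700000000.001 eth1 10.0.0.5:0 > 10.0.1.9:0 icmp
1700000000.002 eth2 10.0.0.5:0 > 10.0.1.9:0 icmp
1700000000.010 eth1 10.0.0.7:51000 > 10.0.1.20:443 tcp
1700000000.011 eth3 10.0.1.20:443 > 10.0.0.7:51000 tcp
1700000001.001 eth1 10.0.0.5:0 > 10.0.1.9:0 icmp
1700000001.002 eth2 10.0.0.5:0 > 10.0.1.9:0 icmp
"""


if __name__ == "__main__":
    for key, ifaces in multi_interface_flows(parse_trace(SAMPLE_TRACE)).items():
        src_ip, dst_ip, proto, sport, dport = key
        detail = ", ".join(f"{i}={n}" for i, n in sorted(ifaces.items()))
        print(f"{proto} {src_ip}:{sport} -> {dst_ip}:{dport} seen on {len(ifaces)} "
              f"interfaces ({detail})")
```

Run against a real NPM-level trace, any flow listed by `multi_interface_flows` confirms the duplicate presentation that the flow table only reports as "No L2 policy match"; the per-interface counts point at which adjacent links are delivering the copies.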

Workaround

N/A