Symptoms:
- After an SR failover, the edge gateway firewall may send RSTs for TCP packets that belong to some existing connections.
- The connections that are dropped are ones that were established immediately before the failover.
- Before the failover, there are no entries for those connections in the gateway firewall connection table on the standby side.
- In this situation, the packet is not matched against an existing connection entry; if a subsequent matching rule for the connection exists, the packet is evaluated by that rule.
- If that rule's action is Reject, an RST is returned by the rule when the packet is forwarded to the new active edge.
Connection entries on the gateway firewall can be listed with the following command, run as root on the edge:
/usr/local/bin/edge-appctl -t /var/run/vmware/edge/dpd.ctl fw/show <ifuuid> connections
For example:
An established TCP connection entry (state 4:4) on the uplink (if:65eacfa2144445fa:b54bf537bf10fef8 in this example) exists on the active edge just before the failover. The same pair of entries is shown captured twice:
0x0c0000016c000253 af 2 ethertype 0x0000 proto tcp 172.19.81.31:53481 -> 172.19.232.72:1541 (172.19.232.72:1541) dir 1 57e3 5c96 5c 47 state 4:4 f-5060 n-0 flg:200000040303 if:65eacfa2144445fa:b54bf537bf10fef8 age:0:586 <<--- !!!!!
0x0c0000016c000254 af 2 ethertype 0x0000 proto tcp 172.19.81.31:53481 (172.19.81.31:53481) -> 172.19.232.72:1541 dir 2 57e3 5c96 5c 47 state 4:4 f-5060 n-0 flg:200000040303 if:19832f00312548e1:8dce9a2815bd1189 age:0:586
0x0c0000016c000253 af 2 ethertype 0x0000 proto tcp 172.19.81.31:53481 -> 172.19.232.72:1541 (172.19.232.72:1541) dir 1 5817 5c96 5d 47 state 4:4 f-5060 n-0 flg:200000040303 if:65eacfa2144445fa:b54bf537bf10fef8 age:0:586 <<--- !!!!!
0x0c0000016c000254 af 2 ethertype 0x0000 proto tcp 172.19.81.31:53481 (172.19.81.31:53481) -> 172.19.232.72:1541 dir 2 5817 5c96 5d 47 state 4:4 f-5060 n-0 flg:200000040303 if:19832f00312548e1:8dce9a2815bd1189 age:0:586
However, the uplink-side entry (0x0c0000016c000253, dir 1) has not yet been synchronized to the standby side. In both captures the standby holds only the dir 2 entry, and the four fields following "dir 2" are still all zero:
0x0c0000016c000254 af 2 ethertype 0x0000 proto tcp 172.19.81.31:53481 (172.19.81.31:53481) -> 172.19.232.72:1541 dir 2 0 0 0 0 state 4:4 f-5060 n-0 flg:e10000040000 if:19832f00312548e1:8dce9a2815bd1189 age:1:181
0x0c0000016c000254 af 2 ethertype 0x0000 proto tcp 172.19.81.31:53481 (172.19.81.31:53481) -> 172.19.232.72:1541 dir 2 0 0 0 0 state 4:4 f-5060 n-0 flg:e10000040000 if:19832f00312548e1:8dce9a2815bd1189 age:1:181
In this situation, because the new active edge has no connection entry to match, the packet is not evaluated by the rule that was expected to be hit, but instead by the default rule, and it may be rejected.
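To check for this condition before a planned failover, the connection tables from the active and standby edges can be diffed. The following Python script is an added example, not part of this article or of any VMware tooling. It assumes the output format is exactly as shown above (the four fields between "dir N" and "state" are not documented on this page and are treated as opaque), and the sample lines embedded below are reconstructed from the listing in this article with the "<<--- !!!!!" annotation stripped.

```python
"""Find established TCP connections present on the active edge but missing on
the standby, from captured `fw/show <ifuuid> connections` output.

Capture on each edge, e.g.
  /usr/local/bin/edge-appctl -t /var/run/vmware/edge/dpd.ctl fw/show <ifuuid> connections > active.txt
then run report(open("active.txt").read(), open("standby.txt").read()).
"""
import re
from dataclasses import dataclass

# One connection line as printed on this page. The optional parenthesised
# address after src or dst is captured loosely and ignored; the four fields
# between "dir N" and "state" are opaque here (their meaning is not documented
# on the page, only that they are zero on the unsynchronised standby copy).
CONN_RE = re.compile(
    r"^(?P<id>0x[0-9a-f]+) af (?P<af>\d+) ethertype 0x[0-9a-f]+ proto (?P<proto>\w+) "
    r"(?P<src>\S+) (?:\(\S+\) )?-> (?P<dst>\S+) (?:\(\S+\) )?"
    r"dir (?P<dir>\d+) (?P<opaque>\S+ \S+ \S+ \S+) state (?P<state>\S+) "
    r"f-\d+ n-\d+ flg:(?P<flg>[0-9a-f]+) if:(?P<ifuuid>\S+) age:(?P<age>\S+)"
)


@dataclass(frozen=True)
class Conn:
    conn_id: str
    proto: str
    src: str
    dst: str
    direction: int
    state: str
    flg: str
    ifuuid: str
    age: str


def parse_connections(text):
    """Return {(conn_id, direction): Conn} for every line matching CONN_RE.

    Lines that do not match (prompts, blank lines, headers) are skipped. If the
    same entry appears more than once (several captures pasted together) the
    last occurrence wins.
    """
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            c = Conn(m["id"], m["proto"], m["src"], m["dst"], int(m["dir"]),
                     m["state"], m["flg"], m["ifuuid"], m["age"])
            conns[(c.conn_id, c.direction)] = c
    return conns


def unsynced_established(active_text, standby_text):
    """Established (state 4:4) TCP entries on the active edge with no entry of
    the same id and direction on the standby. After an SR failover these are
    the flows whose next packet is evaluated against the rule table instead
    of an existing connection entry."""
    active = parse_connections(active_text)
    standby = parse_connections(standby_text)
    missing = [c for key, c in active.items()
               if c.proto == "tcp" and c.state == "4:4" and key not in standby]
    return sorted(missing, key=lambda c: (c.conn_id, c.direction))


def report(active_text, standby_text):
    """One human-readable line per unsynchronised connection."""
    return [f"NOT SYNCED {c.conn_id} dir {c.direction} {c.proto} "
            f"{c.src} -> {c.dst} if:{c.ifuuid} age:{c.age}"
            for c in unsynced_established(active_text, standby_text)]


# Constructed sample input, reconstructed from the listing in this article.
ACTIVE_SAMPLE = """\
0x0c0000016c000253 af 2 ethertype 0x0000 proto tcp 172.19.81.31:53481 -> 172.19.232.72:1541 (172.19.232.72:1541) dir 1 57e3 5c96 5c 47 state 4:4 f-5060 n-0 flg:200000040303 if:65eacfa2144445fa:b54bf537bf10fef8 age:0:586
0x0c0000016c000254 af 2 ethertype 0x0000 proto tcp 172.19.81.31:53481 (172.19.81.31:53481) -> 172.19.232.72:1541 dir 2 57e3 5c96 5c 47 state 4:4 f-5060 n-0 flg:200000040303 if:19832f00312548e1:8dce9a2815bd1189 age:0:586
"""

STANDBY_SAMPLE = """\
0x0c0000016c000254 af 2 ethertype 0x0000 proto tcp 172.19.81.31:53481 (172.19.81.31:53481) -> 172.19.232.72:1541 dir 2 0 0 0 0 state 4:4 f-5060 n-0 flg:e10000040000 if:19832f00312548e1:8dce9a2815bd1189 age:1:181
"""

if __name__ == "__main__":
    for line in report(ACTIVE_SAMPLE, STANDBY_SAMPLE):
        print(line)
```

On the sample above the report lists exactly the uplink-side entry 0x0c0000016c000253 (dir 1) as not synced, matching the situation described in the article; a clean pre-failover state produces an empty report.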