- Download Diff

Summary:

AE-1441 SLB Not Responding to SYN Packets After Traffic Failover with HA SSF Enabled ||AS-20030|| Kokilaben

Review Request #844 — Created May 7, 2025 and submitted May 12, 2025, 7:19 p.m.

Information
Owner:	mmiriam
Repository:	APV10
Branch:	rel_apv_10.7.2
Bugs:	AE-1441
Depends On:
Reviewers
Groups:
People:	pradeep, prajesh, tanya

Description

AE-1441 SLB Not Responding to SYN Packets After Traffic Failover with HA SSF Enabled ||AS-20030|| Kokilaben

Testing Done

Test results of CLI:
ha ssf ?
filter              Setting HA stateful session failover filter

off                 Disable session failover function of virtual service or NAT

on                  Enable session failover function of virtual service or NAT

peer                HA ssf peer ip

timeout             Set SSF session idle timeout
ha ssf filter ?
off                 Disable session failover filter

on                  Enable session failover filter
show run ssf
ha ssf on

ha ssf on nat

ha ssf timeout 300

ha ssf on "VS"

ha ssf on "VS1"

ha ssf peer 10.10.10.11

ha ssf filter off
verified "write mem"

Issues

Description	From	Last Updated
what is this function for? Seems like we are filtring packets based on dest IP.	prajesh	May 8, 2025, 7:15 p.m.
if we are not dropping then dont increment this counter.	prajesh	May 8, 2025, 7:15 p.m.
you are hitting this path . Sf_fip_drop is true . the packet need to drop but you are skipping thapcket …	satyendra	May 7, 2025, 6:04 p.m.
get is not required. We can set always?	prajesh	May 8, 2025, 8:03 p.m.
same here	prajesh	May 8, 2025, 8:03 p.m.
sf filter	prajesh	May 9, 2025, 2:24 p.m.
sf filter.	prajesh	May 9, 2025, 2:24 p.m.
You also need to implement show function for this command . if you need it to be persistent than also …	satyendra	May 12, 2025, 7:36 p.m.
this is not required as the possible values are only o and 1	satyendra	May 12, 2025, 7:36 p.m.
Not required	satyendra	May 12, 2025, 7:36 p.m.

branches/rel_apv_10_7_2/usr/src/sys/net/if_ethersubr.c (Diff revision 1)

Show all issues

what is this function for? Seems like we are filtring packets based on dest IP.

mmiriam May 7, 2025, 4:10 p.m.

It is checking if fip entry is avilable and is disabled/inactive state then it will return SF_FIP_DROP or else SF_FIP_PASS

prajesh May 7, 2025, 4:12 p.m.

as per the logic we should drop the packet. Are we missing something here?

branches/rel_apv_10_7_2/usr/src/sys/net/if_ethersubr.c (Diff revision 1)

Show all issues

if we are not dropping then dont increment this counter.

mmiriam May 7, 2025, 4:10 p.m.

In if case it is incrementing sf_deliver_packets else will increment sf_drop_packets

branches/rel_apv_10_7_2/usr/src/sys/net/if_ethersubr.c (Diff revision 1)

Show all issues

you are hitting this path . Sf_fip_drop is true . the packet need to drop but you are skipping thapcket . You need to use break as the wile loop runs only once .If you need to keep the packet , It better to handle some place other than here

satyendra May 7, 2025, 6:05 p.m.

you are hitting this path As Sf_fip_drop is true . the packet need to drop but you are skipping the packet . You need not to use break as the wile loop runs only once .If you need to keep the packet , It better to handle some place other than here. It will change the whole logic of this block , possibly side effect will seen

Change Summary:

Added a cli to enable/disable ha ssf filter

Testing Done:

	+	Test results of CLI:
	+
	+	ha ssf ?
	+
	+	filter Setting HA stateful session failover filter
	+	off Disable session failover function of virtual service or NAT
	+	on Enable session failover function of virtual service or NAT
	+	peer HA ssf peer ip
	+	timeout Set SSF session idle timeout
	+
	+	ha ssf filter ?
	+
	+	off Disable session failover filter
	+	on Enable session failover filter
	+
	+	show run ssf
	+
	+	ha ssf on
	+	ha ssf on nat
	+	ha ssf timeout 300
	+	ha ssf on "VS"
	+	ha ssf on "VS1"
	+	ha ssf peer 10.10.10.11
	+	ha ssf filter off
	+
	+	verified "write mem"

Diff:

Revision 2 (+89 -1)

Show changes

	branches/rel_apv_10_7_2/usr/click/lib/libparser/commands.pm
	branches/rel_apv_10_7_2/usr/src/sys/click/app/cm/sf_cli.c

branches/rel_apv_10_7_2/usr/src/sys/click/app/cm/sf_cli.c (Diff revision 2)
Show all issues
```
get is not required. We can set always?
```
branches/rel_apv_10_7_2/usr/src/sys/click/app/cm/sf_cli.c (Diff revision 2)
Show all issues
```
same here
```

Diff:

Revision 3 (+75 -1)

Show changes

	branches/rel_apv_10_7_2/usr/click/lib/libparser/commands.pm
	branches/rel_apv_10_7_2/usr/src/sys/click/app/cm/sf_cli.c

branches/rel_apv_10_7_2/usr/src/sys/click/app/cm/sf_cli.c (Diff revision 3)
Show all issues
```
sf filter
```
branches/rel_apv_10_7_2/usr/src/sys/click/app/cm/sf_cli.c (Diff revision 3)
Show all issues
```
sf filter.
```

Diff:

Revision 4 (+75 -1)

Show changes

	branches/rel_apv_10_7_2/usr/click/lib/libparser/commands.pm
	branches/rel_apv_10_7_2/usr/src/sys/click/app/cm/sf_cli.c

Ship it!

```
Ship It!
```

Ship it!

```
Ship It!
```

Status: Closed (submitted)

Please check with praveen , If this command need to be part of write memeory

mmiriam May 12, 2025, 7:36 p.m.

As we added it part of HA ssf command so write mem is needed

branches/rel_apv_10_7_2/usr/click/lib/libparser/commands.pm (Diff revision 4)

Show all issues

You also need to implement show function for this command . 
if you need it to be persistent than also implement the wr_mem for this command

mmiriam May 12, 2025, 7:36 p.m.

add in session_failover_show_segment_settings for show run

branches/rel_apv_10_7_2/usr/src/sys/click/app/cm/sf_cli.c (Diff revision 4)
Show all issues
```
this is not required as the possible values are only o and 1
```
branches/rel_apv_10_7_2/usr/src/sys/click/app/cm/sf_cli.c (Diff revision 4)
Show all issues
```
Not required
```

You have a pending review.

Review Board 5.0.5

AE-1441 SLB Not Responding to SYN Packets After Traffic Failover with HA SSF Enabled ||AS-20030|| Kokilaben

ha ssf ?

ha ssf filter ?

show run ssf

Change Summary:

Testing Done:

ha ssf ?

ha ssf filter ?

show run ssf

Diff:

Diff:

Diff:

Status: Closed (submitted)