Hi Oscar, On 5/6/25 12:31 PM, Trọng Đạt Trần wrote: > As requested, I’ve attached additional tracing information related to > the sampling duplication issue. > > * > > The file |ofproto_trace.log| contains the full output of |ofproto/ > trace| commands. > > * > > The archive |ovn-detrace.tar.gz| includes six separate files, each > corresponding to an |ovn-detrace| output for a flow I believe is > involved in the duplicated sampling. > > Since I’m not fully confident in how to use |--ct-next option|, I’ve > included traces for all six related flows to ensure completeness. > > Please let me know if you need further details, or if I should re-run > any commands with additional options. >
This seems fairly easy to reproduce locally for investigation; I didn't try yet though. However, would you mind sharing your OVN NB database file (I'm assuming this is a test environment)? I would like to make sure we don't have any misunderstanding because the terms you use below in your ACL description (e.g., "outbound"/"inbound") are not standard terms. Having the actual ACL (and the rest of the NB) contents will make it easier to debug. Thanks, Dumitru > Best regards, > > *Oscar* > > > On Tue, May 6, 2025 at 4:15 PM Adrián Moreno <amore...@redhat.com > <mailto:amore...@redhat.com>> wrote: > > On Tue, May 06, 2025 at 11:48:07AM +0700, Trọng Đạt Trần wrote: > > Dear Adrián, > > > > Thank you for your response. I’ve applied your suggestion to use > separate > > sample entries for each ACL. However, I am still seeing unexpected > behavior > > in the IPFIX output that I’d like to clarify. > > Test Setup (Same as Before) > > > > vm_a ---- network1 ---- router ---- network2 ---- vm_b > > > > > > - > > > > Two ACLs: > > - > > > > ACL A: allow-related *outbound* IPv4 > > - > > > > ACL B: allow-related *inbound* ICMP > > - > > > > ACLs applied symmetrically to both VMs. > > - > > > > Test traffic: ICMP request from vm_b to vm_a, and reply from > vm_a to vm_b > > . > > > > Key Problem Observed > > > > When sampling is enabled on *both* ACLs, the IPFIX record for > *flow (3)* > > (the ICMP reply from vm_a → router) shows *120 packets/min*. > > > > However: > > > > - > > > > If *only ACL B* (inbound ICMP) is sampled → (3) = 60 packets/min > > - > > > > If *only ACL A* (outbound IP4) is sampled → (3) not present > > - > > > > If both are sampled → (3) = 120 packets/min > > > > This suggests that *flow (3) is being sampled twice* — even though it > > represents a *single logical flow and matches only ACL B*. > > IPFIX Observations > > FlowDescriptionExpectedActual > > (1) vm_b → router (ICMP request) 60 pkt/m 60 > > (2) router → vm_a (ICMP request) 60 pkt/m 60 > > (3) vm_a → router (ICMP reply) 60 pkt/m 120 ⚠️ > > (4) router → vm_b (ICMP reply) 60 pkt/m 60 > > This is not what I'd expect, maybe Dumitru knows? > > Could you attach ofproto/trace and ovn-detrce outputs from both > directions? > > Thanks. > Adrián > _______________________________________________ discuss mailing list disc...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
