On Tue, May 06, 2025 at 11:48:07AM +0700, Trọng Đạt Trần wrote:
> Dear Adrián,
>
> Thank you for your response. I’ve applied your suggestion to use separate
> sample entries for each ACL. However, I am still seeing unexpected behavior
> in the IPFIX output that I’d like to clarify.
>
> Test Setup (Same as Before)
>
> vm_a ---- network1 ---- router ---- network2 ---- vm_b
>
> - Two ACLs:
>   - ACL A: allow-related *outbound* IPv4
>   - ACL B: allow-related *inbound* ICMP
> - ACLs applied symmetrically to both VMs.
> - Test traffic: ICMP request from vm_b to vm_a, and reply from vm_a to vm_b.
>
> Key Problem Observed
>
> When sampling is enabled on *both* ACLs, the IPFIX record for *flow (3)*
> (the ICMP reply from vm_a → router) shows *120 packets/min*.
>
> However:
>
> - If *only ACL B* (inbound ICMP) is sampled → (3) = 60 packets/min
> - If *only ACL A* (outbound IP4) is sampled → (3) not present
> - If both are sampled → (3) = 120 packets/min
>
> This suggests that *flow (3) is being sampled twice* — even though it
> represents a *single logical flow and matches only ACL B*.
>
> IPFIX Observations
>
> Flow | Description                    | Expected | Actual
> (1)  | vm_b → router (ICMP request)   | 60 pkt/m | 60
> (2)  | router → vm_a (ICMP request)   | 60 pkt/m | 60
> (3)  | vm_a → router (ICMP reply)     | 60 pkt/m | 120 ⚠️
> (4)  | router → vm_b (ICMP reply)     | 60 pkt/m | 60

This is not what I'd expect, maybe Dumitru knows?

Could you attach ofproto/trace and ovn-detrace outputs from both directions?

Thanks.
Adrián

_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss