Either way, If we go with normal Security Group or with VSNext, the management interface is configured active/back-up .
On VSNext, underneath it's an MAGG while on the V0 it's an WRP interface. 

On ACI side we have all ports set as access, no MAC filtering. 

Thank you,

Good day!

Do you see any regular packet drop when you ping from the Management Server to the SG Management IP? May it be a general connectivity issue? I see 6.5% of RX errors on magg interfaces. This doesn't look good.

If we see significant packet loss from the Management Server to the SG, then it is expected that SIC verification and policy push fails. We need to narrow down the problem area starting from bottom up.

hello @Gennady , 

No we do not have packet loss between Management and SG's. 

And even if we would have a packet loss.

If that would be the case, then how can we explain that in an VS created on top of the SecurityGroup, we get 5 out of 5 SIC validations and no errors when pushing the Policy?

Thank you, 

In addition,

Did you have a chance to capture traffic on the SG (all SGMs at the same time) at the moment when you verify SIC from the Management Server?

The fact that the problem appears only if you add more than 1 SGM to the SG points to some distribution problem. It should not affect magg interface until packets from the Management Server in fact arrives on some Data interface or SMO role is flapping (this is very unlikely).

Yes we did packet captures on Management and both SG members and shared them with the Support .

Indeed it points to a distribution problem, but the distribution set-up is for the data-path and not for management per my understanding. 

SMO role was not flapping as we checked and it's always the first member that we used to build the SG. 
still while doing tcpdumps on both members and we were checking SIC, we've seen that almost every time when SIC failed, the other member was showing traffic at one point. So why is shifting, I can't say. 

Thank you,

Thank you, 

MAC learning would explain the shifting. If you do the tcpdumps with the MACs shown (-e) do you see the inbound MACs change when SIC stops working and you see traffic on the other SGM?

We'll run again the captures and watch the MAC and come back. 
Still I repeat, if we are using a single port between MHO's and ACI for management, then we have a single Inbound MAC so ?

Thank you, 

No it's MAC per SGM, not per MHO/port. If it works stable with one SGM then it's not MAC flapping. Not sure about VSNext if each VS also has its own MAC address on there but that might need checking too. 

I have the same understanding, and in order to exclude VSNext, we have wiped and created an standard Security Group as well. 
And with that we have the same SIC behavior. 

Ty,

Not MAC filtering, MAC learning. If the ACI is learning MAC addresses from outbound packets, it's going to be constantly changing the MAC table for the magg interfaces, and packets are going to get lost, leading to SIC failures. On the SG management port, each SGM uses its own MAC address, so MAC learning can break things. 

As I know, we don't do any MAC learning/filtering on ACI side.

But, if we were to do any of that, we should have alerts on ACI side for MAC flapping and the Leaf ports that we have the Management connected - those first 2 ports from each MHO. 
But since we are with only one port active right now, there is no MAC flapping, unless the Management IP - 10.18.169.41 in Singapore case - jumps between the 2 members for whatever reason....

I'll doublecheck and come back.

Thank you, 

As promised, we checked the ACI side for MAC flapping and we don't have any alerts for the ports that we use for SG Management.

ty @Gennady , I will check the SMO state and come back. 

As for the ACI and SK you provided, that makes sense, but we should have alerts on ACI side if an IP changes MAC .

As you see, we have the same MAC for the SG IP:

ty,
PS: I've run the zdebug on both nodes while checking SIC and getting failures, and I did not get any packets, so during the SIC check SMO was not changing, I guess....

If there are no messages in zdebug during the problem replication. then we can rule out SMO flap.

An example of SMO role change is below:

just to clarify for myself, what would cause an SMO change ? 
Other than the shut-down/reload of the active one.....

can I trigger that by CLI so I just confirm it ?

Thank you, 

Good day!

The easy way to trigger SMO role change is by brief shutdown of downlink port from MHO side.

Use "orch_stat" to find logical port number for downlink interface which leads to SMO. Then you can use tor_util on both MHO at the same time (you can try just one MHO at first for the test):

"tor_util set_port_admin_state <logical_port_number> down && sleep 1 && tor_util set_port_admin_state <logical_port_number> up"

Example:

"tor_util set_port_admin_state 65 down && sleep 1 && tor_util set_port_admin_state 65 up"

The command above will disable downlink port for 1 second and then bring it back UP. This results in SMO role change from 1_01 to 1_02 for ~35 seconds and then it will go back from 1_02 to 1_01. You will see both events in zdebug. The zdebug command should be executed on 1_02 because you will break SSH to 1_01.

Be careful if the test is in production because SMO role flap distracts all SMO local connections:

• control ssh to SG IP because it is handled by SMO (if magg interface is used)
• communication between IDC-PDP-PEP for Identity Awareness if PDP or PEP role in on SG
• BGP peering if it is terminated on the SG
• may see a blip in LAG status on connected network device because LACP task is also handled by SMO
• connection to Security Management and Log servers

hello @Martijn ,

We don't have anything fancy on this Vlan - Vlan168 where we have the SG Management assigned. 

As for the MAGG creation, I did not do anything in the CLI - as per documentation you do the interface preference in CLI - we did everything in GAIA.

I just set the primary interface on the magg1 as eth1-Mgmt1 and still the SIC error is there 😫.

Thank you,