Troubleshooting Cisco VSG Flow Issues on KVM VEM Module
This chapter describes how to troubleshoot Cisco Virtual Security Gateway (VSG) flow issues on KVM VEM module.
This chapter includes the following sections:
Understanding KLM Flow Messages
The Cisco vPath support on KVM is limited to a VSG type service node. Flows are offloaded to the KLM when the VSG decides to offload a PERMIT or DENY action to the VEM. When offloaded, KLM flows with one of the following actions are created: vpath_permit, vpath_permit_tcp, and vpath_deny. Table 9-1 lists the messages generated:
Table 9-1 KLM Flow Messages

| Flow type | KLM flow message |
|---|---|
| ICMP deny flow | key=in_port:21,vlan:120,dmac:06:0d:eb:00:80:01,smac:06:0d:eb:00:70:01,etype:0x0800,dip:172.23.128.8,sip:172.23.128.7,proto:1,tos:0,dport:0,sport:8 actions=vpath_deny: pkts=1 bytes=98 drops=1 punts=0 |
| ICMP permit flow | key=in_port:21,vlan:120,dmac:06:0d:eb:00:80:01,smac:06:0d:eb:00:50:01,etype:0x0800,dip:172.23.128.8,sip:172.23.128.5,proto:1,tos:0,dport:0,sport:8 actions=vpath_permit : pkts=10 bytes=980 drops=0 punts=0 |
| UDP permit flow | key=in_port:51,vlan:120,dmac:06:0d:eb:00:50:01,smac:06:0d:eb:00:80:01,etype:0x0800,dip:172.23.128.5,sip:172.23.128.8,proto:17,tos:0,dport:47161,sport:44260 actions=vpath_permit : pkts=1003114 bytes=1452509072 drops=0 punts=0 |
| TCP permit flow | key=in_port:21,vlan:120,dmac:06:0d:eb:00:80:01,smac:06:0d:eb:00:50:01,etype:0x0800,dip:172.23.128.8,sip:172.23.128.5,proto:6,tos:0,dport:2083,sport:59759 actions=vpath_permit_tcp :0141000001000000 pkts=4 bytes=292 drops=0 punts=0 |
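As an added example that is not part of this Cisco chapter, the following Python parses flow lines in the Table 9-1 format into structured records, sums the counters per action, and filters the flows that touch one host; the sample input is the four lines from the table, and the field names are taken from those lines (the key field list is assumed to be what appears there).

```python
import re

# Flow lines as printed in Table 9-1 of this chapter (ICMP deny, ICMP permit, UDP permit, TCP permit).
SAMPLE_KLM_FLOWS = """\
key=in_port:21,vlan:120,dmac:06:0d:eb:00:80:01,smac:06:0d:eb:00:70:01,etype:0x0800,dip:172.23.128.8,sip:172.23.128.7,proto:1,tos:0,dport:0,sport:8 actions=vpath_deny: pkts=1 bytes=98 drops=1 punts=0
key=in_port:21,vlan:120,dmac:06:0d:eb:00:80:01,smac:06:0d:eb:00:50:01,etype:0x0800,dip:172.23.128.8,sip:172.23.128.5,proto:1,tos:0,dport:0,sport:8 actions=vpath_permit : pkts=10 bytes=980 drops=0 punts=0
key=in_port:51,vlan:120,dmac:06:0d:eb:00:50:01,smac:06:0d:eb:00:80:01,etype:0x0800,dip:172.23.128.5,sip:172.23.128.8,proto:17,tos:0,dport:47161,sport:44260 actions=vpath_permit : pkts=1003114 bytes=1452509072 drops=0 punts=0
key=in_port:21,vlan:120,dmac:06:0d:eb:00:80:01,smac:06:0d:eb:00:50:01,etype:0x0800,dip:172.23.128.8,sip:172.23.128.5,proto:6,tos:0,dport:2083,sport:59759 actions=vpath_permit_tcp :0141000001000000 pkts=4 bytes=292 drops=0 punts=0
"""

# One KLM flow line: a comma-separated key, an action (optionally followed by a hex
# argument, as with vpath_permit_tcp), then the four counters.
FLOW_RE = re.compile(
    r"^key=(?P<key>\S+)\s+actions=(?P<action>\w+)\s*:(?P<arg>[0-9a-fA-F]*)\s+"
    r"pkts=(?P<pkts>\d+)\s+bytes=(?P<bytes>\d+)\s+drops=(?P<drops>\d+)\s+punts=(?P<punts>\d+)\s*$"
)
INT_KEY_FIELDS = {"in_port", "vlan", "proto", "tos", "dport", "sport"}
COUNTERS = ("pkts", "bytes", "drops", "punts")

def parse_flow(line: str) -> dict:
    """Parse one KLM flow line into {'key': {...}, 'action', 'arg', 'pkts', 'bytes', 'drops', 'punts'}."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a KLM flow line: {line!r}")
    key = {}
    for field in m["key"].split(","):
        name, _, value = field.partition(":")  # MACs contain ':' so split on the first one only
        key[name] = int(value) if name in INT_KEY_FIELDS else value
    flow = {"key": key, "action": m["action"], "arg": m["arg"]}
    flow.update((c, int(m[c])) for c in COUNTERS)
    return flow

def parse_flows(text: str) -> list:
    return [parse_flow(l) for l in text.splitlines() if l.startswith("key=")]

def summarize(flows) -> dict:
    """Per-action flow count and summed counters: a quick view of what the KLM is doing."""
    out = {}
    for f in flows:
        s = out.setdefault(f["action"], {"flows": 0, "pkts": 0, "drops": 0, "punts": 0})
        s["flows"] += 1
        for c in ("pkts", "drops", "punts"):
            s[c] += f[c]
    return out

def flows_for_host(flows, ip: str) -> list:
    """Flows where the host is source or destination: the usual starting point when one VM's traffic misbehaves."""
    return [f for f in flows if ip in (f["key"]["sip"], f["key"]["dip"])]
```

Feed it the flow lines captured from the VEM and compare the per-action drop and punt totals against what the VSG policy is expected to produce.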
Troubleshooting TCP State Connection Objects
When TCP permit flows are offloaded to the KLM, connection objects are programmed in the KLM to facilitate TCP state verification, which is performed as part of the vpath_permit_tcp action. You can use the vemcmd show klm vpath command to list statistics related to TCP state connection objects:
[root@kvm-cuda5 ~]# vemcmd show klm vpath
where,
num_conns: Indicates the number of connection objects currently programmed in the KLM.
Note: The remaining stats indicate the number of times operations have been performed to add, delete, fetch, and set connection objects in the KLM.