openvswitch: ovs-system: deferred action limit reached, drop recirc action

[syedammad83]

Hi,

I am using OVN 22.03 with OVS 2.17.2 on ubuntu 22.04. The OVN is integrated with OpenStack neutron and using 20.2 yoga release.

I am getting below mentioned logs in dmesg logs of gateway chassis.

[Wed Sep 21 16:54:59 2022] openvswitch: ovs-system: deferred action limit reached, drop recirc action
[Wed Sep 21 16:55:05 2022] openvswitch: ovs-system: deferred action limit reached, drop recirc action
[Wed Sep 21 16:55:09 2022] openvswitch: ovs-system: deferred action limit reached, drop recirc action
[Wed Sep 21 16:55:14 2022] openvswitch: ovs-system: deferred action limit reached, drop recirc action
[Wed Sep 21 16:55:17 2022] openvswitch: ovs-system: deferred action limit reached, drop recirc action
[Wed Sep 21 16:55:19 2022] openvswitch: ovs-system: deferred action limit reached, drop recirc action
[Wed Sep 21 16:55:22 2022] openvswitch: ovs-system: deferred action limit reached, drop recirc action

There are alot of messages I am seeing. Digging it further the issue can be reproduced by hitting any kind of traffic to logical router's external gateway port IP address (which is SNAT IP address of router). When ever I put the SNAT IP in browser and press enter, the logs starts to show up.

Is this an issue OR will it cause any trouble in traffic ?

I am happy to provide any further details needed.

Ammad

[zhanrox2]

Hi @syedammad83 , I also encountered the same problem, has your problem been solved, how to solve it.

[hzhou8]

Could you provide output of ovs-appctl dpctl/dump-flows when this is happening?

[hzhou8]

It seems this problem was discussed before and never resolved? https://mail.openvswitch.org/pipermail/ovs-discuss/2021-August/051353.html
I also recall a problem that's fixed in OVS even earlier that had the same symptom. Not sure if it is something similar to that problem: openvswitch/ovs@29b1dd9
The DP flow output should tell more information. At the same time, it would be helpful if you could provide the NB-DB dumps and SB lflow dumps (ovn-sbctl lflow-list). ovn-trace output for the problematic trigger packet would be even better.

[zhanrox2]

@hzhou8 The problem like this: #134 .
The main problem is related to TCP/UDP traffic sent to the address of an LRP port that is not part of any SNAT/DNAT conversation, it will keep recirculating in the OVS data plane until TTL is 0.
The message is shown in the kernel log due to the size of the FIFO "DEFERRED_ACTION_FIFO_SIZE", but this is a consequence of the packets not matching the flow tables of the datapath. See kernel - net/openvswitch/actions.c
Basically, it only happens when there is a SNAT rule to translate an entire network (masquerade) and the return traffic does not have an open port.

[syedammad83]

flow1.txt
flow3.txt
flow2.txt

Above are the output of ovs-appctl dpctl/dump-flows | grep 175.107.193.122

I have grep my testing public IP address from dump. I have just put this IP in my browser and dumped the flows.

[syedammad83]

# ovn-trace --no-friendly-names --ovs neutron-6cf49a42-ae18-4e2b-ae53-52e398025b6f 'inport == "lrp-020ebe69-fd1b-446f-8f02-29b88914184d" && ip4.dst == 175.107.193.12'
# ip,reg14=0x1,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=00:00:00:00:00:00,nw_src=0.0.0.0,nw_dst=175.107.193.12,nw_proto=0,nw_tos=0,nw_ecn=0,nw_ttl=0

ingress(dp="d02fa4ae-8845-41e8-b65f-51ddcd4f4478", inport="lrp-020ebe69-fd1b-446f-8f02-29b88914184d")
-----------------------------------------------------------------------------------------------------
 0. lr_in_admission: no match (implicit drop) " 

I am seeing nothing in ovn-trace output

@hzhou8

[srelf-eschercloud]

Seeing the same issue, but also could be affecting performance. Tagging myself. Please let me know if any debug info i can provide.

[r-acosta]

Hey folks, I also encountered the same problem - In the past with Openstack Ussuri (ovn 20.03 and ovs 2.13) and now with Openstack Yoga (ovn 22.03 and ovs 2.17). @hzhou8 <https://github.com/hzhou8>, I believe we are talking about the discussed and never resolved (SNAT/DNAT recirc issue) https://mail.openvswitch.org/pipermail/ovs-discuss/2021-August/051353.html, and related issues #134 The central question seems to be understanding why the pkt doesn't match. The pkt first goes through the OVS_ACTION_ATTR_CT action, looking for conntrack/nat actions. If not found it re-injects the package skipping the first table to look for the package path (recirculation is the use of freezing to allow a frame to re-enter the datapath packet processing path to achieve more flexible packet processing), and in this case, the pkt will be placed in the queue, which has a limit of 10 (DEFERRED_ACTION_FIFO_SIZE). Some time ago I even thought about increasing this queue limit because I'm not sure about the latency effects of these recirculated packets. An important note is that this issue can only be seen on gateway nodes. Regards, Roberto

…

Message ID: ***@***.***>

-- _‘Esta mensagem é direcionada apenas para os endereços constantes no cabeçalho inicial. Se você não está listado nos endereços constantes no cabeçalho, pedimos-lhe que desconsidere completamente o conteúdo dessa mensagem e cuja cópia, encaminhamento e/ou execução das ações citadas estão imediatamente anuladas e proibidas’._ * **‘Apesar do Magazine Luiza tomar todas as precauções razoáveis para assegurar que nenhum vírus esteja presente nesse e-mail, a empresa não poderá aceitar a responsabilidade por quaisquer perdas ou danos causados por esse e-mail ou por seus anexos’.*

[hzhou8]

Hi folks, thanks for your valuable information! Sorry that I didn't have time to look at this recently. I will try to reproduce it locally according to what you provided, and debug it next week or so.

[hzhou8]

PTAL: https://patchwork.ozlabs.org/project/ovn/patch/20221220000549.16922-1-hzhou@ovn.org/

[hzhou8]

The above fix is merged to main and branch-22.12. Close the issue.