11-14-2017 05:35 AM - edited 03-01-2019 04:02 AM
Hello all,
I am facing a troubling behaviour that I can't explain.
I have two NSO services:
- 1: a service in charge of policing traffic (the service creates an ACL, a Class-Map and a Policy-Map)
- 2: a service in charge of changing tunnel dscp of packets (the service creates an ACL, a Class-Map and a Policy-Map)
I am trying to instantiate one of each service applied to the same flow (same ACL and Class-Map) on the same interface (same policy-map).
1- I create the policing service
2- I commit
3- I create the change dscp service
4 - I commit.
It works fine. When I look at the router conf, I have only one ACL, one class-map and two actions are configured in the policy-map for the class-map.
Then, I undo the first service (policing service) and here is the issue: it does delete the class-map definition (class-map is still here but doesn't match with the ACL anymore). The ACL is still here and policy-map as well.
When I undo services in the same order as I've created them, there is no issue.
Do you have any idea about this?
It seems I need to create a new ACL and Class-Map for each service.
Thanks.
Alexandre
11-14-2017 06:03 AM
What does your service code look like? Does it have if-statements checking if some relevant config is there already, and if so doesn't create it? Don't do that. For NSO to see that your service instance really depends on some data, the service should create it, even if it's already there. NSO will then do the reference counting, and remove it when the last service instance that needs it is removed.
If this doesn't answer your question, you'll have to share the logic of your code. Does it use templates? What does the resulting config look like when you display it like this:
show full-configuration ... | display service-meta-data
11-14-2017 07:30 AM
Hello Jan,
No, I am not using any kind of if statements.
I can share the service but what is the best way? Just copy-paste the code?
11-14-2017 07:33 AM
When I instantiate one of the two services, if the ACL and class-map don't exist, it just creates them (that is normal).
Now, what I'm trying to test is instantiate a service using same ACL and class-map.
It works fine.
But if I remove only one of the two instantiated services, the behaviour varies.
When I remove first the last instantiated service, it works fine, the class-map is left as it must be.
But, if I remove first the first instantiated service, then the ACL is left intact but not the class-map. The class-map is still here but the definition of class-map (match access-group name XXX) vanishes.
The config I wish to obtain is as follows:
***** Before service instantiation
TunnelX-policy-map
**** After service 1 instantiation
class-map match-all test-class-map
 match access-group name test-access-list
policy-map TunnelX-policy-map
 class test-class-map
  police cir 8000
   conform-action drop
   exceed-action drop
   violate-action drop
ip access-list extended test-access-list
 permit ip host 10.20.9.130 host 10.20.8.2 dscp ef
****** After service 1 & 2 instantiation
class-map match-all test-class-map
 match access-group name test-access-list
policy-map TunnelX-policy-map
 class test-class-map
  police cir 8000
   conform-action drop
   exceed-action drop
   violate-action drop
  set dscp tunnel af33
ip access-list extended test-access-list
 permit ip host 10.20.9.130 host 10.20.8.2 dscp ef
****** After service 1 removal (EXPECTED)
class-map match-all test-class-map
 match access-group name test-access-list
policy-map TunnelX-policy-map
 class test-class-map
  set dscp tunnel af33
ip access-list extended test-access-list
 permit ip host 10.20.9.130 host 10.20.8.2 dscp ef
****** After service 1 removal (WHAT I GET)
class-map match-all test-class-map
policy-map TunnelX-policy-map
 class test-class-map
  set dscp tunnel af33
ip access-list extended test-access-list
 permit ip host 10.20.9.130 host 10.20.8.2 dscp ef
Thanks again.
Alexandre
11-17-2017 01:39 AM
Hi Jean-Marc,
Check the following command at every step of the way:
admin@ncs% show devices device X | display service-meta-data
Regards,
Roque
11-17-2017 04:18 AM
Hi Roque, Jan,
Here is a copy paste. The output is huge so I only focus on what is failing
First service instantiation (we can see that there is an ACL configured)
/* Refcount: 1 */
/* Backpointer: [ /ncs:services/syr4-nc-ratelimit:syr4-nc-ratelimit[syr4-nc-ratelimit:name='test'] ] */
class-map test-class-map {
    /* Refcount: 1 */
    match-all;
    match {
        access-group {
            name test-access-list;
        }
    }
}
Second service instantiation (still OK)
/* Refcount: 2 */
/* Backpointer: [ /ncs:services/syr4-nc-ratelimit:syr4-nc-ratelimit[syr4-nc-ratelimit:name='test'] /ncs:services/syr4-nc-changepriority:syr4-nc-changepriority[syr4-nc-changepriority:name='test2'] ] */
class-map test-class-map {
    /* Refcount: 2 */
    match-all;
    match {
        access-group {
            name test-access-list;
        }
    }
}
First service removal (Not OK, why did the ACL vanish?)
/* Refcount: 1 */
/* Backpointer: [ /ncs:services/syr4-nc-changepriority:syr4-nc-changepriority[syr4-nc-changepriority:name='test2'] ] */
class-map test-class-map {
    /* Refcount: 1 */
    match-all;
}
Do you have any clue about what I'm doing wrong?
Thanks a ton!!
11-19-2017 11:59 PM
Hi, if you check the service-meta-data output you'll see that there's no service owner of that acl configuration (no refcounts or backpointers to a service). Now this might be a problem if the "name" inside access-group container is a leaf-list node.
Prior to NSO 4.5 shared resources on leaf-lists didn't work as expected. So if you're using an older version, updating NSO, if possible, might solve the problem.
Simon
11-20-2017 12:56 AM
Hi Simon,
First of all, thanks! I am not using a leaf-list, but a simple leaf. Should I use a leaf-list for this case?
Thanks
Alexandre
11-20-2017 01:23 AM
Hi,
Sorry, I should be more clear: I was referring to the model of the device (ios NED), not your service model. In the device model that part for the ACLs is probably modeled as a leaf-list.
When 2 services produce the same configuration, you will see 'refcount 2' on that part of the configuration, but for acl (referring to the printout of the show command), you don't have that refcount - NSO doesn't have info that a second service produced that configuration, so when you delete the first instance that config will be gone.
In the 4.5 versions of NSO, handling of shared-resources on leaf-list nodes is done differently and an update should solve the problem. I don't know if there's any other solution, maybe Jan and Roque can have more input on that.
Simon
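The check Simon describes above, automated over `| display service-meta-data` output, as an added example that is not part of the original posts: it lists leaf statements that sit inside a service-owned block but carry no Refcount comment of their own. The parsing relies only on the output format quoted in this thread, and the function name `untracked_leaves` is hypothetical.

```python
import re

# Sample input: the "second service instantiation" output quoted in the thread.
SAMPLE = """\
/* Refcount: 2 */
/* Backpointer: [ /ncs:services/syr4-nc-ratelimit:syr4-nc-ratelimit[syr4-nc-ratelimit:name='test'] /ncs:services/syr4-nc-changepriority:syr4-nc-changepriority[syr4-nc-changepriority:name='test2'] ] */
class-map test-class-map {
    /* Refcount: 2 */
    match-all;
    match {
        access-group {
            name test-access-list;
        }
    }
}
"""

REFCOUNT = re.compile(r"/\*\s*Refcount:\s*(\d+)\s*\*/")


def untracked_leaves(text):
    """Return paths of leaves inside a refcounted block that have no Refcount."""
    stack = []      # (block header, refcount annotated on that block or None)
    pending = None  # Refcount from the comment lines preceding the next statement
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/*"):
            m = REFCOUNT.search(line)
            if m:  # Backpointer comments do not match and are skipped
                pending = int(m.group(1))
            continue
        if line.endswith("{"):
            stack.append((line[:-1].strip(), pending))
        elif line == "}":
            if stack:
                stack.pop()
        elif line.endswith(";"):
            owned = any(rc is not None for _, rc in stack)
            if owned and pending is None:
                path = [name for name, _ in stack] + [line[:-1]]
                findings.append(" / ".join(path))
        pending = None  # an annotation applies only to the statement after it
    return findings


if __name__ == "__main__":
    for leaf in untracked_leaves(SAMPLE):
        print("no refcount:", leaf)
```

A leaf reported here is one NSO has no ownership record for, so it is the part of the shared config at risk when the first service instance is deleted.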
11-20-2017 01:39 AM
Hi,
Thanks again Simon! I am actually using a self-built NETCONF ned but you're giving me an important clue, this might help me. I'll try to upgrade the NSO and let you know.
11-23-2017 02:36 AM
Hi Simon, All,
I upgraded to version 4.5 and this issue is corrected! Thanks a lot all for your precious support.
Alexandre