InlineTraceflowObservationDropped1
{
"acl_rule_id": 0,
"arp_fail_reason": "string",
"ipsec_fail_reason": "string",
"jumpto_rule_id": 0,
"l2_rule_id": 0,
"lport_id": "string",
"lport_name": "string",
"nat_rule_id": 0,
"reason": "string"
}
acl_rule_id: This field is specified when the traceflow packet matched an L3 firewall rule.
arp_fail_reason: This field specifies the ARP failure reason.
ARP_TIMEOUT - ARP failure due to query control plane timeout
ARP_CPFAIL - ARP failure due to a failure to post the ARP query message to the control plane
ARP_FROMCP - ARP failure due to deleting ARP entry from control plane
ARP_PORTDESTROY - ARP failure due to port destruction
ARP_TABLEDESTROY - ARP failure due to ARP table destruction
ARP_NETDESTROY - ARP failure due to overlay network destruction
ipsec_fail_reason: This field specifies the IPSec VPN failure reason.
IPSEC_SA_NOT_FOUND - IPSec SA required for processing the packet does not exist
IPSEC_UDP_ENC_STATE_MISMATCH - ESP packet is UDP encapsulated but IPsec SA does not expect UDP encapsulation
IPSEC_SEQ_ROLLOVER - IPSec SA sequence number has exceeded the maximum value
IPSEC_FRAG_NEEDED - Received packet has DF bit set in IP header but requires fragmentation due to ESP encapsulation
IPSEC_TUN_IFACE_DOWN - IPSec tunnel interface is down
IPSEC_POLICY_NOMATCH - Received packet does not match IPSec policy
IPSEC_POLICY_BLOCK - IPSec packet processing failed
IPSEC_POLICY_ERROR - IPSec packet processing failed
IPSEC_REPLAY_SEQ_NUM_REPEAT - IPSec packet is dropped due to replay
IPSEC_REPLAY_RECV_DELAY - IPSec packet is dropped due to replay
IPSEC_REPLAY_PROC_DELAY - IPSec packet is dropped due to replay
IPSEC_ZERO_SEQ_NUM_RECVD - ESP packet is received with sequence number as zero
IPSEC_ENQUEUE_FAIL - Packet processing failed during crypto operation
IPSEC_AUTH_DGST_MISMATCH - Packet integrity check failed due to digest mismatch
IPSEC_AUTH_DGST_SIZE_MISMATCH - Packet integrity check failed due to invalid digest length
IPSEC_AUTH_UNSUPPORTED_ALGO - Packet integrity check failed due to unsupported hash algorithm
IPSEC_CRYPTO_FAIL - Packet processing failed during crypto operation
IPSEC_CRYPTO_PROC_INCOMPLETE - Packet processing failed during crypto operation
IPSEC_CRYPTO_SESSION_INV - Packet processing failed during crypto operation
IPSEC_CRYPTO_ARGS_INV - Packet processing failed during crypto operation
IPSEC_CRYPTO_PROC_ERROR - Packet processing failed during crypto operation
IPSEC_CRYPTO_NO_BUF_SPACE - Packet processing failed during crypto operation
IPSEC_CRYPTO_UNSUPPORTED_CIPHER - Packet processing failed during crypto operation
IPSEC_MALFORMED - Received ESP packet is malformed
IPSEC_MALFORMED_INV_PADDING - Received ESP packet is malformed
IPSEC_PADDING_REMOVAL_FAILED - Received ESP packet is malformed
IPSEC_INNER_MALFORMED - IP packet after ESP decryption is malformed
IPSEC_INNER_MALFORMED_IP - IP packet after ESP decryption is malformed
IPSEC_INNER_MALFORMED_UDP - IP packet after ESP decryption is malformed
IPSEC_INNER_MALFORMED_TCP - IP packet after ESP decryption is malformed
IPSEC_UNKNOWN - IPSec VPN failure reason is unknown
jumpto_rule_id: This field is specified when the traceflow packet matched a jump-to rule.
l2_rule_id: This field is specified when the traceflow packet matched an L2 rule.
lport_id: The id of the logical port at which the traceflow packet was dropped.
lport_name: The name of the logical port at which the traceflow packet was dropped.
nat_rule_id: This field is specified when the traceflow packet matched a NAT rule.
reason: This field specifies the drop reason of the traceflow packet.
ARP_FAIL - ARP request fails for some reason; refer to arp_fail_reason for details
BFD - BFD packet is dropped because it traversed a non-operative interface or encountered an internal error (e.g., insufficient memory)
BROADCAST - Packet is dropped while traversing an interface (e.g., Edge uplink, Edge centralized service port) which disallows ethernet broadcast
DHCP - DHCP packet is malformed
DLB - The packet is disallowed by distributed load balancing
FW_RULE - The packet matches a drop or reject rule of DFW or Edge firewall
GENEVE - GENEVE packet is malformed
GRE - GRE packet is malformed or traverses a non-operative interface
IFACE - Packet traverses a non-operative interface
IP - Packet is dropped because of IP related causes (e.g., ICMPv4/ICMPv6 packet is malformed, or DF flag is set but fragmentation must be performed for the packet) or the corresponding interface is not found or inoperative
IP_REASS - Packet is dropped during IP reassembly
IPSEC - IPsec protocol related packet is dropped
IPSEC_VTI - Packet is dropped because the required IPsec SA is not found or the packet traverses an inoperative interface
L2VPN - VLAN id of GRE packet is invalid
L4PORT - Layer 4 packet (e.g., BFD, DHCP) is dropped
LB - Packet is dropped by load balancing rule
LROUTER - Packet is dropped by logical router
LSERVICE - Packet is malformed or traverses inoperative logical service interface
LSWITCH - Packet is dropped by logical switch
MANAGEMENT - Packet is dropped by Edge datapath MANAGEMENT service port
MD_PROXY - Packet is dropped by metadata proxy
NAT - Packet is dropped by NAT rule
RTEP_TUNNEL - Unused drop reason
ND_NS_FAIL - Neighbor Discovery packet fails
NEIGH - ARP or Neighbor Discovery packet fails
NO_EIP_FOUND - Destination IP is not an elastic IP
NO_EIP_ASSOCIATION - Elastic IP is not associated with active edge VDR ENI
NO_ENI_FOR_IP - There is no ENI found for the destination IP
NO_ENI_FOR_LIF - Cannot find an ENI associated with uplink LIF
NO_ROUTE - Cannot find route for destination IP
NO_ROUTE_TABLE_FOUND - Cannot find associated route table
NO_UNDERLAY_ROUTE_FOUND - Cannot find AWS route to destination
NOT_VDR_DOWNLINK - Packet is not forwarded to VMC unmanaged VDR downlink
NO_VDR_FOUND - VMC unmanaged VDR associated with Edge uplink is not found
NO_VDR_ON_HOST - Cannot find VMC unmanaged VDR list on this host
NOT_VDR_UPLINK - Packet is not forwarded to VDR uplink
SERVICE_INSERT - Packet from guest VM to service VM or from service VM to guest VM is dropped by firewall rule
SPOOFGUARD - Packet is blocked by SpoofGuard policy
TTL_ZERO - The IPv4 time to live field or the IPv6 hop limit field of the packet is zero
TUNNEL - Overlay tunnel management packet (VNI value of GENEVE header is 0, e.g., BFD) is dropped
VLAN - VLAN id of packet is disallowed by the given port
VXLAN - VXLAN packet is malformed or no tunnel port can be found for it
VXSTT - Unused drop reason
VMC_NO_RESPONSE - Failed to query VMC observations as no response from VMC app
WRONG_UPLINK - Packet is not routed to the expected Edge uplink by VMC unmanaged VDR
FW_STATE - Packet is dropped by stateful firewall
NO_MAC - Dropped by vswitch because the destination MAC did not hit the MAC table
FILTERED_UPLINK - Filtering applied at the corresponding UPLINK having no aggregation
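Added example (not part of the API reference or vendor code): a triage helper that resolves a dropped observation's sub-reason, separates policy drops from IPSec replay or integrity failures and plain datapath drops, and collects the rule ids that were specified. The category names, the groupings, the reading of `ipsec_fail_reason` for reasons starting with `IPSEC`, and the treatment of a rule id of 0 as "not specified" are assumptions of this example.

```python
"""Triage a traceflow 'dropped' observation using the reason codes listed above."""

RULE_FIELDS = ("acl_rule_id", "jumpto_rule_id", "l2_rule_id", "nat_rule_id")

# Assumption: reasons the page describes as a rule or policy decision.
POLICY_REASONS = {"FW_RULE", "FW_STATE", "SPOOFGUARD", "NAT", "LB", "DLB",
                  "SERVICE_INSERT"}
# Assumption: IPSec sub-reasons that indicate replay or failed integrity checks.
IPSEC_INTEGRITY = {"IPSEC_REPLAY_SEQ_NUM_REPEAT", "IPSEC_REPLAY_RECV_DELAY",
                   "IPSEC_REPLAY_PROC_DELAY", "IPSEC_ZERO_SEQ_NUM_RECVD",
                   "IPSEC_AUTH_DGST_MISMATCH", "IPSEC_AUTH_DGST_SIZE_MISMATCH"}
UNUSED_REASONS = {"RTEP_TUNNEL", "VXSTT"}  # listed as unused drop reasons


def triage(obs: dict) -> dict:
    reason = obs.get("reason") or "<missing>"
    detail = None
    if reason == "ARP_FAIL":              # the page points to arp_fail_reason
        detail = obs.get("arp_fail_reason")
    elif reason.startswith("IPSEC"):      # assumption: IPSEC and IPSEC_VTI
        detail = obs.get("ipsec_fail_reason")

    if detail in IPSEC_INTEGRITY:
        category = "ipsec-integrity"      # candidate for security review
    elif reason in POLICY_REASONS:
        category = "policy"               # enforcement working as configured
    elif reason in UNUSED_REASONS:
        category = "unexpected"           # should not occur per the listing
    else:
        category = "datapath"             # connectivity or malformed packet

    # Assumption: a rule-id field that is absent or 0 was not specified.
    rules = {f: obs[f] for f in RULE_FIELDS if obs.get(f)}
    return {"category": category, "reason": reason, "detail": detail,
            "port": obs.get("lport_name") or obs.get("lport_id"),
            "rules": rules}


# Constructed sample observations (not captured from a real system).
SAMPLES = [
    {"reason": "FW_RULE", "acl_rule_id": 1042, "lport_name": "web-01/vnic0"},
    {"reason": "IPSEC", "ipsec_fail_reason": "IPSEC_AUTH_DGST_MISMATCH",
     "lport_id": "lp-7"},
    {"reason": "ARP_FAIL", "arp_fail_reason": "ARP_TIMEOUT", "nat_rule_id": 0},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```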