NSX-T Data Center Global Manager REST API
PolicyTraceflowObservationDroppedLogical (schema)
Name | Description | Type | Notes |
---|---|---|---|
acl_rule_id | The id of the L3 firewall rule that was applied to drop the traceflow packet This field is specified when the traceflow packet matched a L3 firewall rule. |
integer | Readonly |
acl_rule_path | Access Control List Rule Path The path of the ACL rule that was applied to forward the traceflow packet |
string | Readonly |
arp_fail_reason | The detailed drop reason of ARP traceflow packet This field specifies the ARP fails reason ARP_TIMEOUT - ARP failure due to query control plane timeout ARP_CPFAIL - ARP failure due post ARP query message to control plane failure ARP_FROMCP - ARP failure due to deleting ARP entry from control plane ARP_PORTDESTROY - ARP failure due to port destruction ARP_TABLEDESTROY - ARP failure due to ARP table destruction ARP_NETDESTROY - ARP failure due to overlay network destruction |
string | Readonly Enum: ARP_UNKNOWN, ARP_TIMEOUT, ARP_CPFAIL, ARP_FROMCP, ARP_PORTDESTROY, ARP_TABLEDESTROY, ARP_NETDESTROY |
component_id | The id of the component that dropped the traceflow packet. | string | Readonly |
component_name | The name of the component that issued the observation. | string | Readonly |
component_path | The path of the component that dropped the traceflow packet | string | Readonly |
component_sub_type | The sub type of the component that issued the observation. | TraceflowComponentSubType | Readonly |
component_type | The type of the component that issued the observation. | TraceflowComponentType | Readonly |
interface_path | Path of interface | string | Readonly |
ipsec_fail_reason | The detailed drop reason of IPSec VPN traceflow packet This field specifies the IPSec VPN fails reason IPSEC_SA_NOT_FOUND - IPSec SA required for processing the packet does not exist IPSEC_UDP_ENC_STATE_MISMATCH - ESP packet is UDP encapsulated but IPsec SA does not expect UDP encapsulation IPSEC_SEQ_ROLLOVER - IPSec SA sequence number has exceeded the maximum value IPSEC_FRAG_NEEDED - Received packet has DF bit set in IP header but requires fragmentation due to ESP encapsulation IPSEC_TUN_IFACE_DOWN - IPSec tunnel interface is down IPSEC_POLICY_NOMATCH - Received packet does not match IPSec policy IPSEC_POLICY_BLOCK - IPSec packet processing failed IPSEC_POLICY_ERROR - IPSec packet processing failed IPSEC_REPLAY_SEQ_NUM_REPEAT - IPSec packet is dropped due to replay IPSEC_REPLAY_RECV_DELAY - IPSec packet is dropped due to replay IPSEC_REPLAY_PROC_DELAY - IPSec packet is dropped due to replay IPSEC_ZERO_SEQ_NUM_RECVD - ESP packet is received with sequence number as zero IPSEC_ENQUEUE_FAIL - Packet processing failed during crypto operation IPSEC_AUTH_DGST_MISMATCH - Packet integrity check failed due to digest mismatch IPSEC_AUTH_DGST_SIZE_MISMATCH - Packet integrity check failed due to invalid digest length IPSEC_AUTH_UNSUPPORTED_ALGO - Packet integrity check failed due to unsupported hash algorithm IPSEC_CRYPTO_FAIL - Packet processing failed during crypto operation IPSEC_CRYPTO_PROC_INCOMPLETE - Packet processing failed during crypto operation IPSEC_CRYPTO_SESSION_INV - Packet processing failed during crypto operation IPSEC_CRYPTO_ARGS_INV - Packet processing failed during crypto operation IPSEC_CRYPTO_PROC_ERROR - Packet processing failed during crypto operation IPSEC_CRYPTO_NO_BUF_SPACE - Packet processing failed during crypto operation IPSEC_CRYPTO_UNSUPPORTED_CIPHER - Packet processing failed during crypto operation IPSEC_MALFORMED - Received ESP packet is malformed IPSEC_MALFORMED_INV_PADDING - Received ESP packet is malformed IPSEC_PADDING_REMOVAL_FAILED - Received ESP packet is malformed IPSEC_INNER_MALFORMED - IP packet after ESP decryption is malformed IPSEC_INNER_MALFORMED_IP - IP packet after ESP decryption is malformed IPSEC_INNER_MALFORMED_UDP - IP packet after ESP decryption is malformed IPSEC_INNER_MALFORMED_TCP - IP packet after ESP decryption is malformed IPSEC_UNKNOWN - IPSec VPN failure reason is unknown |
string | Readonly Enum: IPSEC_SA_NOT_FOUND, IPSEC_UDP_ENC_STATE_MISMATCH, IPSEC_SEQ_ROLLOVER, IPSEC_FRAG_NEEDED, IPSEC_TUN_IFACE_DOWN, IPSEC_POLICY_NOMATCH, IPSEC_POLICY_BLOCK, IPSEC_POLICY_ERROR, IPSEC_REPLAY_SEQ_NUM_REPEAT, IPSEC_REPLAY_RECV_DELAY, IPSEC_REPLAY_PROC_DELAY, IPSEC_ZERO_SEQ_NUM_RECVD, IPSEC_ENQUEUE_FAIL, IPSEC_AUTH_DGST_MISMATCH, IPSEC_AUTH_DGST_SIZE_MISMATCH, IPSEC_AUTH_UNSUPPORTED_ALGO, IPSEC_CRYPTO_FAIL, IPSEC_CRYPTO_PROC_INCOMPLETE, IPSEC_CRYPTO_SESSION_INV, IPSEC_CRYPTO_ARGS_INV, IPSEC_CRYPTO_PROC_ERROR, IPSEC_CRYPTO_NO_BUF_SPACE, IPSEC_CRYPTO_UNSUPPORTED_CIPHER, IPSEC_MALFORMED, IPSEC_MALFORMED_INV_PADDING, IPSEC_PADDING_REMOVAL_FAILED, IPSEC_INNER_MALFORMED, IPSEC_INNER_MALFORMED_IP, IPSEC_INNER_MALFORMED_UDP, IPSEC_INNER_MALFORMED_TCP, IPSEC_UNKNOWN |
jumpto_rule_id | The ID of the jump-to rule that was applied to the traceflow packet This field is specified when the traceflow packet matched a jump-to rule. |
integer | Readonly |
jumpto_rule_path | Jump-to Rule Path The path of the jump-to rule that was applied to the traceflow packet |
string | Readonly |
l2_rule_id | The ID of the l2 rule that was applied to the traceflow packet This field is specified when the traceflow packet matched a l2 rule. |
integer | Readonly |
l2_rule_path | L2 Rule Path The path of the l2 rule that was applied to the traceflow packet |
string | Readonly |
lport_id | The id of the logical port at which the traceflow packet was dropped | string | Readonly |
lport_name | The name of the logical port at which the traceflow packet was dropped | string | Readonly |
nat_rule_id | The ID of the NAT rule that was applied to drop the traceflow packet This field is specified when the traceflow packet matched a NAT rule. |
integer | Readonly |
nat_rule_path | Network Address Translation Rule Path The path of the NAT rule that was applied to forward the traceflow packet |
string | Readonly |
reason | The reason traceflow packet was dropped This field specifies the drop reason of traceflow packet. ARP_FAIL - ARP request fails for some reasons, please refer arp_fail_reason for detail BFD - BFD packet is dropped because traversed by non-operative interface or encountering internal error (e.g., memory insufficient) BROADCAST - Packet is dropped during traversing the interface (e.g., Edge uplink, Edge centralized service port) which disallow ethernet broadcast DHCP - DHCP packet is malformed DLB - The packet is disallowed by distributed load balancing FW_RULE - The packet matches a drop or reject rule of DFW or Edge firewall GENEVE - GENEVE packet is malformed GRE - GRE packet is malformed or traverses a non-operative interface IFACE - Packet traverses a non-operative interface IP - Packet is dropped because of IP related causes (e.g., ICMPv4/ICMPv6 packet is malformed, or DF flag is set but fragment must be performed for the packet) or corresponding interface is not found or inoperative IP_REASS - Packet is dropped during IP reassembly IPSEC - IPsec protocol related packet is dropped IPSEC_VTI - IPsec required SA is not found or traversing inoperative interface cause packet dropped L2VPN - VLAN id of GRE packet is invalid L4PORT - Layer 4 packet (e.g., BFD, DHCP) is dropped LB - Packet is dropped by load balancing rule LROUTER - Packet is dropped by logical router LSERVICE - Packet is malformed or traverses inoperative logical service interface LSWITCH - Packet is dropped by logical switch MANAGEMENT - Packet is dropped by Edge datapath MANAGEMENT service port MD_PROXY - Packet is dropped by metadata proxy NAT - Packet is dropped by NAT rule RTEP_TUNNEL - Unused drop reason ND_NS_FAIL - Neighbor Discovery packet fails NEIGH - ARP or Neighbor Discovery packet fails NO_EIP_FOUND - Destination IP is not an elastic IP NO_EIP_ASSOCIATION - Elastic IP is not associated with active edge VDR ENI NO_ENI_FOR_IP - There is no ENI found for the destination IP NO_ENI_FOR_LIF - Cannot find an ENI associated with uplink LIF NO_ROUTE - Cannot find route for destination IP NO_ROUTE_TABLE_FOUND - Cannot find associated route table NO_UNDERLAY_ROUTE_FOUND - Cannot find AWS route to destination NOT_VDR_DOWNLINK - Packet is not forwarded to VMC unmanaged VDR downlink NO_VDR_FOUND - VMC unmanaged VDR associated with Edge uplink is not found NO_VDR_ON_HOST - Cannot find VMC unmanaged VDR list on this host NOT_VDR_UPLINK - Packet is not forwarded to VDR uplink SERVICE_INSERT - Packet from guest VM to service VM or from service VM to guest VM is dropped by firewall rule SPOOFGUARD - Packet is blocked by SpoofGuard policy TTL_ZERO - The IPv4 time to live field or the IPv6 hop limit field of packet is zero TUNNEL - Overlay tunnel management packet (VNI value of GENEVE header is 0, e.g., BFD) is dropped VLAN - VLAN id of packet is disallowed by the given port VXLAN - VXLAN packet is malformed or cannot find tunnel port for it VXSTT - Unused drop reason VMC_NO_RESPONSE - Failed to query VMC observations as no response from VMC app WRONG_UPLINK - Packet is not routed to the expected Edge uplink by VMC unmanaged VDR FW_STATE - Packet is dropped by stateful firewall NO_MAC - Drop by vswitch as no destination MAC hit MAC Table. FILTERED_UPLINK - Filtering applied at the corresponding UPLINK having no aggregation. |
string | Readonly Enum: ARP_FAIL, BFD, BROADCAST, DHCP, DLB, FW_RULE, GENEVE, GRE, IFACE, IP, IP_REASS, IPSEC, IPSEC_VTI, L2VPN, L4PORT, LB, LROUTER, LSERVICE, LSWITCH, MANAGEMENT, MD_PROXY, NAT, RTEP_TUNNEL, ND_NS_FAIL, NEIGH, NO_EIP_FOUND, NO_EIP_ASSOCIATION, NO_ENI_FOR_IP, NO_ENI_FOR_LIF, NO_ROUTE, NO_ROUTE_TABLE_FOUND, NO_UNDERLAY_ROUTE_FOUND, NOT_VDR_DOWNLINK, NO_VDR_FOUND, NO_VDR_ON_HOST, NOT_VDR_UPLINK, SERVICE_INSERT, SPOOFGUARD, TTL_ZERO, TUNNEL, VLAN, VXLAN, VXSTT, VMC_NO_RESPONSE, WRONG_UPLINK, FW_STATE, NO_MAC, UNKNOWN, FILTERED_UPLINK |
resource_type | Must be set to the value PolicyTraceflowObservationDroppedLogical | TraceflowObservationType | Required Default: "TraceflowObservationReceived" |
segment_port_path | Path of segment port | string | Readonly |
sequence_no | the sequence number is the traceflow observation hop count the hop count for observations on the transport node that a traceflow packet is injected in will be 0. The hop count is incremented each time a subsequent transport node receives the traceflow packet. The sequence number of 999 indicates that the hop count could not be determined for the containing observation. |
integer | Required Readonly |
service_path_index | The index of service path The index of service path that is a chain of services represents the point where the traceflow packet was dropped. |
integer | Readonly |
site_path | Policy path of the federated site This field contains the site path where this observation was generated. |
string | Readonly |
timestamp | Timestamp when the observation was created by the transport node Timestamp when the observation was created by the transport node (milliseconds epoch) |
EpochMsTimestamp | Readonly |
timestamp_micro | Timestamp when the observation was created by the transport node Timestamp when the observation was created by the transport node (microseconds epoch) |
integer | Readonly |
transport_node_id | id of the transport node that observed a traceflow packet | string | Readonly |
transport_node_name | name of the transport node that observed a traceflow packet | string | Readonly |
transport_node_type | type of the transport node that observed a traceflow packet | TransportNodeType | Readonly |