Bug
Resolution: Duplicate
High
After upgrading to VPP from gerrit master branch and commit:
    commit f4fd0d4217ab6c41fe6b093871bd40ac130e6486
    Author: Alexander Chernavin <achernavin@netgate.com>
    Date: Fri Jun 8 11:28:27 2018 -0400
        Fix multiple NAT translation with interface address as external
we have found out the MTU of every TAPv2 is just 1284B, even though 1500B was configured (sw_interface_set_mtu sw_if_index X tag 1500).
For example, when a pod with IP 10.1.1.2, attached to VPP via tap1, tried to connect to service 10.96.0.1:443, which is NATed to 10.3.1.10:6443 behind tap0, PSH-ACKs from 10.3.1.10 were dropped as they apparently exceeded the MTU:
Packet 15:
00:00:50:744829: virtio-input
  virtio: hw_if_index 2 next-index 4 vring 0 len 1396
    hdr: flags 0x00 gso_type 0x00 hdr_len 0 gso_size 0 csum_start 0 csum_offset 0 num_buffers 1
00:00:50:744840: ethernet-input
  IP4: 7e:af:b8:39:02:d9 -> 01:23:45:67:89:42
00:00:50:744854: ip4-input
  TCP: 10.3.1.10 -> 10.1.1.2
    tos 0x00, ttl 64, length 1382, checksum 0x489e
    fragment id 0xd6e4, flags DONT_FRAGMENT
  TCP: 6443 -> 49250
    seq. 0x08fa7251 ack 0xb58a6847
    flags 0x18 PSH ACK, tcp header: 32 bytes
    window 235, checksum 0xace8
00:00:50:744864: nat44-classify
  nat44-classify: next nat44-in2out
00:00:50:744874: nat44-in2out
  NAT44_IN2OUT_FAST_PATH: sw_if_index 2, next index 3, session -1
00:00:50:744909: nat44-in2out-slowpath
  NAT44_IN2OUT_SLOW_PATH: sw_if_index 2, next index 0, session 14
00:00:50:744916: ip4-lookup
  fib 0 dpo-idx 5 flow hash: 0x00000000
  TCP: 10.96.0.1 -> 10.1.1.2
    tos 0x00, ttl 64, length 1382, checksum 0x494a
    fragment id 0xd6e4, flags DONT_FRAGMENT
  TCP: 443 -> 49250
    seq. 0x08fa7251 ack 0xb58a6847
    flags 0x18 PSH ACK, tcp header: 32 bytes
    window 235, checksum 0xc504
00:00:50:744954: ip4-rewrite
  tx_sw_if_index 0 dpo-idx 5 : ipv4 via 10.1.1.2 tap1: mtu:1284 00000000000202fefc0721820800 flow hash: 0x00000403
  00000000: 45000566d6e440003f064a4a0a6000010a01010201bbc06208fa7251b58a6847
  00000020: 801800ebc50400000101080a1c77802110a4fb1a160303003a020000
00:00:50:744966: ip4-icmp-error
  TCP: 10.96.0.1 -> 10.1.1.2
    tos 0x00, ttl 63, length 1382, checksum 0x4a4a
    fragment id 0xd6e4, flags DONT_FRAGMENT
  TCP: 443 -> 49250
    seq. 0x08fa7251 ack 0xb58a6847
    flags 0x18 PSH ACK, tcp header: 32 bytes
    window 235, checksum 0xc504
00:00:50:744973: ip4-lookup
  fib 0 dpo-idx 1 flow hash: 0x00000000
  ICMP: 172.30.1.1 -> 10.96.0.1
    tos 0x00, ttl 255, length 576, checksum 0x023d
    fragment id 0x0000
  ICMP destination_unreachable fragmentation_needed_and_dont_fragment_set checksum 0x1e
00:00:50:744978: ip4-rewrite
  tx_sw_if_index 1 dpo-idx 1 : ipv4 via 192.168.16.1 GigabitEthernet0/8/0: mtu:9202 525400123500080027d3e3ec0800 flow hash: 0x00000000
  00000000: 525400123500080027d3e3ec08004500024000000000fe01033dac1e01010a60
  00000020: 00010304001e0000050445000566d6e440003f064a4a0a6000010a01
00:00:50:744990: nat44-in2out-output
  NAT44_IN2OUT_FAST_PATH: sw_if_index 2, next index 3, session -1
00:00:50:744995: nat44-in2out-output-slowpath
  NAT44_IN2OUT_SLOW_PATH: sw_if_index 2, next index 1, session -1
00:00:50:745000: error-drop
  nat44-in2out-output-slowpath: unsupported ICMP type
The whole trace for the connection is attached as vpp.trace.
Also attached is a pcap for a different TCP session captured from the Linux stack (network namespace behind tap0), which shows a series of PSH-ACK retransmissions.
Is duplicated by: VPP-1283 NAT does not work in VPP 18.04 in some scenarios (Closed)
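A way to find this pattern across a whole trace file such as the attached vpp.trace, as an added example that is not part of the original report or of VPP: the script compares each packet's IP length at ip4-input with the MTU printed by the first ip4-rewrite node and reports where the packet finally ended up. The function names and the line layout of the sample are assumptions; the sample is Packet 15 from the report, abridged.

```python
import re

# Constructed sample: Packet 15 from the report, abridged and re-broken into lines.
TRACE = """\
Packet 15
00:00:50:744854: ip4-input
  TCP: 10.3.1.10 -> 10.1.1.2
    tos 0x00, ttl 64, length 1382, checksum 0x489e
    fragment id 0xd6e4, flags DONT_FRAGMENT
00:00:50:744954: ip4-rewrite
  tx_sw_if_index 0 dpo-idx 5 : ipv4 via 10.1.1.2 tap1: mtu:1284
00:00:50:744966: ip4-icmp-error
00:00:50:744978: ip4-rewrite
  tx_sw_if_index 1 dpo-idx 1 : ipv4 via 192.168.16.1 GigabitEthernet0/8/0: mtu:9202
00:00:50:745000: error-drop
  nat44-in2out-output-slowpath: unsupported ICMP type
"""

NODE = re.compile(r"^\d\d:\d\d:\d\d:\d+: (\S+)$")  # "timestamp: graph-node" line

def split_packets(trace):
    """Return {packet_no: [[node_name, body_text], ...]} from trace text."""
    packets, nodes = {}, None
    for raw in trace.splitlines():
        line = raw.strip()
        if m := re.match(r"Packet (\d+)", line):
            nodes = packets.setdefault(int(m.group(1)), [])
        elif nodes is not None and (n := NODE.match(line)):
            nodes.append([n.group(1), ""])
        elif nodes:
            nodes[-1][1] += line + " "  # continuation line of the current node
    return packets

def mtu_drops(trace):
    """List packets whose ip4-input length exceeds the first egress MTU."""
    findings = []
    for no, nodes in split_packets(trace).items():
        length = mtu = ifname = df = None
        for name, body in nodes:
            if name == "ip4-input" and (m := re.search(r"length (\d+)", body)):
                length, df = int(m.group(1)), "DONT_FRAGMENT" in body
            elif name == "ip4-rewrite" and mtu is None:  # later rewrites carry the ICMP error
                if m := re.search(r"(\S+): mtu:(\d+)", body):
                    ifname, mtu = m.group(1), int(m.group(2))
        if length and mtu and length > mtu:
            findings.append({"packet": no, "interface": ifname, "ip_length": length,
                             "mtu": mtu, "dont_fragment": df,
                             "last_node": nodes[-1][0], "reason": nodes[-1][1].strip()})
    return findings
```

On the sample, `mtu_drops(TRACE)` returns one finding for packet 15 on tap1 (length 1382 against MTU 1284, DF set), ending in error-drop with the NAT node's "unsupported ICMP type" reason, so the sender never receives the fragmentation-needed message.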