-
Bug
-
Resolution: Won't Do
-
Medium
-
None
-
None
-
None
Hi,
I am now testing IPSEC with QAT enable. Although I confirm that QAT VF is enabled and bind to DPDK vfio-pci driver. In startup log there is no "0: dpdk_ipsec_process:1010: not enough DPDK crypto resources, default to OpenSSL". It means that QAT has been initialized in VPP. But when running traffic, no dpdk-esp4-decrypt instead of esp4-decrypt. This probably ipsec seek the wrong ESP node.
Trace log shows below:
00:00:43:821448: dpdk-input
TenGigabitEthernet7/0/0 rx queue 0
buffer 0x4e03: current data 0, length 150, free-list 0, clone-count 0, totlen-nifb 0, trace 0x0
ext-hdr-valid
l4-cksum-computed l4-cksum-correct
PKT MBUF: port 1, nb_segs 1, pkt_len 150
buf_len 2176, data_len 150, ol_flags 0x180, data_off 128, phys_addr 0xed338140
packet_type 0x11 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x0 fdir.hi 0x0 fdir.lo 0x0
Packet Offload Flags
PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
Packet Types
RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
IP4: ac:1f:6b:48:75:da -> ac:1f:6b:46:d6:c6
IPSEC_ESP: 192.168.2.200 -> 192.168.2.201
tos 0x00, ttl 254, length 136, checksum 0x3562
fragment id 0x0000
00:00:43:821490: ethernet-input
frame: flags 0x3, hw-if-index 2, sw-if-index 2
IP4: ac:1f:6b:48:75:da -> ac:1f:6b:46:d6:c6
00:00:43:821516: ip4-input-no-checksum
IPSEC_ESP: 192.168.2.200 -> 192.168.2.201
tos 0x00, ttl 254, length 136, checksum 0x3562
fragment id 0x0000
00:00:43:821535: ipsec4-input
esp: sa_id 10 spd 1 spi 1001 seq 10
00:00:43:821546: esp4-decrypt
esp: crypto aes-cbc-128 integrity sha1-96
00:00:43:821651: ip4-input
ICMP: 192.168.2.200 -> 192.168.2.201
tos 0x00, ttl 254, length 96, checksum 0x35bb
fragment id 0x0000
ICMP echo_request checksum 0xf79d
00:00:43:821661: ip4-lookup
fib 0 dpo-idx 5 flow hash: 0x00000000
ICMP: 192.168.2.200 -> 192.168.2.201
tos 0x00, ttl 254, length 96, checksum 0x35bb
fragment id 0x0000
ICMP echo_request checksum 0xf79d
00:00:43:821679: ip4-local
ICMP: 192.168.2.200 -> 192.168.2.201
tos 0x00, ttl 254, length 96, checksum 0x35bb
fragment id 0x0000
ICMP echo_request checksum 0xf79d
00:00:43:821692: ip4-icmp-input
ICMP: 192.168.2.200 -> 192.168.2.201
tos 0x00, ttl 254, length 96, checksum 0x35bb
fragment id 0x0000
ICMP echo_request checksum 0xf79d
00:00:43:821698: ip4-icmp-echo-request
ICMP: 192.168.2.200 -> 192.168.2.201
tos 0x00, ttl 254, length 96, checksum 0x35bb
fragment id 0x0000
ICMP echo_request checksum 0xf79d
00:00:43:821714: ip4-load-balance
fib 0 dpo-idx 0 flow hash: 0x00000000
ICMP: 192.168.2.201 -> 192.168.2.200
tos 0x00, ttl 64, length 96, checksum 0xe822
fragment id 0x0b99
ICMP echo_reply checksum 0xff9d
00:00:43:821719: ip4-glean
ICMP: 192.168.2.201 -> 192.168.2.200
tos 0x00, ttl 64, length 96, checksum 0xe822
fragment id 0x0b99
ICMP echo_reply checksum 0xff9d
00:00:43:821730: TenGigabitEthernet7/0/0-output
TenGigabitEthernet7/0/0
ARP: ac:1f:6b:46:d6:c6 -> ff:ff:ff:ff:ff:ff
request, type ethernet/IP4, address size 6/4
ac:1f:6b:46:d6:c6/192.168.2.201 -> 00:00:00:00:00:00/192.168.2.200
00:00:43:821742: error-drop
ip4-glean: ARP requests sent
00:00:43:821750: TenGigabitEthernet7/0/0-tx
TenGigabitEthernet7/0/0 tx queue 0
buffer 0x10eca: current data -14, length 42, free-list 0, clone-count 0, trace 0x0
PKT MBUF: port 65535, nb_segs 1, pkt_len 42
buf_len 2176, data_len 42, ol_flags 0x0, data_off 114, phys_addr 0xece3b300
packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x0 fdir.hi 0x0 fdir.lo 0x0
ARP: ac:1f:6b:46:d6:c6 -> ff:ff:ff:ff:ff:ff
request, type ethernet/IP4, address size 6/4
ac:1f:6b:46:d6:c6/192.168.2.201 -> 00:00:00:00:00:00/192.168.2.200
BR
Chen Xiaobo