[VPP-1283] NAT does not work in VPP 18.04 in some scenarios #134

vvalderrv · 2025-01-06T19:58:20Z

ssh from a VM behind SNAT to an outside/external host fails in 18.04. It used to work in 18.01 and earlier.

The tcpdump on the outside/external host shows that the TCP connection establishment itself succeeds but then subsequent segments elicit an ICMP unreachable error msg from VPP side even though the segment sizes are well within the MTU on either side.

07:18:48.952331 IP 10.195.131.79.1826 > 10.195.69.200.22: Flags [S], seq 166103352, win 29200, options [mss 1460,sackOK,TS val 4448259 ecr 0,nop,wscale 6], length 0

07:18:48.952390 IP 10.195.69.200.22 > 10.195.131.79.1826: Flags [S.], seq 3294302182, ack 166103353, win 26960, options [mss 1360,sackOK,TS val 3514861845 ecr 4448259,nop,wscale 7], length 0

07:18:48.952581 IP 10.195.131.79.1826 > 10.195.69.200.22: Flags [.], ack 1, win 457, options [nop,nop,TS val 4448259 ecr 3514861845], length 0

07:18:48.952920 IP 10.195.131.79.1826 > 10.195.69.200.22: Flags [P.], seq 1:635, ack 1, win 457, options [nop,nop,TS val 4448260 ecr 3514861845], length 634

07:18:48.952937 IP 10.195.69.200.22 > 10.195.131.79.1826: Flags [.], ack 635, win 221, options [nop,nop,TS val 3514861845 ecr 4448260], length 0

07:18:48.957469 IP 10.195.69.200.22 > 10.195.131.79.1826: Flags [P.], seq 1:42, ack 635, win 221, options [nop,nop,TS val 3514861846 ecr 4448260], length 41

07:18:48.957599 IP 10.195.131.79.1826 > 10.195.69.200.22: Flags [.], ack 42, win 457, options [nop,nop,TS val 4448261 ecr 3514861846], length 0

07:18:48.957991 IP 10.195.69.200.22 > 10.195.131.79.1826: Flags [P.], seq 42:1690, ack 635, win 221, options [nop,nop,TS val 3514861846 ecr 4448261], length 1648

07:18:48.958151 IP 10.195.131.79 > 10.195.69.200: ICMP 10.0.0.12 unreachable - need to frag, length 584

07:18:48.958621 IP 10.195.131.79.1826 > 10.195.69.200.22: Flags [.], ack 42, win 473, options [nop,nop,TS val 4448261 ecr 3514861846,nop,nop,sack 1 \{1390:1690}], length 0

07:18:48.962141 IP 10.195.69.200.22 > 10.195.131.79.1826: Flags [.], seq 42:1390, ack 635, win 221, options [nop,nop,TS val 3514861848 ecr 4448261], length 1348

07:18:48.962288 IP 10.195.131.79 > 10.195.69.200: ICMP 10.0.0.12 unreachable - need to frag, length 584

07:18:49.166141 IP 10.195.69.200.22 > 10.195.131.79.1826: Flags [.], seq 42:1390, ack 635, win 221, options [nop,nop,TS val 3514861899 ecr 4448261], length 1348

07:18:49.166278 IP 10.195.131.79 > 10.195.69.200: ICMP 10.0.0.12 unreachable - need to frag, length 584

07:18:49.574147 IP 10.195.69.200.22 > 10.195.131.79.1826: Flags [.], seq 42:1390, ack 635, win 221, options [nop,nop,TS val 3514862001 ecr 4448261], length 1348

07:18:49.574307 IP 10.195.131.79 > 10.195.69.200: ICMP 10.0.0.12 unreachable - need to frag, length 584

07:18:50.390146 IP 10.195.69.200.22 > 10.195.131.79.1826: Flags [.], seq 42:1390, ack 635, win 221, options [nop,nop,TS val 3514862205 ecr 4448261], length 1348

07:18:50.390306 IP 10.195.131.79 > 10.195.69.200: ICMP 10.0.0.12 unreachable - need to frag, length 584

07:18:52.026093 IP 10.195.69.200.22 > 10.195.131.79.1826: Flags [.], seq 42:1390, ack 635, win 221, options [nop,nop,TS val 3514862614 ecr 4448261], length 1348

07:18:52.026295 IP 10.195.131.79 > 10.195.69.200: ICMP 10.0.0.12 unreachable - need to frag, length 584

The text was updated successfully, but these errors were encountered:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[VPP-1283] NAT does not work in VPP 18.04 in some scenarios #134

[VPP-1283] NAT does not work in VPP 18.04 in some scenarios #134

vvalderrv commented Jan 6, 2025

[VPP-1283] NAT does not work in VPP 18.04 in some scenarios #134

[VPP-1283] NAT does not work in VPP 18.04 in some scenarios #134

Comments

vvalderrv commented Jan 6, 2025