The vxlan header is present when capturing traffic destined for a docker container running on a node with multiple network interfaces. Result is endless TCP Retransmission errors and connection timeout.
Expected Behavior
vxlan headers to be stripped when sent from an interface that crosses subnet boundaries, regardless of host computer having network interface on same subnet or not.
Alternatively, log errors or better document limitations of multi-interface hosts
Current Behavior
vxlan headers are not stripped, tcp connections timeout
Steps to Reproduce (for bugs)
Configure host nodes in kubernetes as documented below
Deploy tcp server on multi-interface node
Deploy client on single interface node
Deploy ksniff pod with tcpdump alongside server
Send request from client to server
Watch packets enter server network without vxlan headers stripped (no decap)
Context
Machine 1:
interface 172.24.204.0/24
Machine 2:
interface 172.24.214.0/24 (primary)
interface 172.24.204.0/24
See attached pcap files of bad TCP SYN with rtran from both ksniff and host tcpdump: calico_pcap.tar.gz
Relevant calico node config values
```yaml
env:
  # Use Kubernetes API as the backing datastore.
  - name: DATASTORE_TYPE
    value: "kubernetes"
  # Wait for the datastore.
  - name: WAIT_FOR_DATASTORE
    value: "true"
  # Set based on the k8s node name.
  - name: NODENAME
    valueFrom:
      fieldRef:
        fieldPath: spec.nodeName
  # Choose the backend to use.
  - name: CALICO_NETWORKING_BACKEND
    valueFrom:
      configMapKeyRef:
        name: calico-config
        key: calico_backend
  # Cluster type to identify the deployment type
  - name: CLUSTER_TYPE
    value: "k8s,bgp"
  # Auto-detect the BGP IP address.
  - name: IP
    value: "autodetect"
  - name: IP_AUTODETECTION_METHOD
    value: "can-reach=172.24.214.12"
  # Disable IPIP
  - name: CALICO_IPV4POOL_IPIP
    value: "Never"
  # Enable or Disable VXLAN on the default IP pool.
  - name: CALICO_IPV4POOL_VXLAN
    value: "Always"
  # Set MTU for tunnel device used if ipip is enabled
  - name: FELIX_IPINIPMTU
    valueFrom:
      configMapKeyRef:
        name: calico-config
        key: veth_mtu
  # Set MTU for the VXLAN tunnel device.
  - name: FELIX_VXLANMTU
    valueFrom:
      configMapKeyRef:
        name: calico-config
        key: veth_mtu
  # Set MTU for the Wireguard tunnel device.
  - name: FELIX_WIREGUARDMTU
    valueFrom:
      configMapKeyRef:
        name: calico-config
        key: veth_mtu
  # The default IPv4 pool to create on startup if none exists. Pod IPs will be
  # chosen from this range. Changing this value after installation will have
  # no effect. This should fall within `--cluster-cidr`.
  # - name: CALICO_IPV4POOL_CIDR
  #   value: "192.168.0.0/16"
  # Disable file logging so `kubectl logs` works.
  - name: CALICO_DISABLE_FILE_LOGGING
    value: "true"
  # Set Felix endpoint to host default action to ACCEPT.
  - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
    value: "ACCEPT"
  # Disable IPv6 on Kubernetes.
  - name: FELIX_IPV6SUPPORT
    value: "false"
  - name: FELIX_HEALTHENABLED
    value: "true"
  - name: FELIX_LOGSEVERITYSCREEN
    value: "error"
```
Your Environment
Calico version: 3.19
Kubernetes 1.23
Ubuntu 16.04 server
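The last reproduction step relies on reading a pod-side capture and noticing that frames still carry the outer UDP/4789 + VXLAN wrapper. The following decoder, an added example that is not part of the report or of the Calico project, makes that check mechanical: given a raw Ethernet frame (for example one read out of the attached pcap with any pcap library), it reports whether the frame is still VXLAN-encapsulated and, if so, the outer node addresses, the VNI and the inner pod addresses. The sample frame is constructed here (pod addresses 192.168.1.10/192.168.2.20, node addresses from the two subnets in the report, VNI 4096, zeroed checksums) and is not from the attached capture.

```python
"""Added example (not from the Calico issue or project): decode a raw
Ethernet frame and report whether it still carries a VXLAN header.

A frame seen inside the destination pod's network namespace should be a
plain inner frame; if it is still UDP/4789 + VXLAN + inner Ethernet, decap
did not happen on the receiving node."""
import ipaddress
import struct

VXLAN_UDP_PORT = 4789  # IANA-assigned VXLAN port (RFC 7348)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def parse_ethernet(frame: bytes):
    """Return (ethertype, payload) from an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    return struct.unpack("!H", frame[12:14])[0], frame[14:]


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) from an IPv4 packet (no checksum check)."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]


def describe_frame(frame: bytes) -> dict:
    """Classify a frame as 'vxlan' (still encapsulated), 'plain' or 'non-ipv4'.

    For VXLAN frames also return the VNI and the inner IPv4 addresses, so the
    outer (node) and inner (pod) endpoints can be compared side by side."""
    ethertype, payload = parse_ethernet(frame)
    if ethertype != ETHERTYPE_IPV4:
        return {"kind": "non-ipv4", "ethertype": ethertype}
    src, dst, proto, l4 = parse_ipv4(payload)
    plain = {"kind": "plain", "src": src, "dst": dst, "proto": proto}
    if proto != IPPROTO_UDP or len(l4) < 8:
        return plain
    _sport, dport = struct.unpack("!HH", l4[:4])
    if dport != VXLAN_UDP_PORT:
        return plain
    vxlan = l4[8:]  # skip the 8-byte UDP header
    if len(vxlan) < 8:
        raise ValueError("short VXLAN header")
    result = {
        "kind": "vxlan",
        "outer_src": src,
        "outer_dst": dst,
        "valid_vni_flag": bool(vxlan[0] & 0x08),  # RFC 7348 'I' flag
        "vni": int.from_bytes(vxlan[4:7], "big"),  # 24-bit VNI, last byte reserved
    }
    inner_type, inner_payload = parse_ethernet(vxlan[8:])
    if inner_type == ETHERTYPE_IPV4:
        isrc, idst, iproto, _ = parse_ipv4(inner_payload)
        result.update({"inner_src": isrc, "inner_dst": idst, "inner_proto": iproto})
    return result


# --- constructed sample frames (not taken from the attached capture) ---

def _eth(src_mac: bytes, dst_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # Header checksum left at zero; the decoder above does not verify it.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_sample_plain_frame() -> bytes:
    """A TCP SYN between two hypothetical pod IPs, as it should appear after decap."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 8080, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return _eth(b"\x02" * 6, b"\x04" * 6, ETHERTYPE_IPV4,
                _ipv4("192.168.1.10", "192.168.2.20", IPPROTO_TCP, tcp))


def build_sample_vxlan_frame() -> bytes:
    """The same SYN wrapped in VXLAN (VNI 4096) between two node IPs from the
    report's subnets, as it would look if decap had not happened."""
    vxlan_hdr = bytes([0x08, 0, 0, 0]) + (4096).to_bytes(3, "big") + b"\x00"
    udp_payload = vxlan_hdr + build_sample_plain_frame()
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(udp_payload), 0) + udp_payload
    return _eth(b"\x0a" * 6, b"\x0c" * 6, ETHERTYPE_IPV4,
                _ipv4("172.24.204.11", "172.24.214.12", IPPROTO_UDP, udp))


if __name__ == "__main__":
    print(describe_frame(build_sample_vxlan_frame()))
    print(describe_frame(build_sample_plain_frame()))
```

Run over every frame of the pod-side capture, a count of `kind == "vxlan"` results greater than zero is the signature of the behaviour described above; comparing `outer_dst` with the address Felix autodetected on the multi-interface node is the natural next check.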
share `ip addr` and `ip route` output from the server node
share calico-node pod logs from the server? (Not sure how much you'd need to redact.) You would have to change FELIX_LOGSEVERITYSCREEN to info, not sure if that's feasible or not.
Try client -> server traffic using the 172.24.204.x address? I wonder if this works.