<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<div class="moz-cite-prefix">On 5/2/2019 6:03 PM, Zhang, Jing C.
(Nokia - CA/Ottawa) wrote:<br>
</div>
<blockquote type="cite"
cite="mid:HE1PR0701MB25052CAE0E0AE4384B835D2BC4350@HE1PR0701MB2505.eurprd07.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
<font size="2" face="Calibri"><span style="font-size:11pt;">
<div>We (our VNFs) continue to observe the same empty payload
TCP (ACK) packet drop with native firewall (see original
post below) after upgrading to Centos 7.6. This packet drop
results in unacceptable TCP performance, by that native
firewall still can not
be enabled in product.</div>
<div><font face="Times New Roman"> </font></div>
<div><font face="Times New Roman"><a
href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmail.openvswitch.org%2Fpipermail%2Fovs-discuss%2F2018-August%2F047263.html&data=02%7C01%7Croseg%40vmware.com%7C99e374a533314ae804e308d6cf1e77bc%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C636924127135278159&sdata=CJwM1qEQ2vlVQh1Ko2wXQOtQpCLc2cVBkuSC5kB1H9k%3D&reserved=0"
moz-do-not-send="true"><font face="Calibri" color="blue"><u>https://mail.openvswitch.org/pipermail/ovs-discuss/2018-August/047263.html</u></font></a></font></div>
<div><font face="Times New Roman"> </font></div>
<div>$ uname -a</div>
<div>Linux overcloud-sriovperformancecompute-0
3.10.0-957.10.1.el7.x86_64 #1 SMP Mon Mar 18 15:06:45 UTC
2019 x86_64 x86_64 x86_64 GNU/Linux</div>
<div><font face="Times New Roman"> </font></div>
<div>$ ovs-vswitchd --version</div>
<div>ovs-vswitchd (Open vSwitch) 2.9.0</div>
<div>DPDK 17.11.0</div>
<div><font face="Times New Roman"> </font></div>
<div>The scenario: OVS provider VLAN network is used</div>
<div><font face="Times New Roman"> </font></div>
<ol
style="margin:0;padding-left:36pt;list-style-type:decimal;">
<font face="SimSun">
<li>in physical interface of ovs compute zero length tcp
payload packet arrives as padded to 64 bytes (and vlan
tag is included in ethernet header)</li>
<li>same packet does not appear anymore in the tcpdump
taken from tap-xyz interface (once vlan tag is removed
and packet is cut by 4 bytes to 60 bytes)</li>
</font>
</ol>
<div><font face="Times New Roman"> </font></div>
<div><font face="SimSun">Tcpdump on physical port:</font></div>
<div><font face="SimSun"> </font></div>
<div><font face="SimSun">00:25:24.468423 fa:16:3e:d7:bb:2c
> fa:16:3e:ff:dd:29, ethertype 802.1Q (0x8100), length
2674: vlan 3837, p 0, ethertype IPv4, (tos 0x0, ttl 64, id
6893, offset 0, flags [DF], proto TCP (6), length 2656)</font></div>
<div><font face="SimSun"> 192.168.10.52.80 >
192.168.10.60.57576: Flags [P.], cksum 0xa013 (incorrect
-> 0x772d), seq 8961:11577, ack 78, win 210, length
2616: HTTP</font></div>
<div><font face="SimSun" color="red">00:25:24.468593
fa:16:3e:ff:dd:29 > fa:16:3e:d7:bb:2c, ethertype 802.1Q
(0x8100), length 60: vlan 3837, p 0, ethertype IPv4, (tos
0x0, ttl 64, id 56318, offset 0, flags [DF], proto TCP
(6), length 40)</font></div>
<div><font face="SimSun" color="red"> 192.168.10.60.57576
> 192.168.10.52.80: Flags [.], cksum 0x1d34 (correct),
seq 78, ack 11577, win 391, length 0</font></div>
<div><font face="SimSun" color="red">00:25:24.475848
fa:16:3e:ff:dd:29 > fa:16:3e:d7:bb:2c, ethertype 802.1Q
(0x8100), length 60: vlan 3837, p 0, ethertype IPv4, (tos
0x0, ttl 64, id 56319, offset 0, flags [DF], proto TCP
(6), length 40)</font></div>
<div><font face="SimSun" color="red"> 192.168.10.60.57576
> 192.168.10.52.80: Flags [F.], cksum 0x1d33 (correct),
seq 78, ack 11577, win 391, length 0</font></div>
<div><font face="SimSun">00:25:24.480337 fa:16:3e:d7:bb:2c
> fa:16:3e:ff:dd:29, ethertype 802.1Q (0x8100), length
2674: vlan 3837, p 0, ethertype IPv4, (tos 0x0, ttl 64, id
6894, offset 0, flags [DF], proto TCP (6), length 2656)</font></div>
<div><font face="SimSun"> 192.168.10.52.80 >
192.168.10.60.57576: Flags [P.], cksum 0xa013 (incorrect
-> 0x772d), seq 8961:11577, ack 78, win 210, length
2616: HTTP</font></div>
<div><font face="Times New Roman"> </font></div>
<div><font face="SimSun">Tcpdump on vm tap interface:</font></div>
<div><font face="SimSun"> </font></div>
<div><font face="SimSun">00:25:24.468419 fa:16:3e:d7:bb:2c
> fa:16:3e:ff:dd:29, ethertype IPv4 (0x0800), length
2670: (tos 0x0, ttl 64, id 6893, offset 0, flags [DF],
proto TCP (6), length 2656)</font></div>
<div><font face="SimSun"> 192.168.10.52.80 >
192.168.10.60.57576: Flags [P.], cksum 0xa013 (incorrect
-> 0x772d), seq 8961:11577, ack 78, win 210, length
2616: HTTP</font></div>
<div><font face="SimSun">00:25:24.480331 fa:16:3e:d7:bb:2c
> fa:16:3e:ff:dd:29, ethertype IPv4 (0x0800), length
2670: (tos 0x0, ttl 64, id 6894, offset 0, flags [DF],
proto TCP (6), length 2656)</font></div>
<div><font face="SimSun"> 192.168.10.52.80 >
192.168.10.60.57576: Flags [P.], cksum 0xa013 (incorrect
-> 0x772d), seq 8961:11577, ack 78, win 210, length
2616: HTTP</font></div>
<div><font face="Times New Roman"> </font></div>
<div><font face="SimSun">Very straightforward to see the
issue:</font></div>
<div><font face="SimSun"> </font></div>
<ol
style="margin:0;padding-left:36pt;list-style-type:decimal;">
<font face="SimSun">
<li>Configure neutron OVS agent to use native firewall</li>
<li>Create a pair of VMs on separate computes on provider
vLAN</li>
<li>Disable TCP timestamp inside the VMs</li>
<li>Exchange TCP traffic between the VMs, e.g. http
download.</li>
<li>Tcpdump on the physical and vm port, and compare.</li>
</font>
</ol>
<div><font face="Times New Roman"> </font></div>
<div><font face="SimSun">I wonder why such obvious issue is
not widely discussed?</font></div>
</span></font></blockquote>
<br>
I wonder that myself. I would indicate to me that there is some
rare or unique circumstance to your setup or<br>
configuration.<br>
<br>
In any case, we'll just focus on why you're seeing the issue and try
to determine the root cause. I'll probably want<br>
to set up a remote debugging situation so I can interactively view
and troubleshoot the problem. Unfortunately,<br>
that will probably not be doable until I return to work after May 27
because the next week and a half before I go<br>
on PTO is pretty booked up for me.<br>
<br>
Thanks,<br>
<br>
- Greg<br>
<br>
<blockquote type="cite"
cite="mid:HE1PR0701MB25052CAE0E0AE4384B835D2BC4350@HE1PR0701MB2505.eurprd07.prod.outlook.com"><font
size="2" face="Calibri"><span style="font-size:11pt;">
<div><font face="Times New Roman"> </font></div>
<div>Jing</div>
<div><font face="Times New Roman"> </font></div>
<div><font face="Times New Roman"> </font></div>
<div><font face="Times New Roman"> </font></div>
</span></font>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
discuss mailing list
<a class="moz-txt-link-abbreviated" href="mailto:discuss@openvswitch.org">discuss@openvswitch.org</a>
<a class="moz-txt-link-freetext" href="https://mail.openvswitch.org/mailman/listinfo/ovs-discuss">https://mail.openvswitch.org/mailman/listinfo/ovs-discuss</a>
</pre>
</blockquote>
<br>
</body>
</html>