Bug | Resolution: Unresolved | Major | 4.14 | Important | Customer Escalated
Description of problem:
RHOCP 4.14.31 does not appear to react properly to the PMTUD mechanism when external traffic reaches a NodePort. This could affect LoadBalancer IPs as well.
A brief summary of the affected communication:
1. An external VPN client connects to the RHOCP NodePort and communicates its MSS to the application pod behind the NodePort.
2. The pod behind the NodePort replies to the request with the appropriate MSS. In this case the affected protocol is TCP, on port 443 from the client's perspective and on a random NodePort on the RHOCP node side.
3. In the network path between the VPN client and the OCP node there is a VPN gateway that does not accept the packet with the replied MTU, and it starts the PMTUD process.
4. This device starts sending ICMP messages with type=3 and code=4 (fragmentation needed) toward the RHOCP node.
5. The messages arrive at the node and reach the primary interface and br-ex. However, the ICMP messages never reach the pods behind the NodePort.
6. As the messages cannot reach the involved pods in their network namespaces, the MTU is never adjusted and the communication fails.
Once the MTU is decreased on the VPN client side, the communication is established successfully because the PMTUD process is no longer triggered. This is further evidence that the PMTUD process on RHOCP nodes with OVN-Kubernetes does not appear to be working as expected.
The reported bug appears to be a regression of OCPBUGS-7433.
Version-Release number of selected component (if applicable): 4.14.31
How reproducible: Not easily.
Steps to Reproduce:
1. Configure a VPN gateway between the VPN client and the RHOCP node
2. Establish a VPN connection with the VPN gateway
3. Configure a lower MTU in the VPN gateway
4. Establish a connection from the VPN client to a NodePort service
5. Check whether the VPN gateway sends ICMP messages
Actual results: The ICMP messages produced by PMTUD do not reach the backend pods behind the NodePort.
Expected results: The ICMP messages produced by PMTUD should reach the backend pods so that the PMTUD process works as expected (RFC 1191).
Additional info:
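As an added diagnostic example (not part of this bug report or of OVN-Kubernetes), the following Python parses ICMPv4 "fragmentation needed" messages as they would be captured on br-ex: it validates the checksum, extracts the RFC 1191 Next-Hop MTU and the quoted flow, and keeps only messages about packets the node sent from a NodePort, which is what should be forwarded into the pod's network namespace. The node/client addresses, ports and MTU values used below are constructed samples.

```python
import struct
from dataclasses import dataclass
ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4
NODEPORT_RANGE = (30000, 32767)  # Kubernetes default --service-node-port-range

@dataclass
class FragNeeded:
    next_hop_mtu: int  # RFC 1191 Next-Hop MTU (ICMP bytes 6-7)
    src: str           # flow of the quoted datagram, i.e. the packet that was too big
    dst: str
    sport: int
    dport: int

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; yields 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_frag_needed(icmp: bytes):
    """Return FragNeeded for a valid ICMPv4 type 3 / code 4 message, else None."""
    if len(icmp) < 8 + 20 + 8 or icmp_checksum(icmp) != 0:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    inner = icmp[8:]  # quoted IPv4 header + first 8 bytes of its payload
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or inner[9] != 6 or len(inner) < ihl + 8:
        return None  # only IPv4/TCP flows matter for the NodePort case
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return FragNeeded(mtu, src, dst, sport, dport)

def nodeport_frag_needed(messages, port_range=NODEPORT_RANGE):
    """Keep messages about node replies sent from a NodePort (the quoted source port)."""
    parsed = [m for m in map(parse_frag_needed, messages) if m is not None]
    return [m for m in parsed if port_range[0] <= m.sport <= port_range[1]]

def build_frag_needed(mtu, src, dst, sport, dport) -> bytes:
    """Constructed sample message, as a gateway would send it; for offline testing."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHI", sport, dport, 1)  # ports + seq: the 8 quoted bytes
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu) + ip + tcp
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
```

Feeding this the ICMP payloads captured on the primary interface, br-ex and inside the pod's namespace shows at which hop the NodePort-related Frag-Needed messages stop.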