Cilium DSR with geneve in native routing mode does not work in Azure #31169
Labels
area/loadbalancing
Impacts load-balancing and Kubernetes service implementations
feature/dsr
Relates to Cilium's Direct-Server-Return feature for KPR.
kind/bug
This is a bug in the Cilium logic.
kind/community-report
This was reported by a user in the Cilium community, eg via Slack.
needs/triage
This issue requires triaging to establish severity and next steps.
sig/datapath
Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
Is there an existing issue for this?
What happened?
Setup
The blue line path is how the http traffic flows (the tcp handshake is not shown)
I have an nginx pod on each vm and a LoadBalancer service for the nginx pods. This is running in azure on aks.
I take a packet capture on vm0 and vm1 and then ping the load balancer ip until the request is routed to cilium, which then routes it to the other vm (if cilium chooses the nginx pod on the same vm that the azure load balancer routed it to the request returns just fine with the load balancer ip as the source). Below are the packet captures:
(pcap: 20.29.225.195 is my ip; 20.112.45.212 is lb; 10.10.0.4 vm 0; 10.10.0.5 vm 1; 192.168.1.174 is nginx on vm 0; request hits vm 1 first)
VM 0
VM 1
Geneve shows the node ips (so if the packet goes to vm0 from vm1, the geneve src is 10.10.0.5 and the dst is 10.10.0.4). The client only sees the handshake and sending out a GET request, but no response after that. The TCP handshake occurs with the load balancer ip, but the directly returning packet has the node's ip (10.10.0.4) as the source.
Second Setup
We also tried with a different mode in Azure with similar results (HTTP OK is sent with the source as the node ip rather than the load balancer ip). Mode is still cilium dsr with geneve without tunnel. More details can be provided.
SNAT Behavior Setup
We compared the DSR behavior with regular SNAT mode (no dsr, no geneve) and found that the HTTP OK is sent back with the load balancer ip as the source.
Request hits vm 1 first, .76 is nginx pod on vm 0, 10.10.0.4 is vm0 and 10.10.0.5 is vm1
VM 0 (Starts at 48)
VM 1 (Starts at 85)
Expected Behavior
The packet successfully gets load balanced to one machine and cilium sends the packet to another machine, where the reply (HTTP OK) returns directly to the client successfully (we get a response). Right now there is no response if the packet is rerouted by cilium to a different vm.
Questions
Cilium Version
1.14.3
Kernel Version
Linux aks-nodepool1-11172287-vmss000000 5.15.0-1054-azure #62-Ubuntu SMP Mon Jan 15 15:51:19 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Kubernetes Version
1.27.9
Regression
No
Sysdump
cilium-sysdump-20240305-100604.zip
Relevant log output
No response
Anything else?
Cilium dsr geneve no tunnel config
Cilium no dsr (snat) config
Nginx yaml
Service yaml
Cilium Users Document
Code of Conduct
The text was updated successfully, but these errors were encountered: