← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1804327] [NEW] occasional connection reset on SNATed after tcp retries

 

Public bug reported:

When neutron ports are connected to DVR routers that are without
floating ip, the traffic is going via SNAT on the network node.

In some cases when the tcp connections that are nat'ed end up
retransmitting, sometimes a packet is being retransmitted by the remote
that is outside what the Linux kernel connection tracking considers part
of valid tcp window. When this happens, the flow is receiving a RST,
terminating the connection on the sender side, while leaving the
receiver side (the neutron port attached VM) hanging.

A similar issue is described elsewhere, e.g.
https://github.com/docker/libnetwork/issues/1090 and the workaround
documented there of setting ip_conntrack_tcp_be_liberal seems to help in
avoiding conntrack to dismiss packets outside the observed tcp window
size which lets the tcp retransmit logic to eventually recover the
connection.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1804327

Title:
  occasional connection reset on SNATed after tcp retries

Status in neutron:
  New

Bug description:
  When neutron ports are connected to DVR routers that are without
  floating ip, the traffic is going via SNAT on the network node.

  In some cases when the tcp connections that are nat'ed end up
  retransmitting, sometimes a packet is being retransmitted by the
  remote that is outside what the Linux kernel connection tracking
  considers part of valid tcp window. When this happens, the flow is
  receiving a RST, terminating the connection on the sender side, while
  leaving the receiver side (the neutron port attached VM) hanging.

  A similar issue is described elsewhere, e.g.
  https://github.com/docker/libnetwork/issues/1090 and the workaround
  documented there of setting ip_conntrack_tcp_be_liberal seems to help
  in avoiding conntrack to dismiss packets outside the observed tcp
  window size which lets the tcp retransmit logic to eventually recover
  the connection.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1804327/+subscriptions


Follow ups