Comments (2)
When looking at the flow using tcpdump, we did see that the application pod did receive the SYN call from the ingress. However, when the application pod was attempting to send the SYN-ACK back, the packet appears to be unable to route back to the ingress, followed by the ingress attempting to restart the TCP flow.
```
19:23:00.745947 IP ip-100-66-155-240.us-west-2.compute.internal.46283 > ip-100-66-156-47.us-west-2.compute.internal.7654: Flags [S], seq 2885681828, win 62727, options [mss 8961,sackOK,TS val 340353580 ecr 0,nop,wscale 7], length 0
19:23:00.745967 IP ip-100-66-156-47.us-west-2.compute.internal.7654 > ip-100-66-155-240.us-west-2.compute.internal.46283: Flags [S.], seq 3184591693, ack 2885681829, win 62643, options [mss 8961,sackOK,TS val 3149138160 ecr 340353580,nop,wscale 7], length 0
19:23:00.745984 IP ip-100-66-156-47.us-west-2.compute.internal.7654 > ip-100-66-155-240.us-west-2.compute.internal.46283: Flags [S.], seq 3184591693, ack 2885681829, win 62643, options [mss 8961,sackOK,TS val 3149138160 ecr 340353580,nop,wscale 7], length 0
19:23:01.755860 IP ip-100-66-155-240.us-west-2.compute.internal.46283 > ip-100-66-156-47.us-west-2.compute.internal.7654: Flags [S], seq 2885681828, win 62727, options [mss 8961,sackOK,TS val 340354590 ecr 0,nop,wscale 7], length 0
19:23:01.755887 IP ip-100-66-156-47.us-west-2.compute.internal.7654 > ip-100-66-155-240.us-west-2.compute.internal.46283: Flags [S.], seq 3184591693, ack 2885681829, win 62643, options [mss 8961,sackOK,TS val 3149139170 ecr 340353580,nop,wscale 7], length 0
19:23:01.755904 IP ip-100-66-156-47.us-west-2.compute.internal.7654 > ip-100-66-155-240.us-west-2.compute.internal.46283: Flags [S.], seq 3184591693, ack 2885681829, win 62643, options [mss 8961,sackOK,TS val 3149139170 ecr 340353580,nop,wscale 7], length 0
19:23:01.755906 IP ip-100-66-156-47.us-west-2.compute.internal.7654 > ip-100-66-155-240.us-west-2.compute.internal.46283: Flags [S.], seq 3184591693, ack 2885681829, win 62643, options [mss 8961,sackOK,TS val 3149139170 ecr 340353580,nop,wscale 7], length 0
19:23:01.755909 IP ip-100-66-156-47.us-west-2.compute.internal.7654 > ip-100-66-155-240.us-west-2.compute.internal.46283: Flags [S.], seq 3184591693, ack 2885681829, win 62643, options [mss 8961,sackOK,TS val 3149139170 ecr 340353580,nop,wscale 7], length 0
```
from cilium.
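The symptom in the capture above (the client retransmits its SYN while the pod's SYN-ACKs are never acknowledged) can be checked for mechanically in tcpdump text output. This is an added example, not part of the original comment or of the Cilium project; the sample capture, its addresses and the function name `stalled_handshakes` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's default text format (addresses are placeholders).
SAMPLE = """\
19:23:00.745947 IP 10.0.0.1.46283 > 10.0.0.2.7654: Flags [S], seq 100, win 62727, length 0
19:23:00.745967 IP 10.0.0.2.7654 > 10.0.0.1.46283: Flags [S.], seq 900, ack 101, win 62643, length 0
19:23:01.755860 IP 10.0.0.1.46283 > 10.0.0.2.7654: Flags [S], seq 100, win 62727, length 0
19:23:01.755887 IP 10.0.0.2.7654 > 10.0.0.1.46283: Flags [S.], seq 900, ack 101, win 62643, length 0
19:23:02.000100 IP 10.0.0.3.50000 > 10.0.0.2.7654: Flags [S], seq 500, win 62727, length 0
19:23:02.000120 IP 10.0.0.2.7654 > 10.0.0.3.50000: Flags [S.], seq 700, ack 501, win 62643, length 0
19:23:02.000300 IP 10.0.0.3.50000 > 10.0.0.2.7654: Flags [.], ack 701, win 490, length 0
"""

# Captures: source host.port, destination host.port, TCP flag string.
LINE = re.compile(r"^\S+ IP (\S+) > (\S+): Flags \[([^\]]+)\]")

def stalled_handshakes(capture):
    """Return {(client, server): (syn_count, synack_count)} for flows where the
    client retransmitted its SYN and never acknowledged any SYN-ACK."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "acked": False})
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip non-TCP or truncated lines
        src, dst, flags = m.groups()
        if flags == "S":                       # client -> server SYN
            flows[(src, dst)]["syn"] += 1
        elif flags == "S.":                    # server -> client SYN-ACK
            flows[(dst, src)]["synack"] += 1
        elif (src, dst) in flows and "S" not in flags and "R" not in flags:
            flows[(src, dst)]["acked"] = True  # client completed the handshake
    return {
        flow: (c["syn"], c["synack"])
        for flow, c in flows.items()
        if c["syn"] >= 2 and c["synack"] >= 1 and not c["acked"]
    }

if __name__ == "__main__":
    for (client, server), (syn, synack) in stalled_handshakes(SAMPLE).items():
        print(f"{client} -> {server}: {syn} SYN, {synack} SYN-ACK, no ACK seen")
```

A flow reported here means the reply path is broken somewhere between the capture point and the client, which is the condition described in the comment.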
Thanks for your issue.
As mentioned in your comment, the workaround is to set bpf.hostLegacyRouting=true. You can probably set endpointRoutes.enabled=true as well.
Based on my previous investigation, most likely it's due to the block below, especially the variable ENABLE_SKIP_FIB.
cilium/pkg/datapath/linux/config/config.go
Lines 1048 to 1059 in 451c3b2