Hi,

I am facing an issue with packets being dropped at the IPSEC decoder.

I have a setup with traffic pumped from pktgen on both ports, and it arrives at a set of VPP-IPSEC gateways (GWs). In the FWD path, the first GW receives from P0 of pktgen, does the encoding and sends it to the second GW, which does the decoding and then sends it towards P1 of the pktgen. The reverse happens in the REV path. In both directions, when I send data at 1Gbps, pkt size 1024, I see packet drops happening during decoding.

I see the following from the traces:

Packet 6

00:01:57:914904: dpdk-input
  TenGigabitEtherneta/0/0 rx queue 0
  buffer 0x153a6: current data 14, length 1064, free-list 0, clone-count 0, totlen-nifb 0, trace 0x5
                  l4-cksum-computed l4-cksum-correct l2-hdr-offset 0 l3-hdr-offset 14
  PKT MBUF: port 0, nb_segs 1, pkt_len 1078
    buf_len 2176, data_len 1078, ol_flags 0x180, data_off 128, phys_addr 0x3674ea00
    packet_type 0x11 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
  IP4: 14:02:ec:70:ae:55 -> 14:02:ec:72:ee:dc
  IPSEC_ESP: 192.168.1.2 -> 192.168.1.1
    tos 0x00, ttl 253, length 1064, checksum 0x3650
    fragment id 0x0000
00:01:57:914915: ip4-input-no-checksum
  IPSEC_ESP: 192.168.1.2 -> 192.168.1.1
    tos 0x00, ttl 253, length 1064, checksum 0x3650
    fragment id 0x0000
00:01:57:914924: ipsec-input-ip4
  esp: sa_id 20 spi 1000 seq 13544422
00:01:57:914925: dpdk-esp-decrypt
  cipher aes-cbc-128 auth sha1-96
  ESP: spi 1000, seq 13544422
00:01:57:914928: dpdk-crypto-input
  status: auth failed
00:01:57:914944: error-drop
  ip4-input: valid ip4 packets

In the same trace, a successful case is as below:

Packet 7

00:01:57:914904: dpdk-input
  TenGigabitEtherneta/0/0 rx queue 0
  buffer 0x1b8af: current data 14, length 1064, free-list 0, clone-count 0, totlen-nifb 0, trace 0x6
                  l4-cksum-computed l4-cksum-correct l2-hdr-offset 0 l3-hdr-offset 14
  PKT MBUF: port 0, nb_segs 1, pkt_len 1078
    buf_len 2176, data_len 1078, ol_flags 0x180, data_off 128, phys_addr 0x364e2c40
    packet_type 0x11 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
  IP4: 14:02:ec:70:ae:55 -> 14:02:ec:72:ee:dc
  IPSEC_ESP: 192.168.1.2 -> 192.168.1.1
    tos 0x00, ttl 253, length 1064, checksum 0x3650
    fragment id 0x0000
00:01:57:914915: ip4-input-no-checksum
  IPSEC_ESP: 192.168.1.2 -> 192.168.1.1
    tos 0x00, ttl 253, length 1064, checksum 0x3650
    fragment id 0x0000
00:01:57:914924: ipsec-input-ip4
  esp: sa_id 20 spi 1000 seq 13544423
00:01:57:914925: dpdk-esp-decrypt
  cipher aes-cbc-128 auth sha1-96
  ESP: spi 1000, seq 13544423
00:01:57:914928: dpdk-crypto-input
  status: success
00:01:57:914945: dpdk-esp-decrypt-post
  cipher aes-cbc-128 auth sha1-96
  TCP: 192.168.100.3 -> 192.168.100.2
    tos 0x00, ttl 3, length 1006, checksum 0x04a7
    fragment id 0x660d
  TCP: 1234 -> 5678
    seq. 0x12345678 ack 0x12345690
    flags 0x10 ACK, tcp header: 20 bytes
    window 8192, checksum 0xd8e8
00:01:57:914945: ip4-input-no-checksum
  TCP: 192.168.100.3 -> 192.168.100.2
    tos 0x00, ttl 3, length 1006, checksum 0x04a7
    fragment id 0x660d
  TCP: 1234 -> 5678
    seq. 0x12345678 ack 0x12345690
    flags 0x10 ACK, tcp header: 20 bytes
    window 8192, checksum 0xd8e8
00:01:57:914953: ip4-lookup
  fib 0 dpo-idx 1 flow hash: 0x00000000
  TCP: 192.168.100.3 -> 192.168.100.2
    tos 0x00, ttl 3, length 1006, checksum 0x04a7
    fragment id 0x660d
  TCP: 1234 -> 5678
    seq. 0x12345678 ack 0x12345690
    flags 0x10 ACK, tcp header: 20 bytes
    window 8192, checksum 0xd8e8
00:01:57:914953: ip4-rewrite
  tx_sw_if_index 2 dpo-idx 1 : ipv4 via 192.168.100.2 TenGigabitEthernetc/0/0: 1402ec70ae6c1402ec70ae540800 flow hash: 0x00000000
  00000000: 1402ec70ae6c1402ec70ae540800450003ee660d0000020605a7c0a86403c0a8
  00000020: 640204d2162e123456781234569050102000d8e800007778797a3031
00:01:57:914953: TenGigabitEthernetc/0/0-output
  TenGigabitEthernetc/0/0
  IP4: 14:02:ec:70:ae:54 -> 14:02:ec:70:ae:6c
  TCP: 192.168.100.3 -> 192.168.100.2
    tos 0x00, ttl 2, length 1006, checksum 0x05a7
    fragment id 0x660d
  TCP: 1234 -> 5678
    seq. 0x12345678 ack 0x12345690
    flags 0x10 ACK, tcp header: 20 bytes
    window 8192, checksum 0xd8e8
00:01:57:914953: TenGigabitEthernetc/0/0-tx
  TenGigabitEthernetc/0/0 tx queue 2
  buffer 0x1b8af: current data 44, length 1020, free-list 0, clone-count 0, totlen-nifb 0, trace 0x6
                  l4-cksum-computed l4-cksum-correct l2-hdr-offset 0 l3-hdr-offset 14
  PKT MBUF: port 0, nb_segs 1, pkt_len 1020
    buf_len 2176, data_len 1020, ol_flags 0x180, data_off 172, phys_addr 0x364e2c40
    packet_type 0x11 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
  IP4: 14:02:ec:70:ae:54 -> 14:02:ec:70:ae:6c
  TCP: 192.168.100.3 -> 192.168.100.2
    tos 0x00, ttl 2, length 1006, checksum 0x05a7
    fragment id 0x660d
  TCP: 1234 -> 5678
    seq. 0x12345678 ack 0x12345690
    flags 0x10 ACK, tcp header: 20 bytes
    window 8192, checksum 0xd8e8

Overall count is as below:

vpp# show interface
              Name               Idx       State          Counter          Count
TenGigabitEtherneta/0/0           1         up       rx packets              82968621
                                                     rx bytes             89440173438
                                                     drops                   10826164
                                                     ip4                    155239708
TenGigabitEthernetc/0/0           2         up       tx packets              72142447
                                                     tx bytes             73585295940
                                                     tx-error                  128640
local0                            0        down
vpp#

RULES:

GW1:

-sh-4.2# cat ipsec.commands
set int ip address TenGigabitEthernetc/0/0 192.168.200.2/24
set int state TenGigabitEthernetc/0/0 up
set ip arp TenGigabitEthernetc/0/0 192.168.100.2 14:02:ec:70:ae:6c
set int ip address TenGigabitEtherneta/0/0 192.168.1.1/24
set int state TenGigabitEtherneta/0/0 up
set ip arp TenGigabitEtherneta/0/0 192.168.1.2 14:02:EC:70:AE:55
ipsec sa add 10 spi 1001 esp tunnel-src 192.168.1.1 tunnel-dst 192.168.1.2 crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96
ipsec sa add 20 spi 1000 esp tunnel-src 192.168.1.2 tunnel-dst 192.168.1.1 crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96
ipsec spd add 1
set interface ipsec spd TenGigabitEtherneta/0/0 1
ipsec policy add spd 1 priority 100 inbound action bypass protocol 50
ipsec policy add spd 1 priority 100 outbound action bypass protocol 50
ipsec policy add spd 1 priority 10 outbound action protect sa 10 local-ip-range 192.168.100.2 - 192.168.100.2 remote-ip-range 192.168.100.3 - 192.168.100.3
ipsec policy add spd 1 priority 10 inbound action protect sa 20 local-ip-range 192.168.100.2 - 192.168.100.2 remote-ip-range 192.168.100.3 - 192.168.100.3
ip route add 192.168.100.3/32 via 192.168.1.2 TenGigabitEtherneta/0/0
ip route add 192.168.100.2/32 via TenGigabitEthernetc/0/0
-sh-4.2#

-sh-4.2# cat ipsec.commands
set int ip address TenGigabitEthernet9/0/1 192.168.200.3/24
set int state TenGigabitEthernet9/0/1 up
set ip arp TenGigabitEthernet9/0/1 192.168.100.3 14:02:ec:70:ae:6d
set int ip address TenGigabitEthernetb/0/1 192.168.1.2/24
set int state TenGigabitEthernetb/0/1 up
set ip arp TenGigabitEthernetb/0/1 192.168.1.1 14:02:EC:72:EE:DC
ipsec sa add 10 spi 1001 esp tunnel-src 192.168.1.1 tunnel-dst 192.168.1.2 crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96
ipsec sa add 20 spi 1000 esp tunnel-src 192.168.1.2 tunnel-dst 192.168.1.1 crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96
ipsec spd add 1
set interface ipsec spd TenGigabitEthernetb/0/1 1
ipsec policy add spd 1 priority 100 outbound action bypass protocol 50
ipsec policy add spd 1 priority 100 inbound action bypass protocol 50
ipsec policy add spd 1 priority 10 inbound action protect sa 10 local-ip-range 192.168.100.3 - 192.168.100.3 remote-ip-range 192.168.100.2 - 192.168.100.2
ipsec policy add spd 1 priority 10 outbound action protect sa 20 local-ip-range 192.168.100.3 - 192.168.100.3 remote-ip-range 192.168.100.2 - 192.168.100.2
ip route add 192.168.100.2/32 via 192.168.1.1 TenGigabitEthernetb/0/1
ip route add 192.168.100.3/32 via TenGigabitEthernet9/0/1
-sh-4.2#

Regards
Shashi
_______________________________________________ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev
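
Added example, not part of the original post and not VPP project code: a small Python script that splits show trace output into packets and tallies the dpdk-crypto-input status per SA, so failed and successful ESP sequence numbers can be compared across a large capture. The sample trace is constructed (abridged from the two packets in the post), and the script assumes the multi-line layout in which each node name is followed by its details on the next lines.

```python
import re
from collections import Counter

# Constructed sample, abridged from Packet 6 and Packet 7 in the post.
SAMPLE_TRACE = """\
Packet 6
00:01:57:914924: ipsec-input-ip4
  esp: sa_id 20 spi 1000 seq 13544422
00:01:57:914925: dpdk-esp-decrypt
  cipher aes-cbc-128 auth sha1-96
  ESP: spi 1000, seq 13544422
00:01:57:914928: dpdk-crypto-input
  status: auth failed
Packet 7
00:01:57:914924: ipsec-input-ip4
  esp: sa_id 20 spi 1000 seq 13544423
00:01:57:914928: dpdk-crypto-input
  status: success
"""

PACKET_RE = re.compile(r"^Packet (\d+)[ \t]*$", re.M)
ESP_RE = re.compile(r"esp: sa_id (\d+) spi (\d+) seq (\d+)")
STATUS_RE = re.compile(r"dpdk-crypto-input\s+status: (.+)")

def parse_trace(text):
    """Return one dict per traced inbound ESP packet."""
    parts = PACKET_RE.split(text)  # ['', '6', body, '7', body, ...]
    rows = []
    for num, body in zip(parts[1::2], parts[2::2]):
        esp = ESP_RE.search(body)
        if not esp:
            continue  # packet never reached ipsec-input-ip4
        st = STATUS_RE.search(body)
        rows.append({"packet": int(num), "sa_id": int(esp.group(1)),
                     "spi": int(esp.group(2)), "seq": int(esp.group(3)),
                     "status": st.group(1).strip() if st else "no crypto status"})
    return rows

def summarize(rows):
    """Count crypto outcomes per (sa_id, spi) pair."""
    out = {}
    for r in rows:
        out.setdefault((r["sa_id"], r["spi"]), Counter())[r["status"]] += 1
    return out

if __name__ == "__main__":
    for r in parse_trace(SAMPLE_TRACE):
        print(r["packet"], r["spi"], r["seq"], r["status"])
    print(summarize(parse_trace(SAMPLE_TRACE)))
```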