[vpp-dev] nat44-out2in no translation with multiple tenants #nat #nsh

Cipher Chen Thu, 14 Nov 2019 07:05:05 -0800

Hi all,

I'm testing multiple tenants using nat44-snat, and turns out tenants might be 
mixed.


Assuming two tenants 200 (fib index 1) and 100 (fib index 2):

vpp# show ip fib table 100
ipv4-VRF:100, fib_index:2, flow hash:[src dst sport dport proto ] 
locks:[src:CLI:7, src:plugin-low:1, src:adjacency:3, ]

creating nsh decapsultion tep (nsp: 14000, nsi: 255):

[VPP] create nsh map nsp 14000 nsi 255 mapped-nsp 14000 mapped-nsi 255 
nsh_action pop encap-none 2 0
[VPP] set interface ip table nsh_tunnel6 100
[VPP] set interface nat44 out nsh_tunnel6

this nsh_tunnel6's sw_if_index is 18:

vpp# show interface nsh_tunnel6
Name               Idx    State  MTU (L3/IP4/IP6/MPLS)     Counter          
Count
nsh_tunnel6                       18     up           0/0/0/0       drops       
                  59
ip4                           59
vpp#

but all these turn out that snat out2in goes into wrong vrf:

00:00:29:028228: vxlan4-gpe-input
VXLAN-GPE: tunnel 0 next 5 error 0
00:00:29:028229: nsh-input

nsh ver 0 ttl 3 len 6 (24 bytes) md_type 1 next_protocol 3
service path 14000 service index 255
c1 0 c2 0 c3 0 c4 0

00:00:29:028230: ethernet-input
IP4: ec:f4:bb:c4:ae:80 -> 52:54:00:00:02:00
00:00:29:028230: ip4-input
ICMP: 10.255.1.200 -> 10.255.1.211
tos 0x00, ttl 64, length 84, checksum 0x5c1a
fragment id 0x04f7
ICMP echo_reply checksum 0x31cb
*# HERE, it complains that no session found when this package decapsulated from 
nsh_tunnel6.*
00:00:29:028231: nat44-out2in
NAT44_OUT2IN: sw_if_index 18, next index 0, session index -1
00:00:29:028233: error-drop
rx:nsh_tunnel6
00:00:29:028234: drop
nat44-out2in: no translation

and also, nat44 detail looks weired: i2o works in vrf100-fib2, this is 
expected, but *out2in works in vrf200-fib1*.

vpp# show nat44 sessions detail
NAT44 sessions:
-------- thread 0 vpp_main: 1 sessions --------
192.168.1.1: 1 dynamic translations, 0 static translations
i2o 192.168.1.1 proto icmp port 24403 fib 2
o2i 10.255.1.211 proto icmp port 16253 fib 1
index 0
last heard 90.61
total pkts 85, total bytes 7140
dynamic translation

vpp#

To the best of my knowledge, nsh_tunnel6 was set into vrf100, and decapsulated 
into fib2,
so out2in should also go into fib2 here. Not figure out what cause o2i goes 
into fib1 instead.

Any suggestion would be helpful. Thanks.

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#14599): https://lists.fd.io/g/vpp-dev/message/14599
Mute This Topic: https://lists.fd.io/mt/57703484/21656
Mute #nsh: https://lists.fd.io/mk?hashtag=nsh&subid=1480452
Mute #nat: https://lists.fd.io/mk?hashtag=nat&subid=1480452
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[vpp-dev] nat44-out2in no translation with multiple tenants #nat #nsh

Reply via email to