Hi Filip Simple NAT.
Regards Yurii ________________________________ От: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) <fiva...@cisco.com> Отправлено: 2 декабря 2019 г. 13:21:26 Кому: Юрий Иванов <format_...@outlook.com>; vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> Копия: Ole Troan (otroan) <otr...@cisco.com> Тема: RE: [vpp-dev] NAT stops processing for big amount of users Hi Yurii, Are you using endpoint-dependent nat or are you using simple NAT ? Best regards, Filip [https://www.cisco.com/c/dam/m/en_us/signaturetool/images/logo/Cisco_Logo_no_TM_Cisco_Blue-RGB_43px.png] Filip Varga Engineer - Software fiva...@cisco.com<mailto:fiva...@cisco.com> Tel: Cisco Systems, Inc. Slovakia cisco.com [http://www.cisco.com/assets/swa/img/thinkbeforeyouprint.gif] Think before you print. This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message. Please click here<http://www.cisco.com/c/en/us/about/legal/terms-sale-software-license-agreement/company-registration-information.html> for Company Registration Information. From: Юрий Иванов <format_...@outlook.com> Sent: Monday, December 2, 2019 8:17 AM To: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) <fiva...@cisco.com>; vpp-dev@lists.fd.io Cc: Ole Troan (otroan) <otr...@cisco.com> Subject: RE: [vpp-dev] NAT stops processing for big amount of users Hi Fillip, I've see you've created a patch, so I try to test it out today. I've build it after applying your code so me version now is: vpp# show version vpp v20.01-rc0~737-g4c82b6f42 built by root on nat-1 at Sat nov 30 11:47:25 EET 2019 After that move my private address traffic to my new vpp nat server. As the rusult VPP stops processing traffic immediately. The configuration is very strightforward with default vpp.conf: set int ip address TenGigabitEthernet1/0/0 10.0.100.1/31 set int ip address TenGigabitEthernet1/0/1 19.246.159.1/25 set int state TenGigabitEthernet1/0/0 up set int state TenGigabitEthernet1/0/1 up ip route add 0.0.0.0/0 via 19.246.159.126 TenGigabitEthernet1/0/1 ip route add 10.0.0.0/8 via 10.0.100.0 TenGigabitEthernet1/0/0 set int nat44 in TenGigabitEthernet1/0/0 out TenGigabitEthernet1/0/1 nat44 add address 19.246.159.5 - 19.246.159.10 There are not many output addresses but I think for testing purposes it will be enough. vpp# show nat44 sessions NAT44 sessions: -------- thread 0 vpp_main: 10240 sessions -------- 10.9.1.19: 10 dynamic translations, 0 static translations 10.71.0.129: 28 dynamic translations, 0 static translations 10.83.0.196: 4 dynamic translations, 0 static translations 10.17.0.127: 12 dynamic translations, 0 static translations 10.79.0.119: 9 dynamic translations, 0 static translations ... -- more -- (1-30/1055) vpp# show nat timeouts udp timeout: 300sec tcp-established timeout: 7440sec tcp-transitory timeout: 240sec icmp timeout: 60sec show logging shows nothing interesting. Strange but only one out address has active counters. vpp# sh nat44 addresses NAT44 pool addresses: 19.246.159.5 tenant VRF independent 0 busy udp ports 0 busy tcp ports 0 busy icmp ports 19.246.159.6 tenant VRF independent 0 busy udp ports 0 busy tcp ports 0 busy icmp ports 19.246.159.7 tenant VRF independent 0 busy udp ports 0 busy tcp ports 0 busy icmp ports 19.246.159.8 tenant VRF independent 0 busy udp ports 0 busy tcp ports 0 busy icmp ports 19.246.159.9 tenant VRF independent 0 busy udp ports 0 busy tcp ports 0 busy icmp ports 19.246.159.10 tenant VRF independent 1350 busy udp ports 8801 busy tcp ports 89 busy icmp ports Port utilization in attached image. ________________________________ От: vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io> <vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>> от имени Юрий Иванов <format_...@outlook.com<mailto:format_...@outlook.com>> Отправлено: 27 ноября 2019 г. 16:22 Кому: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) <fiva...@cisco.com<mailto:fiva...@cisco.com>>; vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io> <vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>> Копия: Ole Troan (otroan) <otr...@cisco.com<mailto:otr...@cisco.com>> Тема: Re: [vpp-dev] NAT stops processing for big amount of users Thanks, I'll wait for your fix. I think using NAT with VPP will be mo' better than iptables/nftables. Best regards, Yurii ________________________________ От: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) <fiva...@cisco.com<mailto:fiva...@cisco.com>> Отправлено: 27 ноября 2019 г. 12:39 Кому: format_...@outlook.com<mailto:format_...@outlook.com> <format_...@outlook.com<mailto:format_...@outlook.com>>; vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io> <vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>> Копия: Ole Troan (otroan) <otr...@cisco.com<mailto:otr...@cisco.com>> Тема: RE: [vpp-dev] NAT stops processing for big amount of users Hi, The issue is related to a bug that affects fast session creation on NAT startup. Basically if network eats all NAT sessions translation_buckets (defaults to 1024) * 10 nat session recyclation stops working. I am about to finish path that should solve this issue. https://jira.fd.io/browse/VPP-1795 Best regards, Filip [https://www.cisco.com/c/dam/m/en_us/signaturetool/images/logo/Cisco_Logo_no_TM_Cisco_Blue-RGB_43px.png] Filip Varga Engineer - Software fiva...@cisco.com<mailto:fiva...@cisco.com> Tel: Cisco Systems, Inc. Slovakia cisco.com [http://www.cisco.com/assets/swa/img/thinkbeforeyouprint.gif] Think before you print. This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message. Please click here<http://www.cisco.com/c/en/us/about/legal/terms-sale-software-license-agreement/company-registration-information.html> for Company Registration Information. From: Ole Troan <otr...@cisco.com<mailto:otr...@cisco.com>> Sent: Tuesday, November 26, 2019 9:42 AM To: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) <fiva...@cisco.com<mailto:fiva...@cisco.com>> Subject: Fwd: [vpp-dev] NAT stops processing for big amount of users Hi Filip, Mind answering this one? Cheers, Ole Begin forwarded message: From: Юрий Иванов <format_...@outlook.com<mailto:format_...@outlook.com>> Subject: [vpp-dev] NAT stops processing for big amount of users Date: 26 November 2019 at 09:17:52 CET To: "vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>" <vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>> Hi I'm try to use VPP NAT feature. For several users it works fine but when I try to NAT more (about 5 000 users and more) it simply stops processing about several seconds. Strange thing than such load is processed with iptables without problems. VPP Process is on and default log file shown nothing. When I remove load from VPP server and restart VPP service it starts working again for very small amount of users (about 10 users). How can I somehow troubleshoot this issue i.e. enabling debug config? My setup use default vpp.conf parameters because it looks reasonable and NAT config build with the help of official wiki. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#14692): https://lists.fd.io/g/vpp-dev/message/14692 Mute This Topic: https://lists.fd.io/mt/61956101/675193 Group Owner: vpp-dev+ow...@lists.fd.io<mailto:vpp-dev+ow...@lists.fd.io> Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [otr...@employees.org<mailto:otr...@employees.org>] -=-=-=-=-=-=-=-=-=-=-=-
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#14747): https://lists.fd.io/g/vpp-dev/message/14747 Mute This Topic: https://lists.fd.io/mt/61956101/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
