- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Доброго дня!
Имеется сервер HPE-DL325 Gen10+ В котором установлены 2 сетевых адаптера:
Intel E810-CQDA2 Ethernet 100Gb 2-port QSFP28 (E810CQDA2BLK) SN 978323 fw.ver 2.15
Intel E810-CQDA1 Ethernet 100Gb 1-port QSFP28 (E810CQDA1BLK)SN 978313 fw.ver 2.30
На сервере установлена ОС CentOS8
Сквозь адаптеры до операционной системы сервера не доходят пакеты GRE (47) использующиеся PPTP протоколом.
Снимали pcap с коммутатора - пакет с порта отправляется. В драйвер сетевой карты ( ни в DPDK ни в ice ) они уже не попадают. Анализировали как софтом, использующим DPDK - в нашем случае это fastdpi от ВАС Экспертс - так и tcpdump'ом.
TCP1723 - проходят нормально, GRE - нет.
Устанавливали в этот же сервер, на место этих адаптеров, адаптеры другого типа - Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01) - проблем нет.
Сможете подсказать, что нужно сделать, чтобы адаптеры заработали нормально??
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Добрый день!
Хорошо, ждем результатов. Без решения этой проблемы мы не можем запустить DPI в работу.
С уважением, Роман.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Roman,
How are you doing? I hope this message finds you well!
We sincerely apologize for the inconvenience that this has brought you. Our engineers are still investigating this request and we hope you don't mind giving us more time in fixing the issue. Rest assured that we will give you an update as soon as we heard from them but no later than 2-4 business days.
Best regards,
Crisselle C.
Intel® Customer Support
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Доброго дня!
Ожидаем решения проблемы.
С уважением, Роман.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Roman,
Thank you for the patience on this matter.
Based on pcap that you have attached/shared, the GRE version is set to 1 which is Enhanced GRE. This is the reason there is an error entry and gets rejected. – ice ddp package parser supports GRE version = 0. Enhanced GRE (GRE version = 1) is not supported.
As far as GRE is concerned we have exact same support in OS and Comms package, so enhanced GRE is not supported in comms package as well.
Engineering is looking into implementing this.
They would also like to verify with you if the above is in your setup.
Looking forward to your reply.
We will follow up after 3 business days in case we don't hear from you.
Best regards,
Crisselle C
Intel Customer Support
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Здравствуйте!
...
Based on pcap that you have attached/shared, the GRE version is set to 1 which is Enhanced GRE. This is the reason there is an error entry and gets rejected. – ice ddp package parser supports GRE version = 0. Enhanced GRE (GRE version = 1) is not supported.
...
Приведу пакет стандартного обмена PPTP протокола:
14:47:08.226142 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 219: (tos 0x0, ttl 64, id 55567, offset 0, flags [none], proto GRE (47), length 205)
77.39.15.227 > 217.13.209.61: GREv1, Flags [key present, sequence# present, ack present], call 36585, seq 23, ack 19, proto PPP (0x880b), length 185
IP (0x0021), length 169: (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 165)
10.10.43.57.5678 > 255.255.255.255.5678: [udp sum ok] UDP, length 137
0x0000: 4500 00cd d90f 0000 402f 999d 4d27 0fe3 E.......@/..M'..
0x0010: d90d d13d 3081 880b 00a9 8ee9 0000 0017 ...=0...........
0x0020: 0000 0013 ff03 0021 4500 00a5 0000 0000 .......!E.......
0x0030: 4011 4506 0a0a 2b39 ffff ffff 162e 162e @.E...+9........
0x0040: 0091 734d 0200 0000 0005 0009 4e61 6769 ..sM........Nagi
0x0050: 6261 746f 7200 0700 0f36 2e34 372e 3820 bator....6.47.8.
0x0060: 2873 7461 626c 6529 0008 0008 4d69 6b72 (stable)....Mikr
0x0070: 6f54 696b 000a 0004 1b92 c100 000b 0009 oTik............
0x0080: 5943 3856 2d56 574b 3700 0c00 0b43 4352 YC8V-VWK7....CCR
0x0090: 3130 3136 2d31 3247 000e 0001 0100 0f00 1016-12G........
0x00a0: 10fe 8000 0000 0000 0000 0000 0000 0000 ................
0x00b0: 3300 1000 1070 7074 702d 636b 6174 3230 3....pptp-ckat20
0x00c0: 302d 7670 6e00 1100 040a 0a2b 39 0-vpn......+9
14:47:08.333819 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 46: (tos 0x0, ttl 59, id 17194, offset 0, flags [none], proto GRE (47), length 32)
217.13.209.61 > 77.39.15.227: GREv1, Flags [key present, ack present], call 43775, ack 23, no-payload, proto PPP (0x880b), length 12
0x0000: 4500 0020 432a 0000 3b2f 3530 d90d d13d E...C*..;/50...=
0x0010: 4d27 0fe3 2081 880b 0000 aaff 0000 0017 M'..............
14:47:11.262946 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 130: (tos 0x0, ttl 59, id 17195, offset 0, flags [none], proto GRE (47), length 116)
217.13.209.61 > 77.39.15.227: GREv1, Flags [key present, sequence# present, ack present], call 43775, seq 20, ack 23, proto PPP (0x880b), length 96
IP6 (0x0057), length 80: (hlim 1, next-header Options (0) payload length: 36) fe80::f0:9b27 > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::2 to_ex { }]
0x0000: 4500 0074 432b 0000 3b2f 34db d90d d13d E..tC+..;/4....=
0x0010: 4d27 0fe3 3081 880b 0050 aaff 0000 0014 M'..0....P......
0x0020: 0000 0017 ff03 0057 6000 0000 0024 0001 .......W`....$..
0x0030: fe80 0000 0000 0000 0000 0000 00f0 9b27 ...............'
0x0040: ff02 0000 0000 0000 0000 0000 0000 0016 ................
0x0050: 3a00 0502 0000 0100 8f00 d3f1 0000 0001 :...............
0x0060: 0400 0000 ff02 0000 0000 0000 0000 0000 ................
0x0070: 0000 0002 ....
Данную запись мы произвели тогда, когда впервые столкнулись с проблемой.
Сквозь наш старый DPI, с установленными 10GBe сетевыми адаптерами, эти пакеты проходят нормально. PPTP Туннель работает.
Сквозь новый DPI сервер, с E810 адаптерами, эти пакеты не проходят.
Прикладываю 4 PCAP файла, которые мы записывали в то время.
ckat80-20210531-client-1.pcap - запись с порта клиента через старый DPI
ckat80-20210531-server1.pcap - запись с порта PPTP сервера ( находится в нашей сети) одновременно с предыдущим.
ckat200-20210531-client-1.pcap - запись с порта клиента через новый сервер..
ckat200-20210531-server1.pcap - запись с порта PPTP сервера , одновременно с предыдущим.
В первых двух записях видно, что соединение установлено и есть обмен пакетами туннеля.
Во вторых двух записях видно, что GRE v1 пакеты и от клиента к серверу и обратно идут только в одном направлении. Обмена нет.
После чего мы и начали наши углубленные исследования.
Очень надеемся на вашу помощь в решении проблемы.
С уважением, Роман.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Roman,
Appreciate your swift response.
Please allow us to communicate your reply to our engineers. We will give you an update as soon as we heard from them but no later than 2-4 business days.
Thank you for your kind understanding.
Best regards,
Crisselle C.
Intel Customer Support
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Roman,
Good day!
Please be informed that we already re-escalated this request to our engineers. Rest assured that we will get back to you as soon as there is any findings but no later than 2-4 business days.
Thank you for your kind patience and stay safe!
Best regards,
Crisselle C.
Intel Customer Support
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Доброго дня!
С большим уже нетерпением ждем решения проблемы. Запустить DPI не можем уже четвертый месяц.
С уважением, Роман.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Roman,
We sincerely apologize for the delay on our update.
We already heard form our engineers and they would like to double check if you have any comments or need for further support after we shared the information about GRE version is set to 1 which is Enhanced GRE (not supported).
Looking forward to your reply.
We will follow up after 3 business days in case we don't receive a response.
Best regards,
Crisselle C.
Intel® Customer Support
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Добрый день!
Да, нам ОЧЕНЬ важна поддержка этого протокола. К сожалению, хоть он и не распространен, но он используется в PPTP протоколе. Который, в свою очередь, используется нашими клиентами. И повлиять на последнее мы никак не можем, поскольку таких клиентов не один и не два, а сотни. И мы просто потеряем этих клиентов, если наша система не будет пропускать пакеты GREv1.
Мы могли бы отказаться от использования карт с чипом Intel E810C, это было бы проще. Но, к сожалению, на данный момент, это единственная карта, с которой DPI протестирован и работает стабильно.
С уважением, Роман.
It is VERY important for us to support Enhanced GRE. Although it is not widespread, it is used in the PPTP protocol, which, in turn, is used by our clients. We have hundreds of such clients, not just 1 or 2. We will lose these clients if our system does not pass GREv1 packets.
С уважением, Роман.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Roman,
We really appreciate the update. We will cascade this information to our engineers and we will update you for any findings but no later than 2-4 business days. Always be safe.
Best regards,
Aldy C.
Intel Customer Support
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Доброго дня!
Нам ожидать решения проблемы, или отказываться от использования карт на E810C ? Если да, то сколько времени это займет?
С уважением, Роман.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Roman,
Please be advised that we are still checking with engineering regarding the mater. We do apologize for the delay and inconvenience this may have caused. Just a clarification request from our engineers, they would like to know if you are using a DPDK?
Looking forward to your reply.
We will make a follow up after 3 business days in case we do not receive a response.
Best regards,
Aldy C.
Intel Customer Support
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Aldy!
Yes, we use the adapter with the DPDK driver. We do not plan to use it with another driver.
It is VERY important for us that the adapter has the ability to pass all types of traffic. Or, at least, fix the current problem with GREv1 as quickly as possible.
I really hope for an early decision.
Best Regards, Roman.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Roman,
Thank you for your quick response. We already cascaded the information to our engineers and we will post another update in 2-4 business days. Always be safe.
Best regards,
Aldy C.
Intel Customer Support
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Доброго дня!
У меня уже нет времени на раздумья, поскольку данный баг тормозит запуск системы. Если бы не этот дефект, а с точки зрения пользователя это не что иное, как дефект, я запустил бы DPI еще в мае. А так - неделя ушла на точное определение источника проблемы, и вот уже более двух месяцев я с Вами переписываюсь.
Хочу добавить, что производитель ПО, из за этого дефекта, начал тестирование сетевых адаптеров mellanox. Через неделю нам дадут ответ о возможности использования адаптера Mellanox CONNECTX-5. Если до конца тестирования проблема с пропуском GREv1 не будет решена, мы вынуждены будем отказаться от использования адаптера на чипе Intel Е810С. Так как для анализа трафика карта, сама принимающая решение что пропустить, а что нет - не годится.
Также хочу добавить, что производитель ПО DPI будет вынужден отметить адаптер на чипе Intel E810С, как ограниченно пригодный к эксплуатации в данных системах.
С уважением, Роман.
Hi Aldy!
I don't have time to think, because this bug slows down the system startup. If it were not for this defect, and from the user's point of view it is nothing more than a defect, I would have launched DPI back in May. And so - it took a week to accurately determine the source of the problem, and for more than two months I have been corresponding with you. I would like to add that the software manufacturer, because of this defect, began testing Mellanox network adapters. In a week we will be given an answer about the possibility of using the Mellanox CONNECTX-5 adapter. If by the end of testing the problem with skipping GREv1 is not resolved, we will have to abandon the use of the adapter on the Intel E810C chip. Since for traffic analysis, a map that decides what to skip and what not is not suitable. I would also like to add that the manufacturer of the DPI software will be forced to mark the adapter on the Intel E810C chip as being of limited use in these systems.
Best Regards, Roman.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Roman,
We acknowledge the latest information that you have provided and we sincerely do apologize for any inconvenience cause. Rest assured that we will inform our engineers about this. Due to complexity of the issue, they may need some more time but I will update you again in 2 to 4 days.
Sincerely,
Aldy C.
Intel Customer Support,
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Roman,
Please be advised that our engineering team is in the process of submitting the necessary requirements in order to get support added for GRE version = 1, which is Enhanced GRE to resolve the issue. It may take some time and we do apologize for any inconvenience caused. Rest assured that we will get back to you as soon we have updates but no later than 2-4 business days.
Thank you for your kind patience and stay safe!
Best regards,
Aldy C.
Intel Customer Support
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Roman,
Please be advised that we are still waiting an update. It may take some time but rest assured that we are monitoring this request. We will get back to you as soon we have updates but no later than 3-5 business days.
Thank you for your kind patience and stay safe!
Best regards,
Aldy C.
Intel Customer Support
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Доброго дня!
Предполагаю, что сегодня ответ будет такой же.. В стиле "пожалуйста подождите еще"..
Ожидание проходит в тестировании сетевого адаптера Mellanox. Предварительные результаты - положительные. Кроме того, что с с адаптером mellanox нет проблем с протоколами, серьезно снизилась нагрузка на центральный процессор. Кроме того стала равномернее распределяться нагрузка между ядрами процессора. Нет проблем с очередями. В общем прихожу к выводу, что адаптер на чипсете Itel E810C действительно не пригоден к работе с системами анализа трафика.
В качестве решения данного вопроса - совет только один полностью отказаться от сетевого адаптера интел, заменив его на адаптер Mellanox.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Roman,
First and foremost, we do apologize for any inconvenience caused but rest assured that we will cascade your update to our engineers. Since you are planning to use Mellanox network adapters, would you like to close this request and not continue the thread anymore? But if not, you are most welcome to keep it open to receive update from us.
Thank you very much and again, apology for any inconvenience caused.
We look forward to hearing from you soon. Should we not hear from you, We will make a followup again after 2 to 3 days.
Sincerely,
Aldy C.
Intel Customer Support
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page