Network connectivity issues when accessing a container from a Tanzu worker

Article ID: 317767

Updated On:

Products

VMware NSX
VMware Container Networking with Antrea

Issue/Introduction

  • NSX-T release earlier than 3.2.1.
  • Container cluster with Tanzu.
  • Container Network Interface (CNI) is Antrea.
  • Significant latency is introduced on specific TCP traffic sent by the worker node; this may cause TCP transactions to time out.
  • There will be a high number of TCP retransmissions in the impacted TCP stream.
  • The ESXi host's vmkernel.log may show entries similar to the following:

    2022-01-18T14:29:15.352Z cpu49:104388484)NSX_EncapDoInnerOffload:391:[nsx@6876 comp="nsx-esx" errorCode="ESX34"]Failed to checksum segment: Read only

Environment

VMware NSX-T Data Center

Cause

This issue occurs because checksum calculation for the TCP segment is blocked by a read-only packet buffer descriptor, which prevents checksum offload for the inner packet.

Resolution

This issue is resolved in NSX-T Data Center 3.2.1.

Workaround:

  1. If Antrea is to be used, you can disable Tx segmentation on the worker:

    ethtool -K eth0 tx-udp_tnl-segmentation off && ethtool -K eth0 tx-udp_tnl-csum-segmentation off

  2. If Antrea is not required, you can use Calico as the CNI.
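
To confirm that the ethtool workaround took effect and that the error has stopped, the following added example (not part of the original article) parses `ethtool -k` output and counts the error signature quoted above. The function names are hypothetical, and the sample inputs are constructed apart from the log line taken from this article.

```shell
#!/bin/sh
# Added example: verify the Tx segmentation workaround and look for the
# vmkernel.log error signature. Function names are hypothetical.

# Reads `ethtool -k <iface>` output on stdin and prints whichever of the two
# tunnel segmentation features from the workaround are still "on".
tnl_offloads_on() {
    awk -F': ' '
        $1 ~ /^[ \t]*tx-udp_tnl-(csum-)?segmentation$/ {
            name = $1
            sub(/^[ \t]+/, "", name)
            split($2, state, " ")   # drops a trailing "[fixed]" marker
            if (state[1] == "on") print name
        }'
}

# Reads vmkernel.log content on stdin and prints the number of lines that
# carry the checksum failure quoted in this article.
count_checksum_errors() {
    grep -c 'NSX_EncapDoInnerOffload.*Failed to checksum segment: Read only' || true
}

# Constructed sample: a worker where only one of the two features was disabled.
SAMPLE_ETHTOOL='Features for eth0:
tx-checksumming: on
    tx-udp_tnl-segmentation: on
    tx-udp_tnl-csum-segmentation: off
    tx-gso-partial: off [fixed]'

# First line is the entry shown in this article; the second is constructed.
SAMPLE_LOG='2022-01-18T14:29:15.352Z cpu49:104388484)NSX_EncapDoInnerOffload:391:[nsx@6876 comp="nsx-esx" errorCode="ESX34"]Failed to checksum segment: Read only
2022-01-18T14:29:16.000Z cpu12:1000001)constructed unrelated log line'

echo "Still enabled on sample worker:"
printf '%s\n' "$SAMPLE_ETHTOOL" | tnl_offloads_on
echo "Checksum errors in sample log:"
printf '%s\n' "$SAMPLE_LOG" | count_checksum_errors

# On a real worker:    ethtool -k eth0 | tnl_offloads_on
# On a real ESXi host: count_checksum_errors < /var/log/vmkernel.log
```

Settings applied with `ethtool -K` do not persist across a reboot, so rerun the check after the worker restarts.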

Additional Information

Impact/Risks:
Latency introduced on TCP traffic, or TCP stream may time out.