TCP sessions fail over GENEVE overlay due to TCP CHECKSUM INCORRECT errors
Article ID: 385625
Updated On:
Products
Issue/Introduction
- TCP sessions to specific virtual machines fail to complete when routed over a Generic Network Virtualization Encapsulation (GENEVE) overlay.
- Performance degradation may be seen when utilizing network offloading.
- Packet capture may show the client re-sending
SYN/ACKpackets. - Packet capture shows some encapsulated packets have a non-zero padding and/or trailer for some packets.
- Packet capture contains a
[TCP CHECKSUM INCORRECT]error for packets that have non-zero padding and/or trailer (e.g. the above referencedACKpackets) - This issue may be seen only when VMs are on different hosts, but not seen when they are on the same host.
Environment
- VMware vSphere ESXi
- VMware NSX
Cause
The server VM's Guest OS is padding the Ethernet frame with a non-zero trailer.
When the inner TCP checksum calculation includes this non-zero trailer, the physical NIC's hardware Checksum Offload (CSO) fails to calculate the correct checksum for the GENEVE-encapsulated packet.
The receiving end identifies the bad checksum and drops the packet, causing spurious TCP retransmissions.
Resolution
In VMware Cloud Foundation (VCF) 9.0.2, to avoid checksum errors from non-zero trailers, these packets will be handled using software offloading instead of hardware offloading.
Workaround: To work around this issue on older versions, configure the ESXi host to perform checksum calculations via software instead of relying on hardware offload for the affected physical adapters:
Log in to the affected ESXi host via SSH.
Enable software-based IPv4 checksum offload for the specific
vmnicsending GENEVE traffic, need to run the below command from the root shell of esxi host:esxcli network nic software set --ipv4cso=1 -n vmnic# Note: Replace vmnic# with the actual uplink interfaceVerify the change by ensuring
IPv4 CSOis set toon:esxcli network nic software list
Additional Information
Feedback
