You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We noticed that if there is a long period of inactivity in packet exchange within a TCP session, newly sent packets (also within this TCP session) do not reach the recipient. The packets are visible as outgoing on the source side but are absent on the other side. This leads to packet retransmissions (TCP retransmissions) and a prolonged period of session closure from the packet source (RTO). Meanwhile, the socket through which this session was established remains open.
Additionally, the debug logs of calico-node show the following messages: Updating/creating an entry in calico contrack.
Documented values of variables affecting the TCP session
Ability to modify these variables (within reasonable limits)
Close the network socket after the connection is terminated in Calico conntrack, or sent RST packets.
Steps to Reproduce (for bugs)
Deploy any clent/server appliance, establish tcp session and do not send network packets for 60 minutes.
After that all new outgoing network packets are drop inside calico conntrack
Context
Unpredictable behavior of applications during long-lived TCP sessions that do not use mechanisms like tcp_keepalive , gRPC pings, etc.
Your Environment
Kuberentes - 1.28.3
Calico with eBPF dataplane - v3.27, v3.28
Ubuntu 20.04 kernel 5.15.0-67-generic
The text was updated successfully, but these errors were encountered:
Would be great to have configuration for those, I've also considered defaulting to the values used in sysctls so we pick up the values that would be used by Linux.
That said, when running on a platform like k8s where pods are ephemeral, I strongly recommend using keepalives of some kind. It's always possible for traffic to get lost somewhere if a node or network element fails. If you can't detect that end-to-end then eventually you'll hit this problem.
We could try to do policy for mid-flow packets that have lost their conntrack entry, bu that depends on the original sender to be the one that sends the next packet (otherwise it'll look like a new flow in the opposite direction, which may have different policy).
Expected Behavior
Current Behavior
We noticed that if there is a long period of inactivity in packet exchange within a TCP session, newly sent packets (also within this TCP session) do not reach the recipient. The packets are visible as outgoing on the source side but are absent on the other side. This leads to packet retransmissions (TCP retransmissions) and a prolonged period of session closure from the packet source (RTO). Meanwhile, the socket through which this session was established remains open.
Additionally, the debug logs of calico-node show the following messages:
Updating/creating an entry in calico contrack.
Delete map records from calico cntrack
After analyzing the code, we found variables that determine the time after which an idle TCP session is terminated.
TCPEstablished
calico/felix/bpf/conntrack/cleanup.go
Line 135 in e15aecc
https://github.com/projectcalico/calico/blob/fbd2c734ddefc99d5dca5540f70e49ca43e22b64/felix/bpf/conntrack/cleanup.go#L48C3-L48C17
Possible Solution
Steps to Reproduce (for bugs)
Deploy any clent/server appliance, establish tcp session and do not send network packets for 60 minutes.
After that all new outgoing network packets are drop inside calico conntrack
Context
Unpredictable behavior of applications during long-lived TCP sessions that do not use mechanisms like tcp_keepalive , gRPC pings, etc.
Your Environment
The text was updated successfully, but these errors were encountered: