AWS 1000v not passing fragmented UDP

I am trying to forward fragmented UDP packets using an AWS 1000v instance from other EC2 instances in the same VPC, but they appear to be dropped on the internal virtual Ethernet interface on the router.

This also applies when pinging the virtual router Ethernet IP with large fragmented ICMPs.

It would appear that the 'MaxTu' drop count is increasing with every packet that is larger than the MTU.

sh platform hardware qfp active statistics drop
-------------------------------------------------------------------------
Global Drop Stats Packets Octets
-------------------------------------------------------------------------
MaxTu                      6        18784

The interface config is as below

interface GigabitEthernet1
description Internet
ip address dhcp
ip nat outside
ip access-group INTERNAL-ACCESS in
negotiation auto
ip virtual-reassembly
!

Amazon support had this to say:

Thank you for getting back to us and clarifying your issue here!

I have reviewed the details of the case and my understanding so far is that you are seeing unexpected behavior on a Cisco CSR1000V instance acting as a router/gateway for your VPC with regard to fragmentation: when packets reach the Cisco CSR1000V instance interfaces without the "Don't Fragment" bit set, the instance doesn't perform the fragmentation.

I was able to test this behavior with icmp traffic and replicate the same issue.

Sending packets with the DF bit set to 0 and a size larger than the MTU will result in not receiving these in the 'debug ip' output or in a capture on the Cisco CSR1000V instance.

Packets with a smaller size than the MTU were received just fine.

Increasing the MTU on the Cisco CSR1000V instance to 9001 resulted in seeing the packets just fine.

To get another data point, I was able to replicate the same behavior when attempting to send traffic through the router: instance <-> CSR <-> VPN <-> instance in another VPC. Now, to understand whether this is related to the AWS EC2 service or to the Cisco IOS XE Software, the fact that changing the MTU made the packets reach the interface was a valid data point.

My version was:

Version 03.14.00.S - Standard Support Release Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(1)S, RELEASE SOFTWARE (fc5)

Also, I was able to run the following command to see how many dropped packets are incremented:

#sh platform hardware qfp active statistics drop
-------------------------------------------------------------------------
Global Drop Stats                      Packets Octets
-------------------------------------------------------------------------
Disabled                                     10          776
MaxTu                                      1484      2436728
UnconfiguredIpv6Fia                           9          690

This is a sample from my test environment and the interesting line is the one from "Global Drop Stats" -> MaxTu 1484 2436728. Each time I was sending packets with a size larger than the MTU, it would increment.

This makes me assume the issue is strictly related to the way Cisco CSR1000v is handling fragmentation.

I would suggest opening a case with Cisco for further investigation of this issue.

Please let us know what the outcome of their investigation is, and don't hesitate to contact us if you have any questions or concerns!
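As an added illustration (not part of the original thread), a small Python helper that diffs two samples of the QFP drop output quoted above so a MaxTu increase stands out, and models how a UDP datagram fragments at a sender MTU of 1500 versus 9001 (the value the support reply raised the interface to). The second sample is constructed; the first is the one from the reply.

```python
import re

# First sample: the output quoted in the support reply. Second sample: constructed,
# with MaxTu advanced by the 6 packets / 18784 octets seen in the original post.
SAMPLE_BEFORE = """\
Global Drop Stats                      Packets Octets
-------------------------------------------------------------------------
Disabled                                     10          776
MaxTu                                      1484      2436728
UnconfiguredIpv6Fia                           9          690
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("1484      2436728", "1490      2455512")

ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")

def parse_qfp_drops(text):
    """Map drop reason -> (packets, octets) from 'sh platform hardware qfp active statistics drop'."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            stats[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return stats

def drop_deltas(before, after):
    """Drop reasons whose packet counter grew between two samples -> (pkt delta, octet delta)."""
    b, a = parse_qfp_drops(before), parse_qfp_drops(after)
    out = {}
    for reason, (pkts, octets) in a.items():
        old_pkts, old_octets = b.get(reason, (0, 0))
        if pkts > old_pkts:
            out[reason] = (pkts - old_pkts, octets - old_octets)
    return out

def fragments_for(datagram_len, sender_mtu):
    """IP fragment sizes a sender with this MTU emits for a datagram of total IP length
    datagram_len (20-byte header, no options); non-final fragments carry payload in 8-byte units."""
    payload = datagram_len - 20
    per_frag = (sender_mtu - 20) // 8 * 8
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(chunk + 20)
        payload -= chunk
    return sizes

def oversized_for(fragment_sizes, interface_mtu):
    """Fragments larger than the receiving interface MTU; the thread ties these to the MaxTu counter."""
    return [s for s in fragment_sizes if s > interface_mtu]
```

A 3000-byte datagram from a 1500-MTU sender arrives as 1500/1500/40-byte fragments and passes, while the same datagram from a 9001-MTU sender arrives as one 3000-byte packet and exceeds a 1500-byte interface MTU.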

1 Reply

Change your EC2 instance type (size), e.g. from m4.large to m4.2xlarge.