Bug ID 521270: Hypervisor might replace vCMP guest SYN-Cookie secrets

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1

Fixed In:
13.0.0, 12.1.1 HF2, 11.6.1 HF1

Opened: May 04, 2015
Severity: 3-Major

Symptoms

Traffic suddenly stops passing on systems running in vCMP mode when SYN cookie protection is triggered. Occasionally, in hardware SYN cookie mode, the FPGA fails to validate a SYN cookie and the system falls back to the software SYN cookie procedure, which does succeed. On a vCMP guest, you might see the hwalgo_accept counter increasing in the TMCTL table epva_hwvipstat. If the packet is destined for the local TMM's TCP stack, there is no functional impact, only a possible performance cost from the software fallback. With vCMP connection mirroring, however, a packet that the FPGA failed to validate is sent to the remote TMM, which does not hold the correct secret to validate it, and the connection fails.

Impact

On a vCMP guest, you might see hwalgo_accept increasing in the TMCTL table epva_hwvipstat. In hardware SYN cookie mode this counter should not normally grow, because the FPGA is expected to validate every cookie itself; growth means cookies are being handed to the software path. You might also see hwalgo_invalid increasing if the FPGA generated SYN cookies using a secret that the hypervisor had replaced, and the guest's and the hypervisor's secret indexes overlap. Even when the two indexes differ, the hypervisor might overwrite the history (previous) secret, which causes additional hwalgo_accept hits. With vCMP connection mirroring, a packet that the FPGA failed to validate is sent to the remote TMM, which does not have the correct secret, so the failure rate can be higher.

Conditions

The system is provisioned for vCMP (hypervisor with one or more guests). The problem surfaces when SYN cookie protection is triggered, and is most visible in hardware SYN cookie mode and when vCMP connection mirroring is configured.

Workaround

On the vCMP hypervisor, run the following commands:

1. Write the diagnostic setting into the TMM init script:
       echo "EPVA::enable_secret_diag true" > /config/tmm_init.tcl
   Note that ">" replaces the entire file; if /config/tmm_init.tcl already contains other settings, add the line to the existing file instead of overwriting it.

2. Restart TMM so the setting takes effect (this interrupts traffic on the blade while TMM restarts):
       bigstart restart tmm

On a multi-blade system, you must run these commands on every blade.
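The following helper, added here as an example and not part of F5's own tooling, applies the workaround line idempotently and verifies it landed, so that re-running it on several blades neither duplicates the line nor truncates a tmm_init.tcl that already carries other settings. The file path and the restart command are the page's own; everything else is illustrative.

```shell
#!/bin/sh
# Added example (not F5 code): apply "EPVA::enable_secret_diag true" to a
# tmm_init.tcl file without clobbering existing content, then verify it.
# The page's workaround uses ">" which truncates the file; this helper appends
# only when the line is not already present, so it is safe to run repeatedly
# on every blade of a multi-blade hypervisor.

WORKAROUND_LINE='EPVA::enable_secret_diag true'

# ensure_tmm_init_line FILE
# Appends $WORKAROUND_LINE to FILE unless an identical line already exists.
# Prints "added" or "present". Creates FILE if it does not exist.
ensure_tmm_init_line() {
    file="$1"
    [ -e "$file" ] || : > "$file"
    if grep -qxF "$WORKAROUND_LINE" "$file"; then
        echo present
    else
        printf '%s\n' "$WORKAROUND_LINE" >> "$file"
        echo added
    fi
}

# verify_tmm_init_line FILE
# Succeeds (exit 0) only if exactly one copy of the line is present,
# which is what you want to see before restarting TMM.
verify_tmm_init_line() {
    count=$(grep -cxF "$WORKAROUND_LINE" "$1" 2>/dev/null) || count=0
    [ "$count" -eq 1 ]
}

# Typical use on the vCMP hypervisor (path and restart command from the page):
#   ensure_tmm_init_line /config/tmm_init.tcl \
#     && verify_tmm_init_line /config/tmm_init.tcl \
#     && bigstart restart tmm
```

After the restart, watch hwalgo_accept and hwalgo_invalid in the epva_hwvipstat table on the guest; if the counters keep climbing under SYN cookie load, the setting has not taken effect on that blade.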

Fix Information

The hypervisor no longer replaces the vCMP guest's SYN cookie secrets, so the FPGA and the remote TMM validate cookies with the secret the guest actually used.

Behavior Change