What do transmit errors on Linux IPsec virtual tunnel interfaces indicate?

Our monitoring system is indicating transmit errors on the IPsec VTIs on our Vyatta Core routers when they are under high load. They only appear fairly occasionally, and don't appear to seriously impact performance (we're getting pretty close to 100 Mbps on a 100 Mbps link), but there seems to be very little information out there about what constitutes a transmit error on a VTI. I'm sure the information exists in the kernel sources, but having no kernel development experience, it could take me days or weeks to understand it enough to answer the question. Where can I find more information about this?


Solution 1:

The transmit errors on VTI interfaces (and other tunneling interfaces) have special meanings. Unfortunately this is poorly documented, and I've looked into the kernel source code to investigate it (see the /net/ipv4/ip_vti.c file).

To list the categories of TX errors, use the ip -s -s -d link show [ dev <vti-iface> ] command.

TX carrier errors and troubleshooting:

  • No suitable route was found - check it with the ip route get <dst> command
  • No suitable policy was found - check the policies with the ip xfrm policy get ... command
  • No suitable SA was found - check the SA status with the ip xfrm state get ... command
  • The SA isn't in tunnel mode - check the SA mode with the ip xfrm state show or ip xfrm state get ... commands

TX collision errors:

  • Routing loop found - after transformation the packet would be sent back through the same VTI interface; check the SA configuration and the routing configuration.
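As an added example (not part of the answer above), the following script parses the TX counter block of the ip -s -s -d link show output and maps growth in the carrier and collsns columns to the checks listed above. The sample output is constructed, not captured from a real router, and the column layout (bytes packets errors dropped carrier collsns) is assumed from the iproute2 extended statistics format.

```python
import re

# Constructed sample of `ip -s -s -d link show dev vti0` output (not from a real router).
SAMPLE = """\
5: vti0@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT
    vti remote any local any ikey 0 okey 0
    RX:  bytes packets errors dropped  missed   mcast
      1234567    9876      0       0       0       0
    TX:  bytes packets errors dropped carrier collsns
      7654321    8765      3       0       3       1
    TX errors: aborted   fifo  window heartbt transns
                     0      0       0       0       0
"""

# Matches the "TX:" header row only; the "TX errors:" row has no colon right after TX.
TX_HEADER = re.compile(r"^\s*TX:\s+(.*)$")

def parse_tx_counters(text):
    """Return the TX counter row of `ip -s -s link show` as a dict keyed by column name."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = TX_HEADER.match(line)
        if m and i + 1 < len(lines):
            names = m.group(1).split()
            values = lines[i + 1].split()
            if len(names) != len(values):
                raise ValueError("TX header and value rows do not line up")
            return dict(zip(names, map(int, values)))
    raise ValueError("no TX counter block found")

# Troubleshooting hints from the answer, keyed by the counter they apply to.
HINTS = {
    "carrier": [
        "no suitable route: ip route get <dst>",
        "no suitable policy: ip xfrm policy get ...",
        "no suitable SA, or SA not in tunnel mode: ip xfrm state get ... / ip xfrm state show",
    ],
    "collsns": [
        "routing loop: transformed packet routed back into the same VTI; check SA and routing config",
    ],
}

def diagnose(before, after):
    """Compare two snapshots; return (counter, increase, hint) for every counter that grew."""
    return [(name, after[name] - before[name], hint)
            for name, hints in HINTS.items() if after[name] > before[name]
            for hint in hints]
```

Taking two snapshots some seconds apart under load and feeding them to diagnose() shows which category is actually incrementing, which is what matters when the absolute counters are small.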