Loadbalancer NLB Target Group health checks failing since upgrade to v1.16.0

[okamosy]

Is there an existing issue for this?

• I have searched the existing issues

Version

higher than v1.16.0 and lower than v1.17.0

What happened?

I am running a cluster in AWS EKS with three nodes using the Ingress Controller to manage a network load balancer within AWS. After upgrading to 1.16.0, all health checks on the target groups began to fail. Strangely, replacing a node would allow the checks on port 80 for the new instance to return healthy, at least until the Cilium DS is restarted.

While troubleshooting the issue, I noticed that cilium status would periodically return the following error:

controller node-neighbor-link is failing since 4s (2x): unable to determine next hop IPv4 address for eth1 (<node_ip>): remote node IP is non-routable
unable to determine next hop IPv4 address for eth2 (<node_ip>): remote node IP is non-routable
unable to determine next hop IPv4 address for eth3 (<node_ip>): remote node IP is non-routable

I exec'd into the pod reporting this and ran cilium-dbg status and only thing of note was this line:

Modules Health: Stopped(0) Degraded(3) OK(148)

Running cilium-dbg status --verbose showed that node-manager was degraded with the message Failed node neighbor link update. I have not been able to determine if the two issues are connected, but I have stripped down our values.yaml to the bare minimum of settings in order to see if our configuration is at fault, but have not been able to restore the health checks.

How can we reproduce the issue?

1. Install Cilium with the following values.yaml file:

egressMasqueradeInterfaces: eth0
eni:
  awsReleaseExcessIPs: true
  enabled: true
envoy:
  enabled: true
ingressController:
  enableProxyProtocol: false
  enabled: true
  loadbalancerMode: shared
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-alpn-policy: HTTP2Preferred
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
      service.beta.kubernetes.io/aws-load-balancer-internal: "true"
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <ssl-cert-arn>
      service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS13-1-2-2001-06
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
      service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=false
      service.beta.kubernetes.io/aws-load-balancer-type: nlb
ipam:
  mode: eni
ipv4NativeRoutingCIDR: <CIDR>
k8sServiceHost: <eks-endpoint>
k8sServicePort: 443
kubeProxyReplacement: true
routingMode: native

Cilium Version

v1.16.0

Kernel Version

5.10.219-208.866.amzn2.x86_64

Kubernetes Version

v1.29.4-eks-036c24b

Regression

v1.15.6

Sysdump

No response

Relevant log output

No response

Anything else?

No response

Cilium Users Document

• Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

• I agree to follow this project's Code of Conduct

[rmostdvb]

We run into a similar issue. We have connected to the nodes to see if the ports are listening turns out in our case the ports are not listening. Still looking for a fix though.

On the new release:
Using Cilium 1.16.0, Bottlerocket v1.20.4 and kubernetes v1.28

[root@admin]# curl -v localhost:30443
* Uses proxy env variable no_proxy == 'localhost,127.0.0.1,<redacted>.eks.amazonaws.com,.cluster.local'
*   Trying 127.0.0.1:30443...
* Immediate connect fail for 127.0.0.1: Operation not permitted
*   Trying [::1]:30443...
* connect to ::1 port 30443 failed: Connection refused
* Failed to connect to localhost port 30443 after 0 ms: Couldn't connect to server
* Closing connection
curl: (7) Failed to connect to localhost port 30443 after 0 ms: Couldn't connect to server

On the old release:
Using Cilium 1.15.7, Bottlerocket v1.20.4 and kubernetes v1.28

[root@admin]# curl -v localhost:30443
* Uses proxy env variable no_proxy == 'localhost,127.0.0.1,<redacted>.eks.amazonaws.com,.cluster.local'
*   Trying 127.0.0.1:30443...
* Connected to localhost (127.0.0.1) port 30443
> GET / HTTP/1.1
> Host: localhost:30443
> User-Agent: curl/8.3.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< date: Tue, 30 Jul 2024 14:55:18 GMT
< server: envoy
< content-length: 0
<
* Connection #0 to host localhost left intact

[ridwansswnto]

Have you tried changing the policy enforcement mode? currently I'm using the policy enforcement default the instance is not accessible for its NodePort, I tried changing it to never and the instance is accessible for its NodePort again and the NLB is healthy.

enable-policy                                     never

hi @ridwansswnto,
I tested your solution, but it did not change the behavior, the targets are still Unhealthy. Can you elaborate a bit more on your current setup?

Our setup is:
with the spec mentioned by @rmdvb
Upgrade from cilium v1.15.7 to v1.16.0, and the preflights are healthy.
Cilium 1.16.0, Bottlerocket v1.20.4 and kubernetes v1.28

# sanitized values.yaml file
cilium:
  bpf:
    masquerade: true
  kubeProxyReplacement: "true"
  ipam:
    operator:
      clusterPoolIPv4PodCIDRList: [<cidrlist>]
  cni:
    install: true
    chainingMode: none
  envoyConfig:
    enabled: false
  ingressController:
    enabled: true
    loadbalancerMode: "shared"
    service:
      name: cilium-ingress
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: external
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
        service.beta.kubernetes.io/aws-load-balancer-scheme: internal
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: tcp
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: traffic-port
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: "2"
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold: "2"
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-timeout: "5"
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval: "5"
        service.beta.kubernetes.io/aws-load-balancer-attributes: "load_balancing.cross_zone.enabled=false"
        service.beta.kubernetes.io/load-balancer-source-ranges: "<source-ranges>"
        service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: "deregistration_delay.timeout_seconds=60,deregistration_delay.connection_termination.enabled=true,preserve_client_ip.enabled=true"
        service.beta.kubernetes.io/aws-load-balancer-subnets: "<lb-subnets>"
      type: LoadBalancer
      insecureNodePort: 30080
      secureNodePort : 30443
  eni:
    enabled: false
    updateEC2AdapterLimitViaAPI: false
  policyEnforcementMode: "always"
  policyAuditMode: true
  envoy:
    enabled: false
  tunnelProtocol: "vxlan"

I think I might have found the solution to this problem @okamosy ;
bpf.enableTCX=false should be set to the values.yaml file when the kernel version is lower than 6.6.
This was stated in the upgrade-notes https://docs.cilium.io/en/stable/operations/upgrade/.

In our case, the kernel version was 6.1.. I needed to restart the nodes to have this setting propagated.
Will do some more investigation on this.

[okamosy]

I think I might have found the solution to this problem @okamosy ; bpf.enableTCX=false should be set to the values.yaml file when the kernel version is lower than 6.6. This was stated in the upgrade-notes https://docs.cilium.io/en/stable/operations/upgrade/.

In our case, the kernel version was 6.1.. I needed to restart the nodes to have this setting propagated. Will do some more investigation on this.

Thanks for this. I've tried it, and I still get the error about Failed node neighbor link update between nodes. I will run some more tests in the morning to see if I can just ignore those messages, but I think I've still running into some issue.

I think I might have found the solution to this problem @okamosy ; bpf.enableTCX=false should be set to the values.yaml file when the kernel version is lower than 6.6. This was stated in the upgrade-notes https://docs.cilium.io/en/stable/operations/upgrade/.
In our case, the kernel version was 6.1.. I needed to restart the nodes to have this setting propagated. Will do some more investigation on this.

Thanks for this. I've tried it, and I still get the error about Failed node neighbor link update between nodes. I will run some more tests in the morning to see if I can just ignore those messages, but I think I've still running into some issue.

You're right! I see the neighbor events from the cilium status --verbose as well, eventhough the targets from the NLB are healthy. After Restarting the Cilium agent Daemonset, all become targets Unhealthy again. This needs more investigation as this is not a suitable way of having the upgraded cilium instances.

[dylandreimerink]

The Failed node neighbor link update and

controller node-neighbor-link is failing since 4s (2x): unable to determine next hop IPv4 address for eth1 (<node_ip>): remote node IP is non-routable
unable to determine next hop IPv4 address for eth2 (<node_ip>): remote node IP is non-routable
unable to determine next hop IPv4 address for eth3 (<node_ip>): remote node IP is non-routable

Messages would indicate that there are no route which can be used to reach the remote node. Could you inspect the routing table of the nodes where this error occurs or provide a sysdump which should contain this info as well.

[ridwansswnto]

hi @ridwansswnto, I tested your solution, but it did not change the behavior, the targets are still Unhealthy. Can you elaborate a bit more on your current setup?

Our setup is: with the spec mentioned by @rmdvb Upgrade from cilium v1.15.7 to v1.16.0, and the preflights are healthy. Cilium 1.16.0, Bottlerocket v1.20.4 and kubernetes v1.28

# sanitized values.yaml file
cilium:
  bpf:
    masquerade: true
  kubeProxyReplacement: "true"
  ipam:
    operator:
      clusterPoolIPv4PodCIDRList: [<cidrlist>]
  cni:
    install: true
    chainingMode: none
  envoyConfig:
    enabled: false
  ingressController:
    enabled: true
    loadbalancerMode: "shared"
    service:
      name: cilium-ingress
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: external
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
        service.beta.kubernetes.io/aws-load-balancer-scheme: internal
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: tcp
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: traffic-port
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: "2"
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold: "2"
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-timeout: "5"
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval: "5"
        service.beta.kubernetes.io/aws-load-balancer-attributes: "load_balancing.cross_zone.enabled=false"
        service.beta.kubernetes.io/load-balancer-source-ranges: "<source-ranges>"
        service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: "deregistration_delay.timeout_seconds=60,deregistration_delay.connection_termination.enabled=true,preserve_client_ip.enabled=true"
        service.beta.kubernetes.io/aws-load-balancer-subnets: "<lb-subnets>"
      type: LoadBalancer
      insecureNodePort: 30080
      secureNodePort : 30443
  eni:
    enabled: false
    updateEC2AdapterLimitViaAPI: false
  policyEnforcementMode: "always"
  policyAuditMode: true
  envoy:
    enabled: false
  tunnelProtocol: "vxlan"

My bad, I keep experiencing the same issues.

This is my setup:
eks 1.29, bottlerocket 1.20.5-a3e8bda1, cilium 1.16.0.

values.yaml

agent: true
k8sServiceHost: ""
k8sServicePort: ""
debug:
  enabled: true
  verbose: "flow policy envoy datapath"
cluster:
  name: ""
upgradeCompatibility: "1.8"
ipam:
  mode: "eni"
kubeProxyReplacement: "true"
hubble:
  relay:
    enabled: true
  ui:
    enabled: true
eni:
  awsEnablePrefixDelegation: true
  awsReleaseExcessIPs: true
  ec2APIEndpoint: ""
  enabled: true
  eniTags: {}
  gcInterval: ""
  gcTags: {}
  iamRole: ""
  instanceTagsFilter: []
  subnetIDsFilter: [""]
  subnetTagsFilter: []
  updateEC2AdapterLimitViaAPI: true
ingressController:
  enabled: true
  loadbalancerMode: shared
  enforceHttps: true
  enableProxyProtocol: false
  ingressLBAnnotationPrefixes: ['lbipam.cilium.io', 'nodeipam.cilium.io', service.beta.kubernetes.io, 'service.kubernetes.io', 'cloud.google.com']
  secretsNamespace:
    create: true
    name: cilium-secrets
    sync: true
  hostNetwork:
    enabled: false
  service:
    type: LoadBalancer
    insecureNodePort: 32480
    secureNodePort: 32443
    name: cilium-ingress
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
      service.beta.kubernetes.io/aws-load-balancer-internal: "true"
      service.beta.kubernetes.io/aws-load-balancer-subnets: ""

After several attempts like rolling update instances etc, I found something:

This is the bpf lb status when NLB Healthcheck fails:

$ kubectl -n kube-system exec -ti ds/cilium -- cilium bpf lb list
10.12.12.88:32182 (0)     0.0.0.0:0 (102) (0) [NodePort]
10.12.13.70:32182 (0)     0.0.0.0:0 (103) (0) [NodePort]

This is the bpf lb status when NLB Heatcheck is successful:

$ kubectl -n kube-system exec -ti ds/cilium -- cilium bpf lb list
10.12.13.95:32480 (0)     0.0.0.0:0 (21) (0) [NodePort, l7-load-balancer] (L7LB Proxy Port: 10969)
10.12.13.95:32443 (0)     0.0.0.0:0 (23) (0) [NodePort, l7-load-balancer] (L7LB Proxy Port: 10969)

The interesting thing is that if I update something part of service like annotation in ingressController WITHOUT restarting cilium-operator & cilium-agent the bpf lb will show descriptions like l7-load-balancer and HC in NLB success, once I restart they are gone and the NLB is unhealthy.

This is the log for healthy NLB in cilium-agent:

time="2024-08-01T14:45:41Z" level=debug msg="Upserting service" backends="[]" l7LBProxyPort=10969 loadBalancerSourceRanges="[]" serviceIP="{10.12.13.95 {TCP 32480} 0}" serviceName=cilium-ingress serviceNamespace=kube-system sessionAffinity=false sessionAffinityTimeout=0 subsys=service svcExtTrafficPolicy=Cluster svcHealthCheckNodePort=0 svcIntTrafficPolicy=Cluster svcType=NodePort
time="2024-08-01T14:45:41Z" level=debug msg="Acquired service ID" backends="[]" l7LBProxyPort=10969 loadBalancerSourceRanges="[]" serviceID=21 serviceIP="{10.12.13.95 {TCP 32480} 0}" serviceName=cilium-ingress serviceNamespace=kube-system sessionAffinity=false sessionAffinityTimeout=0 subsys=service svcExtTrafficPolicy=Cluster svcHealthCheckNodePort=0 svcIntTrafficPolicy=Cluster svcType=NodePort

This is the log after cilium-operator & cilium-agent restart:

time="2024-08-01T15:04:42Z" level=debug msg="Upserting service" backends="[]" l7LBProxyPort=0 loadBalancerSourceRanges="[]" serviceIP="{10.12.13.95 {NONE 32480} 0}" serviceName=cilium-ingress serviceNamespace=kube-system sessionAffinity=false sessionAffinityTimeout=0 subsys=service svcExtTrafficPolicy=Cluster svcHealthCheckNodePort=0 svcIntTrafficPolicy=Cluster svcType=NodePort
time="2024-08-01T15:04:42Z" level=debug msg="Acquired service ID" backends="[]" l7LBProxyPort=0 loadBalancerSourceRanges="[]" serviceID=21 serviceIP="{10.12.13.95 {NONE 32480} 0}" serviceName=cilium-ingress serviceNamespace=kube-system sessionAffinity=false sessionAffinityTimeout=0 subsys=service svcExtTrafficPolicy=Cluster svcHealthCheckNodePort=0 svcIntTrafficPolicy=Cluster svcType=NodePort

[okamosy]

The Failed node neighbor link update and

controller node-neighbor-link is failing since 4s (2x): unable to determine next hop IPv4 address for eth1 (<node_ip>): remote node IP is non-routable
unable to determine next hop IPv4 address for eth2 (<node_ip>): remote node IP is non-routable
unable to determine next hop IPv4 address for eth3 (<node_ip>): remote node IP is non-routable

Messages would indicate that there are no route which can be used to reach the remote node. Could you inspect the routing table of the nodes where this error occurs or provide a sysdump which should contain this info as well.

I've attached the sys dump from a clean build of an EKS cluster and Cilium 1.16.0
cilum-sysdump-clean-1.16-install.zip

Additionally, I've disabled the Ingress Controller to try and make sure it wasn't getting in the way of something else.

[mattcharlton]

@ridwansswnto @dvb-simp @rmdvb are you folks still experiencing the same issues with this upgrade? We're still struggling.

Hi @mattcharlton, we're still seeing this issue and it's currently blocking us to upgrade to cilium v1.16.0...
It seems that the cilium ingress LB NodePorts aren't accepting any traffic after a restart of the cilium agent, but we can't find any logs or events that triggers this behaviour.