Project

General

Profile

Actions
Copy link

Bug #5773

open

OsmoGGSN sends Direct Tunnel packets to the wrong IP address

Added by manatails over 1 year ago. Updated about 6 hours ago.

Status:
Feedback
Priority:
Normal
Assignee:
manatails
Category:
-
Target version:
-
Start date:
11/16/2022
Due date:
% Done:

90%

Spec Reference:

Description

When GTP-U Direct Tunnel is used, GGSN shall send all data packets to the RNC.

But sometimes when data packets are queued right after the Echo Request message from the SGSN, data packets are sent to the SGSN instead of RNC, causing SGSN to crash.

Attached is a pcap of the bug.

Packet no. 1-6 are correctly sent to the RNC at 10.27.30.100
But after packet no. 18 Echo response subsequent GTP-U packets are wrongly sent to the SGSN at 10.27.30.99 and SGSN reports Error indication.

Files

ggsn.pcap ggsn.pcap 5.22 KB manatails, 11/16/2022 01:36 PM

Related issues

Related to OsmoGGSN (former OpenGGSN) - Bug #6512: osmo-ggsn: Missing support for Direct Tunnel Flags logicNewpespin07/25/2024

Actions
Actions
Copy link
 #1

Updated by manatails over 1 year ago

I found that st_pmm_idle_on_enter() from osmo-sgsn is resetting the GTP-U address.
Is it necessary when the RNC is in Direct Tunnel mode? I am not sure what the correct behavior is. Disabling st_pmm_idle_on_enter seems to fix the problem for me.

Actions
Copy link
 #2

Updated by pespin 1 day ago

  • Related to Bug #6512: osmo-ggsn: Missing support for Direct Tunnel Flags logic added
Actions
Copy link
 #3

Updated by pespin 1 day ago

Hi manatails , I didn't see this ticket before. I'm currently improving a bit the Direct Tunnel support in osmo-sgsn and osmo-ggsn since it's not conformant to specs (TS 29.060, missing "Direct Tunnel Flags").

I just submitted a bunch of patches to SGSN_Tests which allows us testing a lot more stuff for 3G (Iu). We can probably try to reproduce your bug there.

Actions
Copy link
 #4

Updated by pespin 1 day ago

  • Assignee set to pespin

manatails what I'm seeing in the pcap is osmo-sgsn updating osmo-ggsn because probably the 3G UE went to PMM IDLE state (released Iu context), hence SGSN drops the Direct Tunnel and tells the GGSN to point the GTPU to the SGSN itself.

This way the SGSN can know when there's new incoming MT data and can page the UE so that it gets a new Iu ctx.

So the UpdatePDPCtx you see in frame_nr=10-11 are telling the GGSN to send data to the SGSN. And the GGSN does so in frame_nr=19-20.
The problem is that we probably don't have a proper path to forward data in the SGSN yet for non-DirectTunnel, we need to improve that, hence why it probably answers with Error Indication.

Some logging during that scenario plus a backtrace would be welcome. Otherwise we can also write a TTCN-3 test to reproduce the issue.

Actions
Copy link
 #5

Updated by pespin about 6 hours ago

  • Status changed from New to Feedback
  • Assignee changed from pespin to manatails
  • % Done changed from 0 to 90

I submitted several fixes to gerrit, and I think this ticket should be fixed by:
https://gerrit.osmocom.org/c/osmo-sgsn/+/37644

I wasn't unable to trigger a crash though.

See test TC_pmm_idle_rx_mt_data, submitted to gerrit here: https://gerrit.osmocom.org/c/osmo-ttcn3-hacks/+/37646

Note that the current status of osmo-sgsn still is unable to forward MT traffic being sent to it while the UE is paged + direct tunnel is re-established.

Actions
Copy link

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 48.8 MB)