VPP dataplane drops locally destined packets when WAN VLAN interface is placed in Linux VRF (ipv4-local source lookup miss)

bruno.dzogovic · March 12, 2026, 8:22pm

Environment

VyOS version:

Version:          VyOS 2026.02
Release train:    circinus
Release flavor:   generic

Dataplane:

VPP enabled

Hardware:

x86 server with Intel 100G NIC (E810-C class)

Topology:

Internet
   |
Palo Alto FW (public_ip_1)
   |
VLAN 52
   |
VyOS eth4.52 (VPP dataplane)

Network Layout

Public network:

public_ip_range/24
Gateway: public_ip_1
VyOS:    public_ip_2
VLAN:    52

VRFs used:

vrf-mgmt   table 100
vrf-vpn    table 102
vrf-public table 110

WAN interface:

eth4.52 -> vrf-public

Problem Description

When the WAN interface eth4.52 is placed into a Linux VRF (vrf-public), internet connectivity stops working.

Symptoms:

Gateway (public_ip_1) reachable
ARP working
packets transmitted towards internet
replies never received

However:

ping public_ip_1 vrf vrf-public

works correctly.

But:

ping 1.1.1.1 vrf vrf-public

fails.

Important observation

tcpdump shows packets leaving the interface:

tcpdump -ni eth4.52 icmp and host 1.1.1.1
IP public_ip_2 > 1.1.1.1: ICMP echo request

But no replies are received.

VPP Error Counters

vppctl show errors

Shows increasing:

ipv4-local ip4 source lookup miss

Example:

Count   Node        Reason
1742    ipv4-local  ip4 source lookup miss

VPP Interface Setup

vppctl show lcp

lcp-auto-subint on

if-pair:
eth4       <-> tap4096
eth4.52    <-> tap4096.52

VPP Interface State

vppctl show interface eth4.52

Interface is up and counters increase normally.

VPP FIB Entry

vppctl show ip fib

Shows correct route:

0.0.0.0/0 via public_ip_1 eth4.52

Linux Routing Tables

ip route show table 110

default via public_ip_1 dev eth4.52
public_ip_range/24 dev eth4.52

Important Behavior Difference

If the WAN interface remains in the default VRF, everything works correctly:

eth4.52 -> default VRF

Internet connectivity works normally.

The problem appears only after moving the interface into vrf-public.

Hypothesis

The issue may be related to:

VPP LCP auto-subinterface handling
VRF/FIB mapping between Linux and VPP
local-delivery lookup inside the VPP ipv4-local node

Specifically the repeated error:

ipv4-local ip4 source lookup miss

suggests a failure resolving the source VRF context during local packet delivery.

Reproduction Steps

Enable VPP dataplane
Configure VLAN WAN interface
Assign interface to Linux VRF
Add default route inside that VRF

Example:

set interfaces ethernet eth4 vif 52 address public_ip_2/24
set vrf name vrf-public table 110
set interfaces ethernet eth4 vif 52 vrf vrf-public
set protocols static table 110 route 0.0.0.0/0 next-hop public_ip_1

Result:

ping public_ip_1 vrf vrf-public  -> works
ping 1.1.1.1 vrf vrf-public       -> fails

Expected Behavior

Traffic from a VRF should correctly egress the VPP dataplane and return traffic should be delivered to the local VRF interface.

Actual Behavior

Packets leave the interface but replies are dropped with:

ipv4-local ip4 source lookup miss

Additional Notes

Rebooting the router and restarting VPP does not change behavior.

Question

Is this a known limitation of:

VPP + LCP auto-subinterfaces + Linux VRF

or is this a bug?

system · May 11, 2026, 8:22pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.