IBM Cloud Docs
Troubleshooting your VFP interface

Troubleshooting your VFP interface

There is troubleshooting information for virtual forwarding plane (VFP) interfaces that you might find useful.

  • A VFP interface is not a "real" interface, in the way that dp0bond0 is (or even a VIF or TUN). It is a placeholder interface created by the firewall and NAT processes so they can properly process traffic. You can still route traffic over a VFP like a regular interface, but tshark and other monitor commands reveal no traffic.
  • With NAT, you must use a more specific subnet range to get traffic routed to the VFP, rather than the kernel route that is created by IPsec. If a static route is not set, then the kernel route is followed. You can test this using show ip route x.x.x.x.
  • DNAT should be processed properly coming out of the VFP, but returning traffic still needs a static route set. Look for non-NAT traffic heading out of the IPsec interface, dp0bond1 or dp0bond0 (or any interface using IPsec traffic).
  • Using routing protocols and using a GRE tunnel over a VFP is untested.