Revision history

See my iptables config:

1/ iptables on Controller

    [root@dfw02~ ]# cat /etc/sysconfig/iptables
    # Lines with --reject-with icmp-host-prohibited commented out by B.D.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 3260 -m comment --comment "001 cinder incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 3306 -m comment --comment "001 mariadb incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 8770:8780 -m comment --comment "001 novaapi incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "001 qpid incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 8700 -m comment --comment "001 metadata incoming" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
    # -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A INPUT -p gre -j ACCEPT
    -A OUTPUT -p gre -j ACCEPT
    # -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT

8700 is the neutron metadata port. So run

    netstat -lntp | grep 9697

to find out what you have on 9697. It's a core issue.


I have in /etc/sysconfig/iptables on Controller:

    -A INPUT -p tcp -m multiport --dports 8700 -m comment --comment "001 metadata incoming"

in other words

    [root@dfw02 ~(keystone_admin)]$ iptables-save | grep 8700
    -A INPUT -p tcp -m multiport --dports 8700 -m comment --comment "001 metadata incoming" -j ACCEPT

So 8700 is the neutron metadata port. So run

    netstat -lntp | grep 9697

and

    iptables-save > out

to find out what you have on 9697. It's a core issue.

I have in /etc/sysconfig/iptables on Controller:

    -A INPUT -p tcp -m multiport --dports 8700 -m comment --comment "001 metadata incoming"

in other words

    [root@dfw02 ~(keystone_admin)]$ iptables-save | grep 8700
    -A INPUT -p tcp -m multiport --dports 8700 -m comment --comment "001 metadata incoming" -j ACCEPT

So 8700 is the neutron metadata port. Run

    # netstat -lntp | grep 9697
    # iptables-save | grep 9697

to find out what you have on 9697. It's a core issue.

Also make sure /etc/sysctl.conf on Controller contains:

    net.ipv4.ip_forward = 1
    net.ipv4.conf.all.rp_filter=0
    net.ipv4.conf.default.rp_filter=0

and /etc/sysctl.conf on compute nodes:

    net.ipv4.ip_forward=1
    net.bridge.bridge-nf-call-ip6tables=1
    net.bridge.bridge-nf-call-iptables=1
    net.bridge.bridge-nf-call-arptables=1

You may have 9697 as metadata port on old system. I would expect entries for 9697 to be like those shown below for 8700 on F20.

Entries of port 8700 on my Controller:
     [root@dfw02 nova(keystone_boris)]$ cat nova.conf | grep 8700
     metadata_listen_port = 8700

     [root@dfw02 nova(keystone_boris)]$ cd ../neutron

     [root@dfw02 neutron(keystone_boris)]$ ls -l
     total 72
     -rw-r-----. 1 root neutron   884 Jan 23 12:48 api-paste.ini
     -rw-r-----. 1 root neutron  2998 Mar 16 13:02 dhcp_agent.ini
     -rw-r--r--. 1 root neutron    73 Mar 16 13:26 dnsmasq.conf
     -rw-r--r--. 1 root neutron    79 Feb 26 12:51 dnsmasq-neutron.conf
     -rw-r-----. 1 root neutron   109 Dec 16 05:36 fwaas_driver.ini
     -rw-r-----. 1 root neutron  2520 Feb 18 22:57 l3_agent.ini
     -rw-r-----. 1 root neutron  1104 Dec 16 05:36 lbaas_agent.ini
     -rw-r-----. 1 root neutron  1084 Jan 23 18:25 metadata_agent.ini
     -rw-r--r--. 1 root neutron   876 Jan 23 12:58 neutron.conf
     -rw-r-----. 1 root neutron 13635 Jan 23 11:55 neutron.save
     lrwxrwxrwx. 1 root root       55 Jan 23 11:49 plugin.ini -> /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
     drwxr-xr-x. 3 root root     4096 Jan 23 11:01 plugins
     -rw-r-----. 1 root neutron  5853 Dec 16 05:36 policy.json
     -rw-r--r--. 1 root root       79 Dec 18 17:30 release
     -rw-r--r--. 1 root root     1214 Dec 16 05:36 rootwrap.conf

     [root@dfw02 neutron(keystone_boris)]$ cat l3_agent.ini | grep 8700
     metadata_port = 8700

     [root@dfw02 neutron(keystone_boris)]$ cat metadata_agent.ini | grep 8700
     nova_metadata_port = 8700

     [root@dfw02 ~(keystone_admin)]$ netstat -lntp | grep 8700
     tcp        0      0 0.0.0.0:8700            0.0.0.0:*               LISTEN      2749/python         
     [root@dfw02 ~(keystone_admin)]$ ps -ef | grep 2749
     nova      2749     1  0 09:34 ?        00:00:05 /usr/bin/python /usr/bin/nova-api --logfile /var/log/nova/api.log
     nova      2852  2749  0 09:34 ?        00:00:00 /usr/bin/python /usr/bin/nova-api --logfile /var/log/nova/api.log
     nova      2893  2749  0 09:34 ?        00:00:03 /usr/bin/python /usr/bin/nova-api --logfile /var/log/nova/api.log
     nova      2894  2749  0 09:34 ?        00:00:00 /usr/bin/python /usr/bin/nova-api --logfile /var/log/nova/api.log
     root      8080  4116  0 09:46 pts/0    00:00:00 grep --color=auto 2749

I have also verified:

[root@dfw02 ~]# ip netns list
qrouter-86b3008c-297f-4301-9bdc-766b839785f1
qrouter-bf360d81-79fb-4636-8241-0a843f228fc8
qdhcp-426bb226-0ab9-440d-ba14-05634a17fb2b
qdhcp-1eea88bb-4952-4aa4-9148-18b61c22d5b7

[root@dfw02 ~]# ip netns exec qrouter-bf360d81-79fb-4636-8241-0a843f228fc8  netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:8700            0.0.0.0:*               LISTEN     
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path

[root@dfw02 ~]# ip netns exec qrouter-86b3008c-297f-4301-9bdc-766b839785f1  netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:8700            0.0.0.0:*               LISTEN     
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path

[root@dfw02 ~]# ip netns exec qdhcp-426bb226-0ab9-440d-ba14-05634a17fb2b netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 40.0.0.3:53             0.0.0.0:*               LISTEN     
tcp6       0      0 fe80::f816:3eff:fe01:53 :::*                    LISTEN     
udp        0      0 40.0.0.3:53             0.0.0.0:*                          
udp        0      0 0.0.0.0:67              0.0.0.0:*                          
udp6       0      0 fe80::f816:3eff:fe01:53 :::*                               
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path

[root@dfw02 ~]# ip netns exec qdhcp-1eea88bb-4952-4aa4-9148-18b61c22d5b7  netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 10.0.0.3:53             0.0.0.0:*               LISTEN     
tcp6       0      0 fe80::f816:3eff:fe93:53 :::*                    LISTEN     
udp        0      0 10.0.0.3:53             0.0.0.0:*                          
udp        0      0 0.0.0.0:67              0.0.0.0:*                          
udp6       0      0 fe80::f816:3eff:fe93:53 :::*                               
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
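
The checks walked through in this answer (the port configured in nova.conf, l3_agent.ini and metadata_agent.ini, a matching iptables rule, and a listener in netstat) can be combined into one script; this is an added example, not part of the original post. The file names iptables-save.txt and netstat.txt and all function names are assumptions, and the sample inputs are constructed from values quoted in the post. It also notes when the INPUT chain has policy ACCEPT and no catch-all REJECT, as in the posted config where those lines are commented out, because then the per-port ACCEPT rules filter nothing.

```shell
#!/bin/sh
# Added example: cross-check one metadata port across config, firewall, sockets.
# File names (iptables-save.txt, netstat.txt) and function names are assumptions.

# conf_value FILE KEY -> print value of "KEY = value" (exact key, last match wins)
conf_value() {
    awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { out = $2; gsub(/[ \t]/, "", out) }
        END { if (out != "") print out }' "$1"
}

# fw_allows RULES PORT -> 0 if an INPUT tcp ACCEPT rule covers PORT.
# Handles --dport N, --dport A:B and multiport --dports a,b,c:d.
fw_allows() {
    awk -v port="$2" '
        /^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i < NF; i++) if ($i == "--dport" || $i == "--dports") {
                n = split($(i + 1), parts, ",")
                for (j = 1; j <= n; j++) {
                    m = split(parts[j], r, ":")
                    lo = r[1] + 0; hi = (m == 2 ? r[2] : r[1]) + 0
                    if (port + 0 >= lo && port + 0 <= hi) found = 1
                }
            }
        }
        END { exit(found ? 0 : 1) }' "$1"
}

# input_default_open RULES -> 0 if INPUT policy is ACCEPT and no catch-all
# REJECT/DROP rule is active, so the per-port ACCEPT rules filter nothing.
input_default_open() {
    awk '/^:INPUT ACCEPT/ { policy = 1 }
         /^-A INPUT -j (REJECT|DROP)/ { catchall = 1 }
         END { exit((policy && !catchall) ? 0 : 1) }' "$1"
}

# listening NETSTAT PORT -> 0 if a TCP socket in LISTEN state is bound to PORT
listening() {
    awk -v port="$2" '
        $1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) found = 1 }
        END { exit(found ? 0 : 1) }' "$1"
}

# make_sample DIR -> write constructed sample files using values quoted in the post
make_sample() {
    mkdir -p "$1"
    echo 'metadata_listen_port = 8700' > "$1/nova.conf"
    echo 'metadata_port = 8700' > "$1/l3_agent.ini"
    echo 'nova_metadata_port = 8700' > "$1/metadata_agent.ini"
    cat > "$1/iptables-save.txt" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8770:8780 -m comment --comment "001 novaapi incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8700 -m comment --comment "001 metadata incoming" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
    cat > "$1/netstat.txt" <<'EOF'
tcp        0      0 0.0.0.0:8700            0.0.0.0:*               LISTEN      2749/python
EOF
}

# audit DIR PORT -> one line per check; exit status is the number of failed checks
audit() {
    dir=$1; want=$2; fails=0
    for spec in nova.conf:metadata_listen_port l3_agent.ini:metadata_port \
                metadata_agent.ini:nova_metadata_port; do
        file=${spec%%:*}; key=${spec#*:}
        got=$(conf_value "$dir/$file" "$key")
        if [ "$got" = "$want" ]; then echo "ok   $file $key=$got"
        else echo "FAIL $file $key=${got:-unset} (expected $want)"; fails=$((fails + 1)); fi
    done
    if fw_allows "$dir/iptables-save.txt" "$want"; then echo "ok   INPUT accepts tcp/$want"
    else echo "FAIL no INPUT ACCEPT rule for tcp/$want"; fails=$((fails + 1)); fi
    if listening "$dir/netstat.txt" "$want"; then echo "ok   listener on tcp/$want"
    else echo "FAIL nothing listening on tcp/$want"; fails=$((fails + 1)); fi
    if input_default_open "$dir/iptables-save.txt"; then
        echo "note INPUT policy is ACCEPT with no catch-all REJECT/DROP"
    fi
    return "$fails"
}

# Demo on the constructed sample; on a real node, save `iptables-save` and
# `netstat -lntp` output under these file names next to copies of the configs.
tmp=$(mktemp -d)
make_sample "$tmp"
audit "$tmp" 8700 || echo "$? check(s) failed"
rm -rf "$tmp"
```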