Ask Your Question
0

Tenant gre network broken

asked 2018-02-01 00:48:09 -0600

tony.pearce gravatar image

I have a network isolation openstack tripleo deployed. I have a bridge called "br-tun" which I have set up for the 'Tenant' network.

I have one main problem and it's that I cannot ping the instance VMs using the floating IP. I think I have traced this back to the tenant GRE network not working. I think I have further traced it back to something amiss with the bridge but follow me here and you'll see why.

For the instances I have this network layout: Real network switch ---- openstack router---local (GRE network)

I can ping the openstack router which is using 192.168.20.108/24 I have assigned a floating IP to the instance which is 192.168.20.102

When I try and ping the floating IP of the instance, I get a response from the floating IP saying destination host unreachable. Which is saying that the openstack router can't communicate with the instance. As the instance is running on the compute host and the floating ip and external network is connected to the controller node, the gre tunnel allows the connectivity to the instance.

What I found is that I Cannot ping the br-tun interface of the nodes from the other node. IE controller cannot ping compute and compute cannot ping controller. I don't know if this is normal, but doesn't seem normal as I can ping all of the other interfaces with IPs. In addition, each node cannot ping the network switch on the tenant network. I have the switch set up as a layer 3 gateway, although the nodes do not have a gateway on this network. I was using the switch IP to test connectivity. Also, running 'arp -an' shows that all IPs on the br-tun interface are <unknown> which means broadcasts are not traversing.

I find that If I do 'ifdown ifcfg-br-tun' and then ifdown ifcf-eth5' and then followed by 'ifup ifcfg-br-tun' and 'ifup ifcfg-eth5' that I can then ping the network switch and ARP is now populating in the table, but "ovs-vsctl show" shows that there is no gre tunnel.

So I decided to reboot the nodes, thinking that there was no issue and all will be fixed with a mass service restart. But once the nodes were up again i found I Was back to square 1, with no working tenant network.

Before I down and up the interfaces::

Controller ping

[root@overcloud-controller-0 heat-admin]# ping 192.168.12.1
PING 192.168.12.1 (192.168.12.1) 56(84) bytes of data.
^C
--- 192.168.12.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

And the arp:

[root@overcloud-controller-0 heat-admin]# arp -an | grep 192.168.12
? (192.168.12.107) at <incomplete> on br-tun
? (192.168.12.1) at <incomplete> on br-tun

ovs-vsctl show for the br-tun

Bridge br-tun
            Controller "tcp:127.0.0.1:6633"
                is_connected: true
            fail_mode: secure
            Port "gre-c0a80c6b"
                Interface "gre-c0a80c6b"
                    type: gre
                    options: {df_default="true", in_key ...
(more)
edit retag flag offensive close merge delete

Comments

for the ovs bridge "br-tun" I am cloning the mac address from the physical interface. Is this a problem to do?

tony.pearce gravatar imagetony.pearce ( 2018-02-01 01:54:49 -0600 )edit

i tested without cloning the mac and no change.

tony.pearce gravatar imagetony.pearce ( 2018-02-01 02:34:22 -0600 )edit

Perhaps you did that, but I would first check higher level stuff:

  • can instances reach the external NW?
  • can instances on different hosts reach each other?
  • can instances on different hosts and different tenant NWs reach each other?
  • Security group allows ICMP?
Bernd Bausch gravatar imageBernd Bausch ( 2018-02-01 06:35:44 -0600 )edit

I just re-deployed using vxlan and the same interface (br-tun) cannot ping anything on that interface after deployment. For the questions: - the instances cannot reach external network. Like I mentioned I can ping the routers interfaces, just not the instances i only have 1 compute host in

tony.pearce gravatar imagetony.pearce ( 2018-02-01 08:23:04 -0600 )edit

..in this setup so cant test different hosts at the moment :( security group is default, allows any ipv4 inbound. I cannot get an ssh session either.

When you try to ping the instance, the openstack router sends icmp reply "destination host unreachable"

Can you tell me - when the vxlan or gre

tony.pearce gravatar imagetony.pearce ( 2018-02-01 08:24:42 -0600 )edit

1 answer

Sort by ยป oldest newest most voted
0

answered 2018-02-01 23:55:58 -0600

tony.pearce gravatar image

I fixed it. First problem was that I was creating the br-tun interface bridge in my yaml file = believe that was incorrect. I also had a separate bridge called br-tenant which I have set for provider vlans and I thnk it was clashing as I saw some ovs-vsctl show output referencing this bridge. I renamed this bridge to br-vlans and redeployed.

I did finally have to edit the security group to allow icmp. Floaty IP now working. I can move on to the next item on the list.

Thanks Mr Bausch again for your help :)

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2018-02-01 00:48:09 -0600

Seen: 69 times

Last updated: Feb 01 '18