openstack neutron ovs external network not reachable

asked 2020-04-16 09:07:04 -0500

ahabib

Hello

I'm new here. I have installed OpenStack manually and had an issue, as follows. I followed the official install guide for OpenStack Train and self-service with OVS, and everything seems to work except one thing: external networks.

I can't ping any external IP other than the one assigned to the Neutron br-provider. I have been debugging in different namespaces and I can't figure out what's wrong. I have connected 2 private networks to a router and tested communication between instances on the same host and on different compute hosts; that worked. But when connecting a private network to a router with another external network as gateway and floating IPs, nothing will ping any IP other than the Neutron node (br-provider) interface 10.65.6.29. Instances inside can't ping the gateway or other hosts on the physical network that I'm using as external.

Please find below the config contents for the Neutron modules on the controller, network and compute nodes. I have assigned br-provider an IP manually with ifconfig (br-provider is the bridge name I used for the external bridge on OVS). Following is the output of the ovs-vsctl show command:

[root@Neutron ~]# ovs-vsctl show
5ab40f37-5ae4-48ad-92be-c2a2b0659234
    Manager "ptcp:6640:127.0.0.1"
        is_connected: true
    Bridge br-int
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        datapath_type: system
        Port "tap96feb649-57"
            tag: 6
            Interface "tap96feb649-57"
                type: internal
        Port "qr-ddca8fbb-b4"
            tag: 1
            Interface "qr-ddca8fbb-b4"
                type: internal
        Port "qr-017caf07-d1"
            tag: 7
            Interface "qr-017caf07-d1"
                type: internal
        Port "qg-84564d0c-78"
            tag: 6
            Interface "qg-84564d0c-78"
                type: internal
        Port "tapa05a825d-56"
            tag: 2
            Interface "tapa05a825d-56"
                type: internal
        Port br-int
            Interface br-int
                type: internal
        Port int-br-provider
            Interface int-br-provider
                type: patch
                options: {peer=phy-br-provider}
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
        Port "qg-f66ba620-d9"
            tag: 4095
            Interface "qg-f66ba620-d9"
                type: internal
        Port "tapa70c6aed-db"
            tag: 7
            Interface "tapa70c6aed-db"
                type: internal
        Port "tap6ee2f60a-1f"
            tag: 3
            Interface "tap6ee2f60a-1f"
                type: internal
        Port "tap946bc635-91"
            tag: 1
            Interface "tap946bc635-91"
                type: internal
    Bridge br-provider
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        datapath_type: system
        Port phy-br-provider
            Interface phy-br-provider
                type: patch
                options: {peer=int-br-provider}
        Port "ens161"
            Interface "ens161"
        Port br-provider
            Interface br-provider
                type: internal
    Bridge br-tun
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        datapath_type: system
        Port br-tun
            Interface br-tun
                type: internal
        Port "vxlan-0a14141b"
            Interface "vxlan-0a14141b"
                type: vxlan
                options: {df_default="true", egress_pkt_mark="0", in_key=flow, local_ip="10.20.20.29", out_key=flow, remote_ip="10.20.20.27"}
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
        Port "vxlan-0a14141a"
            Interface "vxlan-0a14141a"
                type: vxlan
                options: {df_default="true", egress_pkt_mark="0", in_key=flow, local_ip="10.20.20.29", out_key=flow, remote_ip="10.20.20.26"}
    ovs_version: "2.12.0"

external network conf

Name: external
ID: 67f0d0d1-392f-402e-bff6-2cf008050029
Project ID: 8c79bb4e38074276886e7a8effc6c966
Status: Active
Admin State: UP
Shared: Yes
External Network: Yes
MTU: 1500
Provider Network:
    Network Type: flat
    Physical Network: provider
    Segmentation ID: -

Name: external-subnet
ID: 8e410b3b-f647-45b3-abfb-ca99b518dcd9
Project ID: 8c79bb4e38074276886e7a8effc6c966
Network Name: external
Network ID: 67f0d0d1-392f-402e-bff6-2cf008050029
Subnet Pool: None
IP Version: IPv4
CIDR: 10.65.6.0/24
IP Allocation Pools: Start 10.65.6.50 - End 10.65.6 ...

Comments

Did you allow traffic in the security-group?

eblock ( 2020-04-16 10:47:37 -0500 )

I did add security-group ICMP, and trying to ping other instances or even the network node worked, so I guess ping.

ahabib ( 2020-04-19 02:59:30 -0500 )
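
Added example (not part of the original thread): a Python check over `ovs-vsctl show` text like the output in the question. It confirms that the provider bridge has a physical uplink and that patch ports point at each other, and it flags ports carrying tag 4095, which the Neutron OVS agent uses for ports it has not wired. The function names and the trimmed sample are constructed for illustration.

```python
import re
DEAD_VLAN_TAG = 4095  # Neutron OVS agent's tag for a port it has not wired

# Constructed sample: a trimmed copy of the structure of the output in the question.
SAMPLE = """\
Bridge br-int
    Port int-br-provider
        Interface int-br-provider
            type: patch
            options: {peer=phy-br-provider}
    Port "qg-f66ba620-d9"
        tag: 4095
        Interface "qg-f66ba620-d9"
            type: internal
Bridge br-provider
    Port phy-br-provider
        Interface phy-br-provider
            type: patch
            options: {peer=int-br-provider}
    Port "ens161"
        Interface "ens161"
"""

def parse(text):
    """Return {bridge: {port: {"tag", "type", "peer"}}} from `ovs-vsctl show` text."""
    bridges, br, port = {}, None, None
    for line in text.splitlines():
        key, _, val = line.strip().partition(" ")
        if key == "Bridge":
            br, port = bridges.setdefault(val.strip('"'), {}), None
        elif key == "Port" and br is not None:
            # A port with no "type:" line is a system (physical or kernel) device.
            port = br.setdefault(val.strip('"'), {"tag": None, "type": "system", "peer": None})
        elif key in ("tag:", "type:") and port:
            port[key[:-1]] = int(val) if key == "tag:" else val
        elif key == "options:" and port and (m := re.search(r"peer=([\w-]+)", val)):
            port["peer"] = m.group(1)
    return bridges

def check(bridges, provider="br-provider"):
    """Return findings: missing uplink NIC, one-way patch peers, dead-VLAN ports."""
    out, ports = [], {n: p for b in bridges.values() for n, p in b.items()}
    if not any(p["type"] == "system" for p in bridges.get(provider, {}).values()):
        out.append(f"{provider}: no physical NIC attached")
    for name, p in ports.items():
        if p["type"] == "patch" and ports.get(p["peer"], {}).get("peer") != name:
            out.append(f"{name}: patch peer does not point back")
        if p["tag"] == DEAD_VLAN_TAG:
            out.append(f"{name}: tag 4095, port not wired by the agent")
    return out
```

When the bridge wiring comes back clean, the search moves to the layers around OVS, such as security groups or the hypervisor's virtual switch.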

2 answers

1

answered 2020-04-20 04:50:51 -0500

ashkot83

Do a tcpdump on the instance and see if you get any traffic hits to the IP interface that is attached to the floating IP.

1) If you see traffic coming inside, then your SNAT is working; you might want to allow egress traffic on the instance security group.
2) If you don't see traffic coming inside, then you need to allow ingress rules on the instance security group.
3) If you feel this is all good, then try setting "port_security_enabled" to false for the private and external network port and see if it works.


Comments

Thanks for your reply; as you can see, it was fixed.

ahabib ( 2020-04-23 05:21:54 -0500 )
1

answered 2020-04-22 06:59:22 -0500

ahabib

UPDATE !!!

I got it fixed. It seems my problem was that all my environment is built on VMware, so I had to enable promiscuous mode on the external vSwitch. The following link helped me: https://ask.openstack.org/en/question/61418/cannot-ping-any-neutron-router-interface/ (user dbaxps was the answer).

Many thanks for everyone



Stats

Asked: 2020-04-16 09:07:04 -0500

Seen: 171 times

Last updated: Apr 16