
ping out working, ping in shows up on bridge but not target device

asked 2013-06-14 15:10:05 -0500


updated 2013-06-17 15:53:29 -0500


I'm able to use novnc into my cirros instance, and I can ping/ssh out of the instance. However, I'm unable to ping/ssh into the instance. I've been able to find that the pings are not forwarded from the egress VM bridge to the egress VM interface. Does anyone have ideas for the next step in figuring out why the packet isn't forwarded from the VM's bridge to its interface?

I used the tcpdump suggestions from the operations guide to see that ingress pings get to the bridge for the VM but do not show up on the interface. (obviously I can see the pings on both the bridge and the interface for egress pings).

root@omega4:~# nova --os-tenant-name demo show i1 | grep instance_name
| OS-EXT-SRV-ATTR:instance_name       | **instance-00000032**                                        |

root@omega3:~# grep bridge /etc/libvirt/qemu/**instance-00000032.xml**
    <interface type='bridge'>
      <source bridge='**qbr1d079331-0c**'/>

root@omega3:~# grep tap /etc/libvirt/qemu/**instance-00000032.xml**
      <target dev='**tap1d079331-0c**'/>

I can see the ICMP/pings come in on the bridge:

root@omega3:~# tcpdump -i **qbr1d079331-0c** icmp
tcpdump: WARNING: qbr1d079331-0c: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on qbr1d079331-0c, link-type EN10MB (Ethernet), capture size 65535 bytes
14:32:11.020274 IP usenshimejl2c.corp.emc.com > 10.5.5.2: ICMP echo request, id 1, seq 43, length 40
14:32:15.575436 IP usenshimejl2c.corp.emc.com > 10.5.5.2: ICMP echo request, id 1, seq 44, length 40
14:32:20.573448 IP usenshimejl2c.corp.emc.com > 10.5.5.2: ICMP echo request, id 1, seq 45, length 40
14:32:25.573645 IP usenshimejl2c.corp.emc.com > 10.5.5.2: ICMP echo request, id 1, seq 46, length 40

But they don’t make it over to the device (pings fail to show up!!!!):

root@omega3:~# tcpdump -i **tap1d079331-0c** icmp
tcpdump: WARNING: tap1d079331-0c: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap1d079331-0c, link-type EN10MB (Ethernet), capture size 65535 bytes
<EOF>

I can see the ICMP/pings going out and back on both interfaces (as expected):

root@omega3:~# tcpdump -i **qbr1d079331-0c** icmp
tcpdump: WARNING: qbr1d079331-0c: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on qbr1d079331-0c, link-type EN10MB (Ethernet), capture size 65535 bytes
14:35:02.802150 IP 10.5.5.2 > usenshimejl2c.corp.emc.com: ICMP echo request, id 3842, seq 0, length 64
14:35:02.865863 IP usenshimejl2c.corp.emc.com > 10.5.5.2: ICMP echo reply, id 3842, seq 0, length 64
14:35:03.801353 IP 10.5.5.2 > usenshimejl2c.corp.emc.com: ICMP echo request, id 3842, seq 1, length 64
14:35:03.847489 IP usenshimejl2c.corp.emc.com > 10.5.5.2: ICMP echo reply, id 3842, seq 1, length 64
14:35:04.801517 IP 10.5.5.2 > usenshimejl2c.corp.emc.com: ICMP echo request, id ...

1 answer


answered 2013-06-17 12:40:26 -0500


updated 2013-06-17 15:54:32 -0500


Answering my own question here. After looking at the OpenStack Networking Administration Guide (bk-quantum-admin-guide-grizzly.pdf), Chapter 5 (Under the Hood), I found that the tap device is the place where Quantum implements the security profiles using iptables. Actually, the diagrams and explanations in that section were quite good.

The root cause of my issue appears to be that the security profile is not being configured for my VM. However, I was able to enable forwarding of ICMP traffic by finding the chain associated with my tap device by looking at --physdev-in rules and adding an ACCEPT rule for ICMP at the top of the chain. This allowed pings to work, but it tells me that the metadata for the security group is not being set up correctly. I used the following command to enable ping for debugging.

iptables -I quantum-openvswi-i7e4158fd-d 1 -p icmp -j ACCEPT
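As an added example (not from the thread), the script below performs the lookup step the answer describes, offline: given a tap device name, it scans the --physdev rules of an iptables-save excerpt to find the per-port Quantum chains, lists the ingress chain's rules, and reports whether that chain accepts ICMP at all. The ruleset, chain names and tap name are constructed to resemble Grizzly's quantum-openvswi-* naming and are assumptions; on a compute node you would feed it the real `iptables-save -t filter` output instead.

```shell
#!/bin/sh
# Constructed iptables-save excerpt modelled on Quantum/Grizzly chain naming (assumed, not captured);
# on a real compute node replace it with: RULES="$(iptables-save -t filter)"
RULES='*filter
:FORWARD ACCEPT [0:0]
:quantum-openvswi-FORWARD - [0:0]
:quantum-openvswi-sg-chain - [0:0]
:quantum-openvswi-i1d079331-0 - [0:0]
:quantum-openvswi-o1d079331-0 - [0:0]
:quantum-openvswi-sg-fallback - [0:0]
-A FORWARD -j quantum-openvswi-FORWARD
-A quantum-openvswi-FORWARD -m physdev --physdev-out tap1d079331-0c --physdev-is-bridged -j quantum-openvswi-sg-chain
-A quantum-openvswi-FORWARD -m physdev --physdev-in tap1d079331-0c --physdev-is-bridged -j quantum-openvswi-sg-chain
-A quantum-openvswi-sg-chain -m physdev --physdev-out tap1d079331-0c --physdev-is-bridged -j quantum-openvswi-i1d079331-0
-A quantum-openvswi-sg-chain -m physdev --physdev-in tap1d079331-0c --physdev-is-bridged -j quantum-openvswi-o1d079331-0
-A quantum-openvswi-i1d079331-0 -m state --state INVALID -j DROP
-A quantum-openvswi-i1d079331-0 -m state --state RELATED,ESTABLISHED -j RETURN
-A quantum-openvswi-i1d079331-0 -j quantum-openvswi-sg-fallback
-A quantum-openvswi-o1d079331-0 -m state --state RELATED,ESTABLISHED -j RETURN
-A quantum-openvswi-o1d079331-0 -j RETURN
-A quantum-openvswi-sg-fallback -j DROP
COMMIT'
# Per-port chain a tap device is dispatched to. "in" = --physdev-out (frames leaving the
# bridge towards the guest, i.e. ingress to the VM), "out" = --physdev-in (frames the guest
# sent). The shared sg-chain hop is skipped so the per-port i*/o* chain is returned.
port_chain() {  # $1 = tap name, $2 = in|out
  phys="--physdev-out"; [ "$2" = "out" ] && phys="--physdev-in"
  printf '%s\n' "$RULES" | awk -v tap="$1" -v phys="$phys" '
    $1 == "-A" {
      hit = 0; target = ""
      for (i = 1; i <= NF; i++) {
        if ($i == phys && $(i+1) == tap) hit = 1
        if ($i == "-j") target = $(i+1)
      }
      if (hit && target !~ /sg-chain$/) { print target; exit }
    }'
}
# Rules of one chain, in order, with the "-A <chain>" prefix stripped.
chain_rules() {  # $1 = chain name
  printf '%s\n' "$RULES" | awk -v c="$1" '$1 == "-A" && $2 == c { $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}
# Succeeds only if the chain carries an explicit ICMP ACCEPT/RETURN; otherwise ICMP falls
# through to the fallback chain, which is where the unanswered echo requests end up.
icmp_allowed() {  # $1 = chain name
  chain_rules "$1" | grep -Eq -- '-p icmp .*-j (ACCEPT|RETURN)'
}
TAP=tap1d079331-0c; IN_CHAIN=$(port_chain "$TAP" in)
printf 'ingress chain for %s: %s\n' "$TAP" "$IN_CHAIN"; chain_rules "$IN_CHAIN"
icmp_allowed "$IN_CHAIN" || echo "no ICMP rule in $IN_CHAIN: security group rules absent, pings stop here"
```

With the constructed ruleset the ingress chain holds only the state and fallback rules, which is the symptom in the question: frames reach the bridge but never the tap, because the security group rules that should populate the chain were never written.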
