SOS!! Cannot ping br-ex on the network node with Havana

asked 2014-03-11 05:40:09 -0600


updated 2014-03-17 00:26:13 -0600

I have 3 nodes with Neutron GRE tunnelling, and I can assign private and floating IPs to instances. The only problem is that the instances cannot get to the internet.

1) I can ping the qg-xxxxx from the instance, but not from the network node, even inside the qrouter-xxxxx namespace.

2) I can ping br-ex from the network node, but not from the instance.

Both say 'Destination Host Unreachable'.

Here are the details:

    root@network:~# ovs-vsctl show
    46755b2e-62fe-4f7c-b8ad-9f6c0cbd76a0
        Bridge br-ex        // IP: 172.31.9.203
            Port "qg-03969b97-49"  // I can ping this from the instance
                Interface "qg-03969b97-49"
                    type: internal
            Port br-ex        // I cannot ping br-ex from the instance
                Interface br-ex
                    type: internal
            Port "eth0"     // eth0 is in PROMISC mode
                Interface "eth0"
        Bridge br-tun
            ****
            ****
        Bridge br-int
            ****
            ****
        ovs_version: "1.10.2"


    root@network:~# ip netns exec qrouter-xxxxx ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    8: qg-03969b97-49: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
        link/ether fa:16:3e:66:4f:d4 brd ff:ff:ff:ff:ff:ff
        inet 172.31.9.210/24 brd 172.31.9.255 scope global qg-03969b97-49   // qg_IP
        inet 172.31.9.211/32 brd 172.31.9.211 scope global qg-03969b97-49   // VM1_IP
        inet6 fe80::f816:3eff:fe3e:dd55/64 scope link
           valid_lft forever preferred_lft forever
    12: qr-ef4f5ddd-81: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
        link/ether fa:16:3e:d1:c7:41 brd ff:ff:ff:ff:ff:ff
        inet 10.30.30.1/24 brd 10.30.30.255 scope global qr-ef4f5ddd-81
        inet6 fe80::f816:3eff:fe58:ff3a/64 scope link
           valid_lft forever preferred_lft forever

The physical gateway IP is 172.31.9.1, and I set it as my ext_net gateway.

I think this may be related to the namespace or to br-ex (the bridge and qg-xxx are not connected, or something like that). Does anyone know how to solve this problem?

Thanks

**UPDATE**

Ping from VM_1 (10.30.30.2/172.31.9.211) to the physical gateway (172.31.9.1):

    raw:PREROUTING:policy:2 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1
    TRACE: mangle:PREROUTING:policy:1 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1
    TRACE: nat:PREROUTING:rule:1 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1
    TRACE: nat:neutron-l3-agent-PREROUTING:return:3 IN=qr-ef4f5ddd-81 OUT= MAC=fa:16:3e:58:ff:3a:fa:16:3e:98:a6:bf:08:00 SRC=10.30.30.2 DST=172.31.9.1
    TRACE: nat:PREROUTING:policy:2 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1
    TRACE: mangle:FORWARD:policy:1 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=**0 SRC=10.30.30.2 DST=172.31.9.1
    TRACE: filter:FORWARD:rule:1 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=** SRC=10.30.30.2 DST=172.31.9.1
    TRACE ...
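The TRACE lines in the update above can be reduced to a short path summary, which is usually easier to reason about than the raw output. The script below is an added example, not part of the question: it parses the lines pasted above (the first one lost its "TRACE:" prefix in the paste), records each table:chain hop with its verdict, and reports the ingress and egress interface plus whether the packet ever reached the nat POSTROUTING chain, where the Neutron l3-agent installs the SNAT rules that rewrite the instance address to its floating IP. The sample input is the question's own trace; the function and field names are this example's own.

```python
import re

# Trace lines copied from the question above (output of the iptables TRACE target
# inside the qrouter namespace). The first line lost its "TRACE:" prefix in the paste.
SAMPLE_TRACE = """\
raw:PREROUTING:policy:2 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1
TRACE: mangle:PREROUTING:policy:1 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1
TRACE: nat:PREROUTING:rule:1 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1
TRACE: nat:neutron-l3-agent-PREROUTING:return:3 IN=qr-ef4f5ddd-81 OUT= MAC=fa:16:3e:58:ff:3a:fa:16:3e:98:a6:bf:08:00 SRC=10.30.30.2 DST=172.31.9.1
TRACE: nat:PREROUTING:policy:2 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1
TRACE: mangle:FORWARD:policy:1 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=**0 SRC=10.30.30.2 DST=172.31.9.1
TRACE: filter:FORWARD:rule:1 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=** SRC=10.30.30.2 DST=172.31.9.1
"""

# One hop: [TRACE:] table:chain:{rule|policy|return}:number followed by KEY=VALUE fields.
HOP_RE = re.compile(
    r"(?:TRACE:\s*)?(?P<table>\w+):(?P<chain>[\w-]+):(?P<kind>rule|policy|return):(?P<num>\d+)\s+(?P<rest>.*)"
)


def parse_trace(text):
    """Return one dict per TRACE line: table, chain, kind, rule number and the
    IN/OUT/SRC/DST fields (missing or empty fields become '')."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
        hops.append({
            "table": m.group("table"),
            "chain": m.group("chain"),
            "kind": m.group("kind"),
            "num": int(m.group("num")),
            "in": fields.get("IN", ""),
            "out": fields.get("OUT", ""),
            "src": fields.get("SRC", ""),
            "dst": fields.get("DST", ""),
        })
    return hops


def summarize_path(hops):
    """Condense the hops: was the packet routed (FORWARD chains seen), which interfaces
    did it enter and leave on, did it reach nat POSTROUTING (where SNAT happens), and
    what was the last hop recorded."""
    if not hops:
        return {"forwarded": False, "in": None, "out": None, "snat_seen": False, "last": None}
    out_ifaces = {h["out"] for h in hops if h["out"]}
    last = hops[-1]
    return {
        "forwarded": any(h["chain"] == "FORWARD" for h in hops),
        "in": hops[0]["in"],
        "out": out_ifaces.pop() if len(out_ifaces) == 1 else None,
        "snat_seen": any(h["table"] == "nat" and h["chain"] == "POSTROUTING" for h in hops),
        "last": f'{last["table"]}:{last["chain"]}:{last["kind"]}:{last["num"]}',
    }


if __name__ == "__main__":
    hops = parse_trace(SAMPLE_TRACE)
    for h in hops:
        print(f'{h["table"]:>7}:{h["chain"]:<28} {h["kind"]:>6} #{h["num"]:<2} in={h["in"]} out={h["out"]}')
    print(summarize_path(hops))
```

On the question's trace the packet enters on qr-ef4f5ddd-81, is routed out towards qg-03969b97-49 and is last seen at filter:FORWARD rule 1; snat_seen is False here only because the posted output is cut off at that point. On a complete trace, a packet that never reaches nat:POSTROUTING was dropped or rejected in a FORWARD chain before it could be translated, which is the first thing to rule out when a floating IP does not reach the external gateway.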

2 answers

answered 2014-03-12 02:10:48 -0600


You ought to ensure that your iptables rules are reflecting correctly. On a two-node Icehouse-M1 set-up with Neutron, GRE and OVS, here's what I have:

On Controller node:

    $ cat /etc/sysconfig/iptables
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 3260 -m comment --comment "001 cinder incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 3306 -m comment --comment "001 mariadb incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 8770:8780 -m comment --comment "001 novaapi incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "001 qpid incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 8700 -m comment --comment "001 metadata incoming" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A INPUT -p gre -j ACCEPT
    -A OUTPUT -p gre -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT

On Compute node:

    $ cat /etc/sysconfig/iptables
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -p gre -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A OUTPUT -p gre -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT

Comments

I checked my filter tables, and you can see them in the update part. It seems our tables are different, but I think it works, right?

seraphboy (2014-03-12 04:16:08 -0600)
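When comparing iptables rulesets like the ones in this answer, rule order matters as much as rule content: iptables evaluates a chain top to bottom and stops at the first rule whose target ends evaluation, so an ACCEPT placed after an unconditional REJECT can never match. The script below is an added example, not code from the answer or from any OpenStack project: it parses iptables-save style rules and reports every rule that is shadowed by an earlier catch-all terminal rule in the same chain. The two rulesets are excerpted, in their original order, from the controller and compute listings above; the function names are this example's own.

```python
import shlex

# Excerpts of the two rulesets posted in the answer above (/etc/sysconfig/iptables on
# the controller and compute node), kept in their original order.
CONTROLLER_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron incoming" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p gre -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

COMPUTE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p gre -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Targets that end evaluation of the chain for a packet that matches the rule.
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(ruleset):
    """Yield (chain, match_tokens, target, line) for each '-A' line in iptables-save
    format. '-m comment --comment ...' and '--reject-with ...' are not match criteria,
    so they are dropped; everything else between the chain and '-j' is a match."""
    for line in ruleset.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)          # honours the quoted comment strings
        chain, target, matches = toks[1], None, []
        i = 2
        while i < len(toks):
            tok = toks[i]
            if tok == "-j":
                target = toks[i + 1]
                i += 2
            elif tok == "--reject-with" or tok == "--comment":
                i += 2
            elif tok == "-m" and i + 1 < len(toks) and toks[i + 1] == "comment":
                i += 2
            else:
                matches.append(tok)
                i += 1
        yield chain, matches, target, line


def find_shadowed_rules(ruleset):
    """Return [(shadowed_rule, blocking_rule)] for rules that can never match because
    an earlier rule in the same chain matches every packet and ends evaluation."""
    blocker = {}       # chain -> first unconditional terminal rule seen in that chain
    shadowed = []
    for chain, matches, target, line in parse_rules(ruleset):
        if chain in blocker:
            shadowed.append((line, blocker[chain]))
        elif not matches and target in TERMINAL_TARGETS:
            blocker[chain] = line
    return shadowed


if __name__ == "__main__":
    for name, rules in (("controller", CONTROLLER_RULES), ("compute", COMPUTE_RULES)):
        for rule, blocking in find_shadowed_rules(rules):
            print(f"{name}: unreachable rule {rule!r}\n    blocked by {blocking!r}")
```

Run against the two listings, the compute ruleset is clean, while on the controller `-A INPUT -p gre -j ACCEPT` is reported as unreachable because it follows `-A INPUT -j REJECT --reject-with icmp-host-prohibited`; GRE tunnel traffic arriving at that host is only accepted if something earlier in the chain (for example the ESTABLISHED,RELATED rule) matches it first. Checking rule order this way before comparing two nodes' rulesets avoids concluding that a rule is in effect when it is not.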

answered 2014-03-16 06:16:42 -0600


Hi, I'm not sure if this helps. It happened to me before, but what I do is most probably restart the network interface. You might also need to temporarily disable the admin state of the ports connected to the router and enable it again. You can try to do it for both the external interface and also the network connected to the VM. So far it works for me.


Comments

Thank you, but it doesn't work :(

seraphboy (2014-03-16 22:13:42 -0600)
