Ask Your Question
0

SOS!!cannot ping br-ex in networknode with havana

asked 2014-03-11 05:40:09 -0500

seraphboy gravatar image

updated 2014-03-17 00:26:13 -0500

I have 3 nodes with neutron gre tunnelling, and I can assigned private and floating ip to instances. the only question is, the instance cannot get to internet.

1) I can ping the qg-xxxxx form instance, but failed form networknode, even in namespace qrouter-xxxxx.

2) I can ping the br-ex from networknode, but failed form instance.

both said ' Destination Host Unreachable '.

here is detail:

    root@network:~# ovs-vsctl show
        46755b2e-62fe-4f7c-b8ad-9f6c0cbd76a0
            Bridge br-ex        //IP:172.31.9.203
                Port "qg-03969b97-49"  // I can ping this form instance
                    Interface "qg-03969b97-49"
                        type: internal
                Port br-ex        // I cannot ping br-ex from instance 
                    Interface br-ex
                        type: internal
                Port "eth0"     // eth0 is in PROMISC MODE
                    Interface "eth0"
            Bridge br-tun
                ****
                ****
            Bridge br-int
                ****
                ****
 ovs_version: "1.10.2"


root@network:~# ip netns exec qrouter-xxxxx ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
8: qg-03969b97-49: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:66:4f:d4 brd ff:ff:ff:ff:ff:ff
    inet 172.31.9.210/24 brd 172.31.9.255 scope global qg-03969b97-49   //qg_IP
    iinet 172.31.9.211/32 brd 172.31.9.211 scope global qg-03969b97-49  //VM1_IP
    inet6 fe80::f816:3eff:fe3e:dd55/64 scope link
       valid_lft forever preferred_lft forever
12:  qr-ef4f5ddd-81: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:d1:c7:41 brd ff:ff:ff:ff:ff:ff
    inet 10.30.30.1/24 brd 10.30.30.255 scope global  qr-ef4f5ddd-81
    inet6 fe80::f816:3eff:fe58:ff3a/64 scope link
       valid_lft forever preferred_lft forever

the physic gateway_IP: 172.31.9.1, and I set it as my ext_net gateway

I think this may relate to namespace or br-ex(bridge and qg-xxx is not connect or something), anyone knows how to solve this problem ?

Thanks

****UPDATE******

ping form VM_1 (10.30.30.2/172.31.9.211) to physic gateway(172.31.9.1)

raw:PREROUTING:policy:2 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1 
TRACE: mangle:PREROUTING:policy:1 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1 
TRACE: nat:PREROUTING:rule:1 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1  
TRACE: nat:neutron-l3-agent-PREROUTING:return:3 IN=qr-ef4f5ddd-81 OUT= MAC=fa:16:3e:58:ff:3a:fa:16:3e:98:a6:bf:08:00 SRC=10.30.30.2 DST=172.31.9.1 
TRACE: nat:PREROUTING:policy:2 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1 
TRACE: mangle:FORWARD:policy:1 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=**0 SRC=10.30.30.2 DST=172.31.9.1  
TRACE: filter:FORWARD:rule:1 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=** SRC=10.30.30.2 DST=172.31.9.1 
TRACE ...
(more)
edit retag flag offensive close merge delete
add a comment

2 answers

Sort by » oldest newest most voted
1

answered 2014-03-12 02:10:48 -0500

kashyapc gravatar image

You ought to ensure you have your iptables rules are reflecting correctly. On a two node Icehouse-M1 set-up, with Neutron, GRE and OVS, here's what I have:

On Controller node:

$ cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3260 -m comment --comment "001 cinder incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3306 -m comment --comment "001 mariadb incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8770:8780 -m comment --comment "001 novaapi incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "001 qpid incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 8700 -m comment --comment "001 metadata incoming" -j ACCEPT 
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p gre -j ACCEPT 
-A OUTPUT -p gre -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

On Compute node:

$ cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p gre -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p gre -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
edit flag offensive delete link more

Comments

I checked my filter tables, and you can see them in update part. it seems our tables are different, but I think it is work, right?

seraphboy gravatar imageseraphboy ( 2014-03-12 04:16:08 -0500 )edit
add a comment
0

answered 2014-03-16 06:16:42 -0500

senyapsudah gravatar image

hi, i'm not sure if this help. happened to me before. but what i do is most probably restart the network interface. you might also need to temporary disable the admin state of the ports connected to the router and enabled it again. you can try to do it for both external interface and also network connected to vm. so far it works for me.

edit flag offensive delete link more

Comments

thank you, but it doesn't work:(

seraphboy gravatar imageseraphboy ( 2014-03-16 22:13:42 -0500 )edit
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2014-03-11 05:40:09 -0500

Seen: 1,004 times

Last updated: Mar 17 '14

Related questions

Can't ping or ssh a VM

Multiple fixed address per instance

vxlan peers not being created on compute node (vm not getting dhcp)

Finding and deleting orphaned resources.

How to allow external access for vms

WARNING nova.virt.libvirt.driver

Icehouse Neutron ML2 (OVS & GRE) MTU Problem?

Issue using bridge_mappings with linuxbridge agent

can't ssh to instance

No br-int for compute node