Packets not leaving compute host
I am having an unusual issue with networking behavior in my environment (Fedora 20/Icehouse/RDO). My VMs are booting up and are being assigned IPs by DHCP (as shown by nova list), but none of the VMs is actually getting an IP address. The issue appears to be that no packets are actually leaving the compute host.
Here are some of the steps I took to check.
Log in to the VM console and manually run udhcpc (CirrOS image). I see BOOTP packets in the tcpdump trace of phy-br-eth1, but I do not see them in the tcpdump of phy-br-eth1 on the network node.
On local compute node:
[root@aragorn arunt]# tcpdump -i phy-br-eth1
tcpdump: WARNING: phy-br-eth1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on phy-br-eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
23:57:25.288979 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from fa:16:3e:26:fa:5d (oui Unknown), length 280
23:57:28.301814 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from fa:16:3e:26:fa:5d (oui Unknown), length 280
23:57:31.308918 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from fa:16:3e:26:fa:5d (oui Unknown), length 280
Manually configure the IP address of the VM on the link. Ping another manually configured VM on the same compute host. Ping works.
Ping another manually configured VM on another compute node; ping does not work. The ICMP packet is seen on phy-br-eth1 of the compute host in question, but not on phy-br-eth1 of the other compute node.
Security groups and rules seem to be in place.
[root@grey utils]# nova secgroup-list-rules default
+-------------+-----------+---------+------------+--------------+
| IP Protocol | From Port | To Port | IP Range   | Source Group |
+-------------+-----------+---------+------------+--------------+
|             |           |         |            | default      |
| icmp        | -1        | -1      | 0.0.0.0/24 |              |
|             |           |         |            | default      |
| tcp         | 22        | 22      | 0.0.0.0/24 |              |
+-------------+-----------+---------+------------+--------------+
I am using openvswitch and not ml2.
Any inputs are greatly appreciated.
Can you check the iptables rules that are getting applied to the tap interfaces, using iptables -L, and see whether there are any DROP rules? Also try disabling the neutron security group and creating a new VM for testing.
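The check suggested in the answer above, as an added example that is not part of this thread and not Neutron's own code: a plain `iptables -L` does not print the in/out interface match, so "no DROP rules" read off it says little about one particular tap. The script below takes the text of `iptables -S` (which shows complete rules) and lists every DROP/REJECT rule that traffic entering or leaving a given tap interface can reach, following `-j` jumps into the per-port sub-chains. The rule set is constructed for the example; the tap name `tapfa16fa5d-00`, the port-id suffix and the fixed IP are invented, and the chain names only imitate the `neutron-openvswi-*` layout of the OVS agent's iptables firewall driver. The MAC address is the one from the tcpdump trace in the question.

```shell
#!/bin/sh
# Added example (not from the thread or from Neutron): list the DROP/REJECT
# rules reachable by packets that match one tap interface, from `iptables -S`
# output. Run offline against a CONSTRUCTED rule set; on a real compute node
# call: tap_drops "$(iptables -S)" tapXXXXXXXX-XX

# CONSTRUCTED sample. Tap name, port-id suffix and the 10.0.0.5 address are
# made up; chain names imitate neutron-openvswi-* naming but are hypothetical.
SAMPLE_IPTABLES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-A FORWARD -m physdev --physdev-in tapfa16fa5d-00 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A FORWARD -m physdev --physdev-out tapfa16fa5d-00 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapfa16fa5d-00 --physdev-is-bridged -j neutron-openvswi-ofa16fa5d-0
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapfa16fa5d-00 --physdev-is-bridged -j neutron-openvswi-ifa16fa5d-0
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-ofa16fa5d-0 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-ofa16fa5d-0 -j neutron-openvswi-sfa16fa5d-0
-A neutron-openvswi-ofa16fa5d-0 -m state --state INVALID -j DROP
-A neutron-openvswi-ofa16fa5d-0 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-ifa16fa5d-0 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-ifa16fa5d-0 -p icmp -j RETURN
-A neutron-openvswi-ifa16fa5d-0 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-sfa16fa5d-0 -s 10.0.0.5/32 -m mac --mac-source FA:16:3E:26:FA:5D -j RETURN
-A neutron-openvswi-sfa16fa5d-0 -j DROP
-A neutron-openvswi-sg-fallback -j DROP'

# Chains that rules matching interface $2 jump into. $1 = iptables -S text.
# Matches -i/-o as well as the physdev matches used on bridged tap ports.
chains_for_iface() {
    printf '%s\n' "$1" |
        grep -E -- "(^| )(-i|-o|--physdev-in|--physdev-out) $2( |$)" |
        awk '$(NF-1) == "-j" { print $NF }' | sort -u
}

# DROP/REJECT rules in chain $2 and in every user chain it jumps to.
# $1 = iptables -S text. This is reachability, not a match simulation: the
# reader still decides which of the printed rules a given packet really hits.
terminal_drops() {
    printf '%s\n' "$1" | grep -E -- "^-A $2 " |
        grep -E -- '-j (DROP|REJECT)( |$)' || true
    printf '%s\n' "$1" | grep -E -- "^-A $2 " |
        awk '$(NF-1) == "-j" && $NF !~ /^(ACCEPT|DROP|REJECT|RETURN)$/ { print $NF }' |
        while read -r sub; do
            terminal_drops "$1" "$sub"
        done
}

# Entry point: deduplicated DROP/REJECT rules on the path of interface $2.
tap_drops() {
    for chain in $(chains_for_iface "$1" "$2"); do
        terminal_drops "$1" "$chain"
    done | sort -u
}

# Stand-alone run against the constructed sample.
tap_drops "$SAMPLE_IPTABLES" tapfa16fa5d-00
```

Against the sample this prints three rules: the INVALID-state drop, the anti-spoof chain's final drop, and the `sg-fallback` drop; an interface with no rules prints nothing. In the situation described in the question the more telling fact is that the DHCP request is seen on `phy-br-eth1` but not on the far side, which is past the point where these chains run; the next thing to confirm is that the physical NIC is actually a port of the provider bridge (`ovs-vsctl list-ports br-eth1` should list `eth1` alongside `phy-br-eth1`). One more caveat from the rule listing in the question: `0.0.0.0/24` covers only 0.0.0.0 to 0.0.0.255, so those ICMP and SSH rules admit nothing useful; a rule meant for any source needs `0.0.0.0/0`. That does not explain the DHCP failure (the agent admits DHCP regardless, and the poster later disabled security groups), but it will matter once traffic flows.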
Thanks, Shankar Ganesh. My iptables rules seem to be fine, with no drops listed. I went ahead and disabled iptables and neutron security groups while switching all my services to use the Noop driver. Still no luck.