
Packets can't go from router inner interface to vm

asked 2014-07-07 09:04:33 -0500

HoangDo

updated 2014-07-07 09:34:57 -0500

I got a very strange behavior that drove me crazy for a whole day:

  • I assign a VM with a floating IP.
  • From the VM, I can ping to the internet OK.
  • From the outside random host, I can't ping to the VM.

Then I started tcpdump to see what happened. On the neutron router:

sudo ip netns exec qrouter-f918cbb7-dc0c-4713-a6f5-3c66b46e12cf tcpdump -i qg-0103d6fa-31
15:58:09.913759 IP > ICMP echo request, id 47245, seq 126, length 64

sudo ip netns exec qrouter-f918cbb7-dc0c-4713-a6f5-3c66b46e12cf tcpdump -i qr-343ab2cb-f5

15:56:40.209776 IP > ICMP echo request, id 47245, seq 37, length 64
15:56:41.217209 IP > ICMP echo request, id 47245, seq 38, length 64
15:56:42.225567 IP > ICMP echo request, id 47245, seq 39, length 64

I got the ICMP request on both interfaces of the ex-router, so everything is OK.

But on the VM, I got no ICMP request, only repeated ARP requests. The VM did reply with its MAC address. I checked the ARP table on the router and found that it got the MAC address of the VM OK:

sudo ip netns exec qrouter-f918cbb7-dc0c-4713-a6f5-3c66b46e12cf arp
Address                  HWtype  HWaddress           Flags Mask            Iface
                         ether   00:07:b4:00:00:02   C                     qg-0103d6fa-31
                         ether   fa:16:3e:38:69:78   C                     qr-343ab2cb-f5

Strangely, the VM received no ICMP after all. I don't know how to debug this case any more. Please help me with some leads.

UPDATE: I don't know if it is the case or not: the mac address of the tap device (on compute node) and the corresponding interface on VM is off:


tap2e901035-a4 Link encap:Ethernet  HWaddr fe:16:3e:be:28:23

interface on VM:

HWaddr fa:16:3e:be:28:23


Can you post ovs-vsctl show && brctl show on Compute node?
$ ip netns exec qdhcp-your-private-net-id ifconfig ( would give tap-xxxxxxx )
$ ip netns exec qdhcp-your-private-net-id tcpdump -ln -i tap-xxxxxxx

dbaxps (2014-07-07 09:15:24 -0500)

Bridge br-tun
Port "gre-7f000001"
Interface "gre-7f000001"
type: gre
options: {in_key=flow, local_ip="", out_key=flow, remote_ip=""}
This entry seems strange to me. It may be removed.

dbaxps (2014-07-07 09:46:00 -0500)

OK. Can you go to the internet from within your VMs (CirrOS for instance)?

dbaxps (2014-07-07 10:54:15 -0500)

You wrote: Yes, I can. If I ping from VM, both echo request reply go through
Can you run from within VM?
$ ifconfig ( to get local ipv4)
$ curl ( or local-ipv4)
$ curl

dbaxps (2014-07-07 11:08:22 -0500)

Check one more time: curl failing means that your instance fails to run cloud-init due to a failure to access metadata.

root@ubuntusrv0707:~# curl

It might be the core reason of your problems. Metadata troubleshooting steps may be found here

dbaxps (2014-07-08 03:34:13 -0500)

2 answers


answered 2014-07-08 03:59:11 -0500

dbaxps
Source tenant's credentials:

$ neutron security-group-rule-create --protocol icmp \
  --direction ingress --remote-ip-prefix default

$ neutron security-group-rule-create --protocol tcp \
  --port-range-min 22 --port-range-max 22 \
  --direction ingress --remote-ip-prefix default
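
An added example (not part of the original answer, and not Neutron's own code): a simplified Python model of security-group ingress evaluation, showing why a default group drops ping from an outside host while group members still get through, and what ICMP and port-22 ingress rules like the two above change. The rule dicts use Neutron's field names; the group id `default`, the addresses and the `203.0.113.0/24` source prefix are constructed assumptions.

```python
import ipaddress

# Constructed sample: the rules Neutron puts in a tenant's default group
# (all egress allowed, ingress only from members of the same group).
DEFAULT_GROUP = [
    {"direction": "egress", "ethertype": "IPv4", "protocol": None,
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": None, "remote_group_id": None},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": None,
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": None, "remote_group_id": "default"},
]

def rule(protocol, prefix, port_min=None, port_max=None):
    """Build an IPv4 ingress rule dict (hypothetical helper)."""
    return {"direction": "ingress", "ethertype": "IPv4", "protocol": protocol,
            "port_range_min": port_min, "port_range_max": port_max,
            "remote_ip_prefix": prefix, "remote_group_id": None}

def ingress_allowed(rules, src_ip, protocol, port=None, src_groups=()):
    """Return True if any ingress rule admits a new inbound IPv4 packet."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["direction"] != "ingress" or r["ethertype"] != "IPv4":
            continue
        if r["protocol"] not in (None, protocol):
            continue
        # Port ranges are modelled for TCP/UDP only; None means any port.
        if protocol in ("tcp", "udp") and r["port_range_min"] is not None:
            if port is None or not r["port_range_min"] <= port <= r["port_range_max"]:
                continue
        if r["remote_group_id"] is not None:
            # Group rules match on the sender's group membership, not its IP.
            if r["remote_group_id"] in src_groups:
                return True
            continue
        # A rule with no prefix and no remote group matches any source.
        if src in ipaddress.ip_network(r["remote_ip_prefix"] or "0.0.0.0/0"):
            return True
    return False

OUTSIDE = "203.0.113.10"      # constructed external host
ADMIN_NET = "203.0.113.0/24"  # assumed source prefix, kept narrow on purpose
FIXED = DEFAULT_GROUP + [rule("icmp", ADMIN_NET), rule("tcp", ADMIN_NET, 22, 22)]
```

Replies to traffic the VM itself starts are admitted by connection tracking rather than by an ingress rule, which is why ping from the VM works even with only the default group.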

answered 2018-09-13 00:12:38 -0500

Routers route packets individually, based on the destination address, not the source address. A router doesn't know that any packet is a reply to any other packet. This can sometimes result in asymmetric routing. For any issue regarding routers, get help from this (Belkin Support)




Asked: 2014-07-07 09:04:33 -0500

Seen: 1,410 times

Last updated: Jul 08 '14