Packets can't go from router inner interface to vm

asked 2014-07-07 09:04:33 -0500

HoangDo gravatar image

updated 2014-07-07 09:34:57 -0500

I got a very strange behavior that drived me crazy a whole day:

  • I assign a VM with a floating IP.
  • From the VM, I can ping to the internet OK.
  • From the outside random host, I can't ping to the VM.

Then I start tcpdump to see waht happened. On neutron router:

sudo ip netns exec qrouter-f918cbb7-dc0c-4713-a6f5-3c66b46e12cf tcpdump -i qg-0103d6fa-31
15:58:09.913759 IP > ICMP echo request, id 47245, seq 126, length 64

sudo ip netns exec qrouter-f918cbb7-dc0c-4713-a6f5-3c66b46e12cf tcpdump -i qr-343ab2cb-f5

15:56:40.209776 IP > ICMP echo request, id 47245, seq 37, length 64
15:56:41.217209 IP > ICMP echo request, id 47245, seq 38, length 64
15:56:42.225567 IP > ICMP echo request, id 47245, seq 39, length 64

I got the ICMP request on both interfaces of the ex-router, so everything is OK.

But on the VM, I got no ICMP request, only get repeatively ARP request. The VM did reply its MAC address. I checked ARP table on router and found that it got MAC address of VM OK (

sudo ip netns exec qrouter-f918cbb7-dc0c-4713-a6f5-3c66b46e12cf arp                         
Address                  HWtype  HWaddress           Flags Mask            Iface          ether   00:07:b4:00:00:02   C                     qg-0103d6fa-31           ether   fa:16:3e:38:69:78   C                     qr-343ab2cb-f5

Strangely, the VM received no ICMP after all. I don't know how to debug this case any more. Please help me with some leads.

UPDATE: I don't know if it is the case or not: the mac address of the tap device (on compute node) and the corresponding interface on VM is off:


tap2e901035-a4 Link encap:Ethernet  HWaddr fe:16:3e:be:28:23

interface on VM:

HWaddr fa:16:3e:be:28:23
edit retag flag offensive close merge delete


Can you post ovs-vsctl show && brctl show on Compute node ?
$ip netns exec qdhcp-your-private-net-id ifconfig ( would give tap-xxxxxxx )
$ip netns exec qdhcp-your-private-net-id tspdump -ln -i tap-xxxxxxx

dbaxps gravatar imagedbaxps ( 2014-07-07 09:15:24 -0500 )edit

Bridge br-tunBridge br-tun
Port "gre-7f000001"
Interface "gre-7f000001"
type: gre
options: {in_key=flow, local_ip="", out_key=flow, remote_ip=""}
This entry seems strange to me . It may be removed

dbaxps gravatar imagedbaxps ( 2014-07-07 09:46:00 -0500 )edit

OK . Can you go to internet from within your VMs ( CirrOS for instance ) ?

dbaxps gravatar imagedbaxps ( 2014-07-07 10:54:15 -0500 )edit

You wrote : Yes, I can. If I ping from VM, both echo request reply go through
Can you run from within VM ?
$ ifconfig ( to get local ipv4)
$ curl ( or local-ipv4)
$ curl

dbaxps gravatar imagedbaxps ( 2014-07-07 11:08:22 -0500 )edit

Check one more time curl fails means that you instance fails to run cloud-init due to failure access metadata.

root@ubuntusrv0707:~# curl

It might be core reason of your problems. Metadata troubleshooting steps may be found here

dbaxps gravatar imagedbaxps ( 2014-07-08 03:34:13 -0500 )edit

2 answers

Sort by ยป oldest newest most voted

answered 2018-09-13 00:12:38 -0500

Routers route packets individually, based on the destination address, not the source address. A router doesn't know that any packet is a reply to any other packet. This can sometimes result in asymmetric routing. any issue regarding router get help from this (Belkin Support)

edit flag offensive delete link more

answered 2014-07-08 03:59:11 -0500

dbaxps gravatar image
Source tenant's credentials :-

$ neutron security-group-rule-create --protocol icmp \
  --direction ingress --remote-ip-prefix default

$ neutron security-group-rule-create --protocol tcp \
  --port-range-min 22 --port-range-max 22 \
  --direction ingress --remote-ip-prefix default
edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools



Asked: 2014-07-07 09:04:33 -0500

Seen: 1,343 times

Last updated: Jul 08 '14