Icehouse Neutron ML2 (OVS & GRE) MTU Problem?

asked 2014-08-06 20:10:49 -0600

stacker_filo_23

Hi all,

I have built an OpenStack IceHouse cluster on Ubuntu 14.04 by following the instructions (here).

My environment looks like the following:

  1. One (1) Controller node
  2. One (1) Network node
  3. Three (3) Compute nodes

This (diagram) depicts how OpenStack services are distributed on the nodes.

I can launch VMs on a tenant network. They successfully get an IP on the internal network via DHCP. I can successfully attach a public floating IP to the VMs. I can ping both the internal and floating IPs. So far so good.

Now my problems:

  1. I can't ssh into the instances. ssh -v shows connection but just hangs.
  2. During bootup, the VMs can't reach the metadata server at . No key injection. Explains #1.

But after bootup, I can get into a cirros image through console and curl successfully. The VM can also reach the outside world (the internet). I can resolve IP's using google's But telnet 80 fails.

Searching this forum, I have found two clues:

  1. The known MTU problem. Something like (this). But the fix of trying to set VM MTU to 1400 is not working. Cirros doesn't respect mtu via DHCP. On the other Ubuntu images, I can't login to check.
  2. Metadata proxy server misconfiguration. I've gone over this several times and I can't note a misconfiguration. All logs seem to show successful metadata being given out.

Here are some pertinent config files from the environment:

nova.conf from Controller node

root@controller:~# cat /etc/nova/nova.conf
root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
rpc_backend = rabbit
rabbit_host = controller
rabbit_password = Fusiondc10!
my_ip =
vncserver_listen =
vncserver_proxyclient_address =
auth_strategy = keystone
network_api_class =
neutron_url = http://controller:9696
neutron_auth_strategy = keystone
neutron_admin_tenant_name = service
neutron_admin_username = neutron
neutron_admin_password = Fusiondc10!
neutron_admin_auth_url = http://controller:35357/v2.0
linuxnet_interface_driver =
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api = neutron
service_neutron_metadata_proxy = true
neutron_metadata_proxy_shared_secret = e773b738013e04efd8f1

connection = mysql://nova:Fusiondc10!@controller/nova

auth_uri = http://controller:5000
auth_host = controller
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = nova
admin_password = Fusiondc10!

neutron.conf on Network Server

root@neutron1:~# egrep -v '^$|^#' /etc/neutron/neutron.conf
verbose = True
state_path = /var/lib/neutron
lock_path = $state_path/lock
bind_host = ...


Here is more info I found that points towards an MTU fragmentation issue. Here is what happens in tcpdump when I'm doing curl to from my cirros guest. It returns successfully. But it takes about 3 minutes. This causes the timeout during boot up.

I see tons of cksum (incorrect) and [DF] "do not fragment" flags. Changing the mtu of the VM doesn't help.

   root@neutron1:~# ip netns exec qrouter-8c781c2b-44ee-4e85-913d-20499dcce34f tcpdump -vv -i qr-930b8a5f-62 host > Flags [P.], cksum 0x1689 (incorrect -> 0x2b46), seq 4294966204:4294966367, ack 1, win 1700, options [nop,nop,TS val 309904 ecr 91698904], length 163
    23:43:50.168433 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60) > ...
stacker_filo_23 ( 2014-08-07 02:02:37 -0600 )

Have you had any success in solving this issue?

aw00kie ( 2014-08-20 18:06:30 -0600 )

I finally made it work last week by doing a clean install following the updated OpenStack Installation Guide for Ubuntu as of Sep 19, 2014. There was an addition to the dhcp_agent.ini on the Network node regarding the MTU. All is good. :)

chrone ( 2014-09-24 00:06:12 -0600 )

1 answer


answered 2014-08-07 04:01:41 -0600

foexle


Some hints:


libvirt_inject_partition=-1 should be -2
libvirt_inject_key=false => true
libvirt_nonblocking = True
vif_plugging_timeout = 0

Please post your plugin configuration file (ml2) and metadata. In addition, check that the metadata secret is the same in all config files.

Ah, and not to forget: check your security rules :) You need to open HTTP/HTTPS to the outside, otherwise your VM can't communicate with the metadata service.

Cheers Heiko
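
One way to run the secret comparison suggested in this answer, as an added example that is not part of the original post or of OpenStack. It compares `neutron_metadata_proxy_shared_secret` in nova.conf with `metadata_proxy_shared_secret` in metadata_agent.ini; the file contents and secrets below are constructed placeholders, and both options are assumed to live in `[DEFAULT]`.

```python
import configparser
import hmac

# Constructed sample files with placeholder secrets (not values from the post).
NOVA_CONF = """\
[DEFAULT]
service_neutron_metadata_proxy = true
neutron_metadata_proxy_shared_secret = EXAMPLE-SECRET-A
"""
METADATA_AGENT_INI = """\
[DEFAULT]
nova_metadata_ip = controller
metadata_proxy_shared_secret = EXAMPLE-SECRET-B
"""


def _default_option(text, option):
    """Return the stripped value of `option` in [DEFAULT], or None if absent."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    # Prepending a header tolerates pastes whose section lines were lost.
    parser.read_string("[DEFAULT]\n" + text)
    value = parser.defaults().get(option)
    return value.strip() if value is not None else None


def check_metadata_secret(nova_conf, agent_ini):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    enabled = _default_option(nova_conf, "service_neutron_metadata_proxy")
    if (enabled or "").lower() != "true":
        findings.append("nova.conf: service_neutron_metadata_proxy is not true")
    nova_secret = _default_option(nova_conf, "neutron_metadata_proxy_shared_secret")
    agent_secret = _default_option(agent_ini, "metadata_proxy_shared_secret")
    if not nova_secret:
        findings.append("nova.conf: neutron_metadata_proxy_shared_secret missing or empty")
    if not agent_secret:
        findings.append("metadata_agent.ini: metadata_proxy_shared_secret missing or empty")
    if nova_secret and agent_secret and not hmac.compare_digest(
            nova_secret.encode(), agent_secret.encode()):
        # Report the mismatch without echoing either secret into output or logs.
        findings.append("shared secret differs between nova.conf and metadata_agent.ini")
    return findings


if __name__ == "__main__":
    for line in check_metadata_secret(NOVA_CONF, METADATA_AGENT_INI) or ["OK"]:
        print(line)
```

The findings never include the secret itself, so the output can be pasted into a forum thread or ticket.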



Thank you for the response, mate.

  1. I had attached ml2_conf.ini and metadata_agent.ini to my original post. Hit (more).
  2. I made the nova.conf edits you suggested. It didn't help. That was for ceph (to avoid filesystem injection and to rely on cloud-init instead).
  3. Security rules are in place.
stacker_filo_23 ( 2014-08-07 14:58:43 -0600 )

What happens when you set the MTU size to 1400 from within the Cirros VM? Log in from the console and set the MTU. FYI... I have the same issue. On Ubuntu I enabled root login and set a password before uploading it into glance so I could log in from the console.

jay-janardhan ( 2014-08-07 15:36:53 -0600 )

Setting the MTU to 1400 within CirrOS doesn't seem to improve things. I wish that trick had worked for me. I have my dhcp_conf.ini set so that it will give all VMs 1400 MTU. Not sure if it's working on Ubuntu images or not. I'm going to try your method of uploading a root'able Ubuntu image to glance. Clever.

stacker_filo_23 ( 2014-08-07 15:48:10 -0600 )

Could you paste /etc/neutron/dnsmasq/dnsmasq-neutron.conf? You can try: dhcp-option-force=26,1454

foexle ( 2014-08-08 02:54:51 -0600 )

Hi Foexle, here is my dnsmasq-neutron.conf file. I've tried both 1400 and 1450 to no avail.

root@neutron1:~# cat /etc/neutron/dnsmasq/dnsmasq-neutron.conf
stacker_filo_23 ( 2014-08-08 13:22:17 -0600 )
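
The MTU values discussed in this thread (1400, 1450, 1454) can be checked against the GRE encapsulation overhead. The following is an added example, not code from any poster or from OpenStack: it computes the largest instance MTU that fits a physical MTU and classifies the DHCP option 26 setting found in a dnsmasq-neutron.conf. It assumes GRE over IPv4 with a tunnel key and allows for one inner 802.1Q tag; the sample line is constructed.

```python
# Bytes added when an instance's Ethernet frame is carried in GRE over IPv4.
OUTER_IPV4 = 20      # outer IPv4 header without options
GRE_WITH_KEY = 8     # 4-byte GRE header plus 4-byte key (tunnel ID)
INNER_ETHERNET = 14  # the instance's own Ethernet header
INNER_VLAN_TAG = 4   # allowance for an 802.1Q tag on the inner frame (assumption)


def max_instance_mtu(physical_mtu=1500, inner_vlan=True):
    """Largest instance MTU whose encapsulated packet fits physical_mtu."""
    overhead = OUTER_IPV4 + GRE_WITH_KEY + INNER_ETHERNET
    if inner_vlan:
        overhead += INNER_VLAN_TAG
    return physical_mtu - overhead


def advertised_mtu(dnsmasq_conf):
    """Return (mtu, forced) from the last DHCP option 26 line seen, else None."""
    found = None
    for raw in dnsmasq_conf.splitlines():
        key, sep, value = raw.split("#", 1)[0].strip().partition("=")
        key = key.strip()
        if not sep or key not in ("dhcp-option", "dhcp-option-force"):
            continue
        fields = [f.strip() for f in value.split(",")]
        fields = [f for f in fields if not f.startswith("tag:")]
        if len(fields) >= 2 and fields[0] in ("26", "option:mtu") \
                and fields[1].isdigit():
            found = (int(fields[1]), key == "dhcp-option-force")
    return found


def review(dnsmasq_conf, physical_mtu=1500):
    """Classify the config as 'missing', 'too-large', 'ok-not-forced' or 'ok'."""
    setting = advertised_mtu(dnsmasq_conf)
    if setting is None:
        return "missing"
    mtu, forced = setting
    if mtu > max_instance_mtu(physical_mtu):
        return "too-large"
    # Without -force, dnsmasq sends the option only to clients that request it.
    return "ok" if forced else "ok-not-forced"


if __name__ == "__main__":
    sample = "dhcp-option-force=26,1454\n"  # constructed sample line
    print(max_instance_mtu(), advertised_mtu(sample), review(sample))
```

An "ok" result only says the advertised value fits the tunnel; whether the guest's DHCP client applies option 26 still has to be confirmed inside the instance.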


Asked: 2014-08-06 20:10:49 -0600

Seen: 2,017 times

Last updated: Aug 07 '14