
VMs on subnet suffer IGMP timeouts.

asked 2014-08-28 17:04:42 -0500

cnkcb

Havana + neutron + vswitch:

Via Horizon dashboard, I created a network with a 10.16.1/24 subnet, disabled gateway, enabled DHCP with range. Then I launched 2 trusty instances, each with two NICs: eth0 for my regular public interface, and eth1 for the 10.16.1/24 subnet. I installed mgen and configured complementary mgen scripts to have the two exchange 1 multicast message per second for 360 seconds. One VM stops receiving packets after 260 seconds (the IGMP Snooping Group Timeout?). The other VM keeps receiving messages for the entire period.

Using wireshark, I captured the IGMP traffic at each VM (not enough points to attach images, yet). The successful VM sees and responds to IGMP Membership queries. The failing VM never sees those queries, hence the timeout, hence the missing data.

I'm guessing this is a firewall issue - keeping the failing VM from seeing the queries. If so, how can I open the firewall for all VMs, so I don't have to do this for each affected VM (many) of each affected tenant (also many)?



Two random ideas:

  • write a script to add rules to the security groups?
  • modify default security group and allow what you want?

T u l ( 2014-08-29 03:04:31 -0500 )

Both VMs get the same default security group settings - so I don't know why one would work OK, and the other would block IGMP unless that is a feature of the neutron/vswitch software. What are the correct security group settings to allow IGMP? There's no selection for "All IGMP".

cnkcb ( 2014-08-29 11:08:09 -0500 )

Duplicate: (Duplicate) - though no answer there either.

cnkcb ( 2014-08-29 11:10:55 -0500 )

Duplicate: (Duplicate) - no answer...

cnkcb ( 2014-08-29 11:33:36 -0500 )

1 answer


answered 2014-08-29 12:05:36 -0500

cnkcb

updated 2014-08-29 12:06:49 -0500

Thanks to @T-u-l for pointing me in the right direction. I figured out the firewall rule I needed to add.

In Havana/Horizon Access & Security, edit default rules and add a new rule:

  • Rule: Other Protocol
  • Direction: Ingress
  • IP Protocol: 2
  • Remote: CIDR
  • CIDR:
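The rule from the answer, applied from the command line to several security groups at once, as an added example that is not part of the original answer. It assumes the `neutron` CLI is installed and credentials are sourced; `allow_igmp`, `valid_cidr` and `DRY_RUN` are names made up here, and the CIDR, which the page does not give, is passed as an argument.

```shell
#!/bin/sh
# Added example: apply the answer's rule (ingress, IP protocol 2 = IGMP) to
# many security groups with the neutron CLI instead of clicking through Horizon.
# The CIDR is not given on the page: pass the prefix your IGMP queries come from.

# Accept only a full four-octet IPv4 prefix, e.g. 10.16.1.0/24 (constructed
# sample). Shorthand such as 10.16.1/24 is rejected before any rule is created.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# allow_igmp CIDR SG_ID...
# Adds one ingress rule per security group. Returns the number of groups that
# failed, or 255 if the CIDR is malformed. Set DRY_RUN=1 to only print commands.
allow_igmp() {
    cidr=$1
    shift
    if ! valid_cidr "$cidr"; then
        echo "refusing: '$cidr' is not a four-octet IPv4 CIDR" >&2
        return 255
    fi
    failed=0
    for sg in "$@"; do
        if [ -n "$DRY_RUN" ]; then
            echo "neutron security-group-rule-create --direction ingress" \
                 "--protocol 2 --remote-ip-prefix $cidr $sg"
            continue
        fi
        if neutron security-group-rule-create \
               --direction ingress \
               --protocol 2 \
               --remote-ip-prefix "$cidr" \
               "$sg" >/dev/null; then
            echo "ok     $sg"
        else
            echo "FAILED $sg" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}
```

Source the file, then call `allow_igmp <CIDR> <security-group-id>...`, once per tenant's default group IDs. A prefix limited to the subnet that carries the multicast traffic keeps the rule narrower than opening protocol 2 to every source.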


Last updated: Aug 29 '14