2

Neutron Router fails to access external network

asked 2015-01-14 05:40:14 -0500

PhilSmyth

updated 2015-01-14 08:29:09 -0500

My setup is a three-node Icehouse install, using Ubuntu 14.04 and using VLANs on both the switch and neutron. An instance can be booted and receives an IP address from the demo-network. When a floating IP address is created and added to the instance, it is done without error. However, when we try to ping the address, it says 'Destination Host Unreachable'.

Looking into the router namespace on the network node and pinging the instance, it can be accessed; however, if I then attempt to access the network gateway or another address on the network, it brings up the same host unreachable message. This has led me to believe that the problem lies in the router getting access to the external network. Routing on the router namespace seems correct; however, below are a few details to help.

ovs-vsctl show on the network node:

 Bridge br-ex
        Port br-ex
            Interface br-ex
                type: internal
        Port access
            tag: 1
            Interface access
                type: internal
        Port tunnel
            tag: 91
            Interface tunnel
                type: internal
        Port "em1"
            Interface "em1"
        Port manage
            tag: 90
            Interface manage
                type: internal
        Port phy-br-ex
            Interface phy-br-ex
        Port "qg-e0568127-66"
            Interface "qg-e0568127-66"
                type: internal
    Bridge br-int
        fail_mode: secure
        Port br-int
            Interface br-int
                type: internal
        Port int-br-ex
            Interface int-br-ex
        Port "tapc6621d51-92"
            tag: 1
            Interface "tapc6621d51-92"
        Port "qr-8518aa2a-53"
            tag: 1
            Interface "qr-8518aa2a-53"
                type: internal
    ovs_version: "2.0.2"

ovs-vsctl show on the compute node:

Bridge br-int
        fail_mode: secure
        Port "qvo2413c721-39"
            tag: 7
            Interface "qvo2413c721-39"
        Port int-br-ex
            Interface int-br-ex
        Port br-int
            Interface br-int
                type: internal
    Bridge br-ex
        Port br-ex
            Interface br-ex
                type: internal
        Port phy-br-ex
            Interface phy-br-ex
        Port tunnel
            tag: 91
            Interface tunnel
                type: internal
        Port manage
            tag: 90
            Interface manage
                type: internal
        Port "em1"
            Interface "em1"
        Port access
            tag: 1
            Interface access
                type: internal
    ovs_version: "2.0.2"

neutron router-show demo-router

+-----------------------+-----------------------------------------------------------------------------+
| Field                 | Value                                                                       |
+-----------------------+-----------------------------------------------------------------------------+
| admin_state_up        | True                                                                        |
| external_gateway_info | {"network_id": "5d3d7aeb-74d2-4dd9-b225-fcaae42f8491", "enable_snat": true} |
| id                    | af5defb3-489a-4b67-ac3f-dd106ef244f3                                        |
| name                  | demo-router                                                                 |
| routes                |                                                                             |
| status                | ACTIVE                                                                      |
| tenant_id             | 939df6198eba4f6fba7e9ca5ca4177dc                                            |
+-----------------------+-----------------------------------------------------------------------------+

As I said before, we can ping and ssh from the router namespace on the network node, so the security group rules are fine, but without the router getting external access, the instance doesn't have external access either.

If anyone has any suggestions for solving this issue, it would be appreciated.

[EDIT] Result of ip netns exec qrouter-xxx ip addr:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
34: qr-8518aa2a-53: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default 
    link/ether fa:16:3e:56:21:d4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global qr-8518aa2a-53
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe56:21d4/64 scope link 
       valid_lft forever preferred_lft forever
35: qg-e0568127-66: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default 
    link/ether ...

Comments

What did the following commands say?

    ip netns exec qrouter-xxx ip addr
    ip netns exec qrouter-xxx route -n
    ip netns exec qrouter-xxx iptables -nvL

9lives ( 2015-01-14 06:36:08 -0500 )

Results of those commands are added to the question.

PhilSmyth ( 2015-01-14 07:07:13 -0500 )

One more thing, what did the ifconfig em1 on both network and compute node say?

9lives ( 2015-01-14 07:58:08 -0500 )

They're up as well, but that may not be helpful as external access etc. is done through VLANs.

PhilSmyth ( 2015-01-14 08:03:46 -0500 )

Could you post route -n on the network node?

dbaxps ( 2015-01-14 08:13:27 -0500 )

2 answers

0

answered 2015-01-14 09:03:17 -0500

PhilSmyth

Problem has been resolved. OVS had not been tagging the qg-xxx interface with tag=1, which meant the router could not get out onto the external network. By tagging the interface with tag 1, the interface and router can get out onto the network.

Thanks for your help. Hope this might help someone else at some point.


Comments

I'm also facing the same problem: able to ping the router using ip netns exec but can't do a normal ping. My question is here. What tag should I try to assign? Is any tag good enough? Thanks!

pravinjoshi95 ( 2015-01-26 08:53:44 -0500 )
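
The check behind the fix described in the answer above, as an added example that is not part of the original posts: it parses `ovs-vsctl show` output and lists `qg-` router gateway ports that carry no VLAN tag. The sample text is constructed from the br-ex and br-int excerpts in the question, and the function names are hypothetical.

```python
import re

# Constructed sample: a trimmed copy of the network node's `ovs-vsctl show`
# output from the question (access port tagged, qg- gateway port untagged).
SAMPLE = '''\
    Bridge br-ex
        Port access
            tag: 1
            Interface access
                type: internal
        Port "qg-e0568127-66"
            Interface "qg-e0568127-66"
                type: internal
    Bridge br-int
        Port "qr-8518aa2a-53"
            tag: 1
            Interface "qr-8518aa2a-53"
                type: internal
'''

def parse_ports(text):
    """Return {bridge: {port: tag or None}} from `ovs-vsctl show` output."""
    bridges, bridge, port = {}, None, None
    for line in text.splitlines():
        m = re.match(r'\s*(Bridge|Port|tag:)\s+"?([^"\s]+)"?\s*$', line)
        if not m:
            continue  # Interface, type, fail_mode, ovs_version lines
        kind, value = m.groups()
        if kind == "Bridge":
            bridge, port = value, None
            bridges[bridge] = {}
        elif kind == "Port" and bridge is not None:
            port = value
            bridges[bridge][port] = None  # untagged until a tag line follows
        elif kind == "tag:" and port is not None:
            bridges[bridge][port] = int(value)
    return bridges

def untagged_gateway_ports(text, prefix="qg-"):
    """List (bridge, port) for router gateway ports that carry no VLAN tag."""
    return [(br, p) for br, ports in parse_ports(text).items()
            for p, tag in ports.items() if p.startswith(prefix) and tag is None]

if __name__ == "__main__":
    for br, p in untagged_gateway_ports(SAMPLE):
        print(f"{br}: {p} has no VLAN tag; check with: ovs-vsctl get port {p} tag")
```
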
0

answered 2015-01-14 08:57:03 -0500

dbaxps

updated 2015-01-14 08:59:31 -0500

Using the answer field as a comment to post a sample.
Your route -n on the Network Node says that you have a problem with metadata access, which might be the cause of your problem. Sample with routes to the 169.254.0.0 net posted below:

[root@fedora21 ~(keystone_admin)]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 br-ex
169.254.0.0     0.0.0.0         255.255.0.0     U     1004   0        0 enp2s0
169.254.0.0     0.0.0.0         255.255.0.0     U     1006   0        0 br-ex
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-ex
