Cannot ping external network from tenant network

asked 2015-02-28 01:50:10 -0500

FISHKUN



Hello,

I have a setup of 1 server
Cannot ping external network from tenant network

thank you for your help!

==============================================
  TROUBLE CASE
==============================================
 CASE 1. instance 10.0.0.3 <-> br-ex            192.168.20.200 (ssh, ping OK!!!) 
 CASE 2. instance 10.0.0.3 <-> external network 192.168.20.1 (ssh, ping X)


[root@stack2 pkg(keystone_demo)]# nova list
+--------------------------------------+------+--------+------------+-------------+---------------------------------+
| ID                                   | Name | Status | Task State | Power State | Networks                        |
+--------------------------------------+------+--------+------------+-------------+---------------------------------+
| 39458cc1-020e-4fa6-a013-372a57a5643c | vm1  | ACTIVE | -          | Running     | private=10.0.0.3, 192.168.20.91 |
| 141c64dc-e156-4441-aea1-d9f0c8c359b6 | vm2  | ACTIVE | -          | Running     | private=10.0.0.4, 192.168.20.92 |
+--------------------------------------+------+--------+------------+-------------+---------------------------------+

[root@stack2 network(keystone_demo)]# nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+


==========  CASE 1 ======================================

##################################
 HOST -> External gateway PING
##################################
[root@stack2 network-scripts(keystone_admin)]# ping -c3 192.168.20.1
PING 192.168.20.1 (192.168.20.1) 56(84) bytes of data.
64 bytes from 192.168.20.1: icmp_seq=1 ttl=64 time=0.295 ms
64 bytes from 192.168.20.1: icmp_seq=2 ttl=64 time=0.169 ms
64 bytes from 192.168.20.1: icmp_seq=3 ttl=64 time=0.240 ms

--- 192.168.20.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.169/0.234/0.295/0.054 ms


#########################################
 HOST -> instance(VM) Floating IP PING
#########################################
[root@stack2 network-scripts(keystone_admin)]# ping -c3 192.168.20.91
PING 192.168.20.91 (192.168.20.91) 56(84) bytes of data.
64 bytes from 192.168.20.91: icmp_seq=1 ttl=63 time=2.68 ms
64 bytes from 192.168.20.91: icmp_seq=2 ttl=63 time=0.218 ms
64 bytes from 192.168.20.91: icmp_seq=3 ttl=63 time=0.274 ms

--- 192.168.20.91 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms


#########################################
 HOST -> instance Floating IP ssh
#########################################
[root@stack2 network-scripts(keystone_admin)]# ssh cirros@192.168.20.91
cirros@192.168.20.91's password: 
$ sudo su
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0

##########################
 instance -> br-ex PING
##########################
$ ping -c3 192.168.20.167
PING 192.168.20.167 (192.168.20.167): 56 data bytes
64 bytes from 192.168.20.167: seq=0 ttl=63 time=0.888 ms
64 bytes from 192.168.20.167: seq=1 ttl=63 time=0.571 ms
64 bytes from 192.168.20.167: seq=2 ttl=63 time=0.454 ms

--- 192.168.20.167 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.454/0.637/0.888 ms


###############################################
 instance -> external gateway PING ===> FAIL
###############################################
$ ping -c3 192.168.20.1
PING 192.168.20 ...

Comments

Can you show us the security group rules?

SGPJ ( 2015-03-01 03:28:10 -0500 )

Security Groups

default
        ALLOW IPv4 22/tcp from 0.0.0.0/0
        ALLOW IPv6 to ::/0
        ALLOW IPv4 icmp from 0.0.0.0/0
        ALLOW IPv4 from default
        ALLOW IPv6 from default
        ALLOW IPv4 to 0.0.0.0/0
        ALLOW IPv4 icmp to 0.0.0.0/0
FISHKUN ( 2015-03-01 17:23:48 -0500 )

Hi,

If you can ping br-ex and cannot ping the ext. gateway, which is outside your machine, it's a problem of setting the gateway. I mean, if your packet is reaching br-ex, there is no other way to stop it from going to the external network. 1. Can you ping the ext. gateway from br-ex? 2. Take tcpdump -e at br-ex.

ritesh.singh.aricent@gmail.com ( 2015-09-15 03:50:40 -0500 )
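
One way to read the `tcpdump -e` capture on br-ex suggested in the last comment, added here as an example and not posted by anyone in the thread. The function name `classify`, the capture lines, MAC addresses and ICMP ids are constructed, and treating a `10.0.0.` source as "not NATed" is an assumption based on the private network shown in the question.

```python
import re

# One line of `tcpdump -e -n icmp` output; -e adds the source and destination MACs.
LINE = re.compile(
    r"(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 .*?: "
    r"(?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def classify(capture, gateway, tenant_prefix="10.0.0."):
    """Summarise what a br-ex capture shows for pings sent to `gateway`."""
    requests, replies, tenant_src = set(), set(), set()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # ARP, other traffic, or a truncated line
        key = (m["id"], m["seq"])
        if m["kind"] == "request" and m["dst"] == gateway:
            requests.add(key)
            if m["src"].startswith(tenant_prefix):
                tenant_src.add(key)  # left the router without source NAT
        elif m["kind"] == "reply" and m["src"] == gateway:
            replies.add(key)
    if not requests:
        return "no echo requests to the gateway seen on br-ex"
    if tenant_src:
        return "requests carry a tenant source address (not NATed)"
    if not requests & replies:
        return "requests leave br-ex but no replies come back"
    return "replies from the gateway seen on br-ex"

# Constructed capture lines (MACs, ids and timestamps are made up).
HDR = "fa:16:3e:00:00:01 > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 98: "
NO_REPLY = "\n".join(
    f"10:00:0{s}.000001 {HDR}192.168.20.91 > 192.168.20.1: "
    f"ICMP echo request, id 300, seq {s}, length 64" for s in range(3)
)
NOT_NATED = NO_REPLY.replace("192.168.20.91 >", "10.0.0.3 >")

if __name__ == "__main__":
    print(classify(NO_REPLY, "192.168.20.1"))
    print(classify(NOT_NATED, "192.168.20.1"))
```

The MAC pair printed by `-e` also shows which interface sent each frame, which helps tell the router port from the physical NIC when both sit on br-ex.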