0

TCP/SSH not working with VM

asked 2015-03-07 04:02:54 -0500

VenkatSwamy

I have a three node Juno installation, 1 controller/neutron node, 2 compute nodes. I cannot SSH/TCP to VM. Following things are working fine:

1) Ping from both internal and external network to VM
2) SSH from host machines to VM
3) SSH from VM to external machine
4) TCP or HTTP from VM to external machine
5) UDP traffic from both internal and external network to VM

However whenever I try to make TCP connection or do SSH/HTTP connection to VM from external world, the TCP connection gets broken. I have created a security group with following parameters for the VM, which means all traffic allowed:

Rule: “Other Protocol”
Direction: Ingress
IP Protocol: -1
Remote: CIDR
CIDR: 0.0.0.0/0

The behaviour that I have observed is that the TCP connection gets successful first but immediately then an out-of-order TCP acknowledgement comes from external gateway IP (IP allocated to br-ex on neutron node) which causes the reset of the TCP connection.

Also I tried changing the MTU size from standard 1454 (dhcp-option-force=26,1454) to 1400 as suggested in some of the solutions for similar problem, but changing to 1400 also did not help.

This is happening with both the sample Cirros OS and the Ubuntu Trusty image used for VM instantiation.

Kindly suggest what is the issue in my configuration and help resolve this issue. I cannot attach files as this is my first query on this list and do not have enough points to upload files.


Comments

I would like you to upload somewhere tcpdump -vv -i eth0 ,running inside VM and capturing packets in connection/"connection failure" time frame

dbaxps ( 2015-03-07 23:09:19 -0500 )

3 answers

0

answered 2015-03-08 03:45:52 -0500

dbaxps

Using field as comment
You wrote :

However whenever I try to make TCP connection or do SSH/HTTP connection to VM from external world, the TCP connection gets broken. I have created a security group with following parameters for the VM, which mean all traffic allowed: Rule : “Other Protocol” Direction: Ingress Ip Protocol : -1 Remote: CIDR CIDR: 0.0.0.0/0

Please, just for test change security group. Remove your rules and allow only Ingress TCP port 22 (ssh) and Ingress Custom ICMP rule (-1,-1) and nothing else

0

answered 2015-03-08 03:02:54 -0500

VenkatSwamy

updated 2015-03-08 04:12:20 -0500

Hi Boris, please find below the requested information

LOGS AT Client machine from where ssh is being tried:

$ ssh -v -i demo-kp-new.pem ubuntu@172.16.104.53

OpenSSH_5.8p1, OpenSSL 0.9.8r 8 Feb 2011

debug1: Connecting to 172.16.104.53 [172.16.104.53] port 22.

debug1: Connection established.

debug1: identity file demo-kp-new.pem type -1

debug1: identity file demo-kp-new.pem-cert type -1

tcpdump at VM running on 20.0.0.103, having floating IP 172.16.104.53

ubuntu@demo-new:~$ sudo tcpdump -vv -ln -i eth0|grep 10.203.147.172

sudo: unable to resolve host demo-new

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

10.203.147.172.64188 > 20.0.0.103.22: Flags [S], cksum 0x645c (correct), seq 2389692059, win 65535, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0

20.0.0.103.22 > 10.203.147.172.64188: Flags [S.], cksum 0xb304 (incorrect -> 0x0ebe), seq 3914464745, ack 2389692060, win 28280, options [mss 1414,nop,nop,sackOK,nop,wscale 7], length 0

10.203.147.172.64188 > 20.0.0.103.22: Flags [.], cksum 0xbdda (correct), seq 1, ack 1, win 65535, length 0

20.0.0.103.22 > 10.203.147.172.64188: Flags [P.], cksum 0xb321 (incorrect -> 0x97a6), seq 1:42, ack 1, win 221, length 41

10.203.147.172.64188 > 20.0.0.103.22: Flags [R], cksum 0x4817 (correct), seq 2389692060, win 0, length 0

^C26 packets captured

28 packets received by filter

0 packets dropped by kernel

ubuntu@demo-new:~$

tcpdump at neutron node, 172.16.104.26 being the IP allocated to br-ex and gateway to external network.

root@controller-neutron:~# tcpdump -vv -ln -i br-ex|grep 172.16.104.53

tcpdump: listening on br-ex, link-type EN10MB (Ethernet), capture size 65535 bytes

172.16.104.53.22 > 10.203.147.172.64188: Flags [S.], cksum 0x0edf (correct), seq 3914464745, ack 2389692060, win 28280, options [mss 1414,nop,nop,sackOK,nop,wscale 7], length 0

172.16.104.26 > 172.16.104.53: ICMP redirect 10.203.147.172 to host 172.16.104.1, length 60

172.16.104.53.22 > 10.203.147.172.64188: Flags [S.], cksum 0x0edf (correct), seq 3914464745, ack 2389692060, win 28280, options [mss 1414,nop,nop,sackOK,nop,wscale 7], length 0

172.16.104.53.22 > 10.203.147.172.64188: Flags [S.], cksum 0x0edf (correct), seq 3914464745, ack 2389692060, win 28280, options [mss 1414,nop,nop,sackOK,nop,wscale 7], length 0

172.16.104.53.22 > 10.203.147.172.64188: Flags [P.], cksum 0x97c7 (correct), seq 1:42, ack 1, win 221, length 41

10.203.147.172.64188 > 172.16.104.53.22: Flags [R], cksum 0x4838 (correct), seq 2389692060, win 0, length 0

172.16.104.53.22 > 172.16.104.26.43110: Flags [P.], cksum 0xddb0 (correct), seq 2157221855:2157222691, ack 2371199779, win 307, options [nop,nop,TS val 336465 ecr 516159842], length 836 ...

Comments

Could you do me a favor to format text via button with "numbers" in toolbar above the text area ?
I can format only your questions , but not answers ;)

dbaxps ( 2015-03-08 03:21:04 -0500 )

Please, update your security rules as asked below in my answer field.

dbaxps ( 2015-03-08 04:18:34 -0500 )

I did that, but same behavior as earlier. I removed the egress rules and kept only ingress as per your recommendations. There seems to be some issue of MTU and retransmission in Juno GRE tunneling as faced by others as well.

VenkatSwamy ( 2015-03-08 05:07:43 -0500 )

I tried the solutions mentioned by this link: http://www.gossamer-threads.com/lists/openstack/dev/43980, but this also didn't work.

VenkatSwamy ( 2015-03-08 05:09:50 -0500 )

Juno works fine with VXLAN tunnels. Switch to VXLAN is not a problem. What GRE features are important to you?

dbaxps ( 2015-03-08 05:23:49 -0500 )
0

answered 2015-03-19 10:30:30 -0500

JICarretero

updated 2015-03-20 01:57:30 -0500

The problem is the MTU. Inside the VM (maybe you can use the console to log in) you can set the mtu of the instance to 1400. So, to correct this problem in the living instance you have to lower the mtu.

 sudo ip link set eth0  mtu 1400

In your neutron controller, you must configure your dhcp_agent.ini

[DEFAULT]
....
dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf

And

echo "dhcp-option-force=26,1400" >> /etc/neutron/dnsmasq-neutron.conf

Restart the neutron-server, neutron-dhcp-agent and the instances you create from this moment on will be accessible using ssh. And the existing instances will need a reboot.
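
A way to read the br-ex capture posted earlier in this thread mechanically, added here as an example (not code from any poster): it counts repeated segments, records ICMP redirects, flags a reset that follows payload, and derives the sender's interface MTU from the MSS in the SYN-ACK. The function and field names are hypothetical, the input lines are the thread's own capture with the line-wrap damage repaired, and the MTU figure assumes IPv4 with 20-byte IP and TCP headers.

```python
import re
from collections import Counter

# Lines taken from the br-ex capture in this thread (line-wrap damage repaired).
SYNACK = ("172.16.104.53.22 > 10.203.147.172.64188: Flags [S.], cksum 0x0edf (correct), "
          "seq 3914464745, ack 2389692060, win 28280, "
          "options [mss 1414,nop,nop,sackOK,nop,wscale 7], length 0")
CAPTURE = [
    SYNACK,
    "172.16.104.26 > 172.16.104.53: ICMP redirect 10.203.147.172 to host 172.16.104.1, length 60",
    SYNACK,
    SYNACK,
    "172.16.104.53.22 > 10.203.147.172.64188: Flags [P.], cksum 0x97c7 (correct), "
    "seq 1:42, ack 1, win 221, length 41",
    "10.203.147.172.64188 > 172.16.104.53.22: Flags [R], cksum 0x4838 (correct), "
    "seq 2389692060, win 0, length 0",
]

TCP_RE = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\]"
                    r".*?seq (?P<seq>\d+(?::\d+)?).*?length (?P<len>\d+)")
ICMP_RE = re.compile(r"^(\S+) > \S+: ICMP redirect \S+ to host (\S+),")
MSS_RE = re.compile(r"\bmss (\d+)")

def analyze(lines):
    """Summarise handshake symptoms from `tcpdump -vv -ln` text lines."""
    copies = Counter()        # how often each identical segment was seen
    data_sent_to = set()      # endpoints that were sent payload bytes
    report = {"mss": None, "implied_mtu": None, "redirects": [],
              "max_copies": 0, "reset_after_data": False}
    for line in lines:
        icmp = ICMP_RE.match(line)
        if icmp:  # (router that sent the redirect, gateway it points to)
            report["redirects"].append((icmp.group(1), icmp.group(2)))
            continue
        tcp = TCP_RE.match(line)
        if not tcp:
            continue
        src, dst, flags = tcp["src"], tcp["dst"], tcp["flags"]
        copies[(src, dst, flags, tcp["seq"])] += 1
        mss = MSS_RE.search(line)
        if flags == "S." and mss:
            report["mss"] = int(mss.group(1))
            # Assumption: MSS = MTU - 40 (IPv4 20 bytes + TCP 20 bytes).
            report["implied_mtu"] = report["mss"] + 40
        if int(tcp["len"]) > 0:
            data_sent_to.add(dst)
        if "R" in flags and src in data_sent_to:
            report["reset_after_data"] = True
    report["max_copies"] = max(copies.values(), default=0)
    return report
```

The implied MTU of 1454 matches the `dhcp-option-force=26,1454` value mentioned in the question; under the same assumption, an instance whose interface is actually at 1400 would advertise `mss 1360` in its SYN-ACK, which gives a quick check that the change took effect.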


Stats

Asked: 2015-03-07 04:02:54 -0500

Seen: 1,014 times

Last updated: Mar 20 '15