Ask Your Question
1

Instance cannot connect to external network

asked 2015-04-15 05:04:03 -0500

tjiagoM gravatar image

updated 2015-04-21 05:19:50 -0500

Hello,

I am following this http://docs.openstack.org/juno/install-guide/install/apt/content/launch-instance-neutron.html (official tutorial)

I am in the part where I should check the external network connection and I have this:

$ ping -c 4 openstack.org
ping: bad address 'openstack.org'
$ ping -c 4 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

I cannot edit /etc/resolv.conf because it seems CirrOS doesn't have package manager nor any kind of text editor...

I can ping the router with the internal IP (192.168.1.1) and external IP (192.168.102.230), but I cannot ping the other IPs I already mentioned.

Here it is my network topology: http://imgur.com/vOUt3rz

How can I solve this? As I am following an official tutorial shouldn't the instance already have these issues solved?

---- UPDATE ---

Here there are some outputs:

# neutron router-show demo-router
+-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                 | Value                                                                                                                                                                                       |
+-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                                                                                                                        |
| distributed           | False                                                                                                                                                                                       |
| external_gateway_info | {"network_id": "6db14247-e65d-4ebd-81dc-c914188d809b", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "5272a1b6-7d77-4b3b-94dd-9ae5edfc3106", "ip_address": "192.168.102.230"}]} |
| ha                    | False                                                                                                                                                                                       |
| id                    | 839f7340-2b30-4ae3-ad97-38dbeeeff5f7                                                                                                                                                        |
| name                  | demo-router                                                                                                                                                                                 |
| routes                |                                                                                                                                                                                             |
| status                | ACTIVE                                                                                                                                                                                      |
| tenant_id             | c52dc6f7c1c04f9ca6f22d00ce811d19                                                                                                                                                            |
+-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

And next:

# neutron subnet-show ext-subnet
+-------------------+--------------------------------------------------------+
| Field             | Value                                                  |
+-------------------+--------------------------------------------------------+
| allocation_pools  | {"start": "192.168.102.230", "end": "192.168.102.240"} |
| cidr              | 192.168.102.0/24                                       |
| dns_nameservers   |                                                        |
| enable_dhcp       | False                                                  |
| gateway_ip        | 192.168.102.254                                        |
| host_routes       |                                                        |
| id                | 5272a1b6-7d77-4b3b-94dd-9ae5edfc3106                   |
| ip_version        | 4                                                      |
| ipv6_address_mode |                                                        |
| ipv6_ra_mode      |                                                        |
| name              | ext-subnet                                             |
| network_id        | 6db14247-e65d-4ebd-81dc-c914188d809b                   |
| tenant_id         | c52dc6f7c1c04f9ca6f22d00ce811d19                       |
+-------------------+--------------------------------------------------------+

--- UPDATE 2 ----

Output of ovs-vsctl show:

Bridge "br-eth1"
    Port "phy-br-eth1"
        Interface "phy-br-eth1"
            type: patch
            options: {peer="int-br-eth1"}
    Port "eth1"
        Interface "eth1"
    Port "br-eth1"
        Interface "br-eth1"
            type: internal
Bridge br-int
    fail_mode: secure
    Port patch-tun
        Interface patch-tun
            type: patch
            options: {peer=patch-int}
    Port "tap950d8019-fa"
        Interface "tap950d8019-fa"
            type: internal
    Port "qr-d72ce566-06"
        Interface "qr-d72ce566-06"
            type: internal
    Port "qvod8719add-76"
        Interface "qvod8719add-76"
    Port "qvo341d5b86-4d"
        Interface "qvo341d5b86-4d"
    Port br-int
        Interface br-int
            type: internal
    Port int-br-ex
        Interface int-br-ex
            type: patch
            options: {peer=phy-br-ex}
    Port "int-br-eth1"
        Interface "int-br-eth1"
            type: patch
            options: {peer="phy-br-eth1"}
Bridge br-tun
    Port br-tun
        Interface br-tun
            type: internal
    Port patch-int
        Interface patch-int
            type: patch
            options: {peer=patch-tun}
Bridge br-ex
    Port br-ex
        Interface br-ex
            type: internal
    Port "qg-0aa518a3-3e"
        Interface "qg-0aa518a3-3e"
            type: internal
    Port "eth0"
        Interface "eth0"
    Port phy-br-ex
        Interface phy-br-ex
            type: patch
            options: {peer=int-br-ex}
ovs_version: "2.0.2"

Output of cat /etc/neutron/neutron.conf:

[DEFAULT]
#core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
core_plugin = ml12
notification_driver=neutron.openstack.common.notifier.rpc_notifier
verbose=True
rpc_backend = rabbit
rabbit_host = 192.168.102.208
rabbit_password = rabbit
#service_plugins=neutron.services.l3_router.l3_router_plugin.L3RouterPlugin
service_plugins = router
allow_overlapping_ips = True
auth_strategy=keystone
neutron_metadata_proxy_shared_secret=openstack
service_neutron_metadata_proxy=True
nova_admin_password=nova_pass
notify_nova_on_port_data_changes=True
notify_nova_on_port_status_changes=True
nova_admin_auth_url=http://192.168.102.208:35357/v2.0
nova_admin_tenant_id=service
nova_url=http://192.168.102.208:8774/v2
nova_admin_username=nova


[keystone_authtoken]
#auth_host = 192.168.102.208
#auth_port = 35357
#auth_protocol = http
auth_uri = http://192.168.102.208:5000/v2.0
identity_uri = http://192.168.102.208:35357
admin_tenant_name = service
admin_user = neutron
admin_password = neutron_pass
signing_dir = $state_path/keystone-signing

notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
nova_url = http://192.168.102.208:8774
nova_admin_username ...
(more)
edit retag flag offensive close merge delete

Comments

Did you use a real GW when creating the external subnet? See here

Antonio G. gravatar imageAntonio G. ( 2015-04-15 07:38:48 -0500 )edit
1

1.When you created private subnet on which CirrOS VM is running , did you define IP of DNS Server of local ISP ?
2. From within VM run :- $ curl http://169.254.169.254/latest/meta-data

dbaxps gravatar imagedbaxps ( 2015-04-15 07:43:55 -0500 )edit

You are not supposed to run any route add ... from within VM. It should work automatically after log into VM.

dbaxps gravatar imagedbaxps ( 2015-04-15 07:47:03 -0500 )edit

Output from the following two commands would be helpful

neutron router-show demo-router

neutron subnet-show ext-subnet
jjulien gravatar imagejjulien ( 2015-04-15 08:49:55 -0500 )edit

@Antonio G., I followed the link you gave, so I used the gateway of the real network. @dbaxps, I cannot edit /etc/resolv.conf so I didn't define any IP of DNS. I know I'm not supposed to run any "route", however, it didn't come automatically... @jjulien, I will edit my question with the outputs.

tjiagoM gravatar imagetjiagoM ( 2015-04-15 16:40:29 -0500 )edit

7 answers

Sort by ยป oldest newest most voted
0

answered 2015-06-30 03:13:47 -0500

abhishek-talwar gravatar image

Hi,

I am facing the same issue did we get any solution for this issue ?

edit flag offensive delete link more

Comments

I could not found a suitable solution. I abandoned the idea of having OpenStack running directly in a single physical node.

tjiagoM gravatar imagetjiagoM ( 2015-07-02 12:11:52 -0500 )edit

Having similar issues ... installing an all-in-one packstack in a virtualbox is a no go when trying to connect from cirros to anything outside the virtualbox environment. Tried so many suggestions and still pulling my hair. There is no proper documentation on troubleshooting neutron issues

ga_acad gravatar imagega_acad ( 2015-10-20 04:28:11 -0500 )edit

Hey tjiagoM , If you have still the single physical node openstack setup , you can try this script , You need to set up the ovs bridge correctly.

Mohit gravatar imageMohit ( 2016-02-01 19:29:36 -0500 )edit
0

answered 2016-02-01 03:17:04 -0500

Aidaho gravatar image

You forgot

ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
edit flag offensive delete link more
0

answered 2015-08-06 11:33:20 -0500

Tenma gravatar image

You may need assign the ip of eth* (external network) to br-ex

edit flag offensive delete link more
0

answered 2015-04-17 19:13:52 -0500

tjiagoM gravatar image

updated 2015-04-17 19:18:16 -0500

Hello, I have just tried the following: In a computer in the external network (192.168.102.227) and in my host server I executed the following command:

sudo tcpdump -i any -n -v \ 'icmp[icmptype] = icmp-echoreply or icmp[icmptype] =icmp-echo'

In .102.227 I see two main messages (with some tests now my instance IP ends with .1.6):

01:03:41.929464 IP (tos 0x0, ttl 63, id 23514, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.1.6 > 192.168.102.227: ICMP echo request, id 26881, seq 0, length 64

01:03:41.929484 IP (tos 0x0, ttl 64, id 52031, offset 0, flags [none], proto ICMP (1), length 84)
192.168.102.227 > 192.168.1.6: ICMP echo reply, id 26881, seq 0, length 64

However, in my host, I only see the path 192.168.1.6 > 192.168.102.227. So, actually, my instance CAN connect to external network!! But not the other way around.

I think that's because in .102.227 he tries to answer the ping with a packet to .1.6 but, of course, there is no route for that (as it is a private network) and not even the host receives that ping answer.

In the meantime I also configured a floating IP for my instance, but it seems not with that is working...

$ nova list
+--------------------------------------+----------------+--------+------------+-------------+---------------------------------------+
| ID                                   | Name           | Status | Task State | Power State | Networks                              |
+--------------------------------------+----------------+--------+------------+-------------+---------------------------------------+
| 4a960a1d-d3d5-4f73-86fc-827efa94230d | demo-instance1 | ACTIVE | -          | Running     | demo-net=192.168.1.6, 192.168.102.231 |

:

$ neutron floatingip-list
+--------------------------------------+------------------+---------------------+--------------------------------------+
| id                                   | fixed_ip_address | floating_ip_address | port_id                              |
+--------------------------------------+------------------+---------------------+--------------------------------------+
| 7038502d-7c6a-4976-aaf9-b48f23deb180 | 192.168.1.6      | 192.168.102.231     | d8719add-76f5-4efd-91fe-77ccfa99c127 |
+--------------------------------------+------------------+---------------------+--------------------------------------+

:

$ neutron router-port-list demo-router
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------------------+
| id                                   | name | mac_address       | fixed_ips                                                                              |
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------------------+
| 0aa518a3-3efb-4373-9bdf-2ef195b6d3e6 |      | fa:16:3e:fe:2e:f8 | {"subnet_id": "5272a1b6-7d77-4b3b-94dd-9ae5edfc3106", "ip_address": "192.168.102.230"} |
| d72ce566-06a5-4fcd-9421-c85d9f9a87ce |      | fa:16:3e:53:04:c5 | {"subnet_id": "7857decc-dc25-4372-8072-1d3e34a07724", "ip_address": "192.168.1.1"}     |
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------------------+

So, my router is not making real NAT, right? Any idea how can I configure this? :(

edit flag offensive delete link more
0

answered 2015-04-15 22:34:07 -0500

dodi gravatar image

Did you check whether your external network has access to internet? On your ext-subnet you need to configure your DNS nameserver in order to resolve publicly available websites.

edit flag offensive delete link more

Comments

in addition make sure that the network that your virtual instance belongs to has a port to the router which has a connection to your ext-subnet. It seems you do not have the port connected to your router considering your vm instance did not have a default gw automatically created.

dodi gravatar imagedodi ( 2015-04-15 22:36:11 -0500 )edit

Yes, the computers in the external network have access to the internet. I don't only have a DNS problem: as I wrote, I cannot ping 8.8.8.8 or other IPs in the external network. So, resolve DNS will not solve this problem (and as I said, I didn't find a way to edit that in CirrOS)

tjiagoM gravatar imagetjiagoM ( 2015-04-17 16:53:21 -0500 )edit

@dodi, sorry but I don't know how to do that thing you said about the ports. Could you please tell me what are the commands I should use? I remember that in my instance I can ping the router with both external and internal IP.

tjiagoM gravatar imagetjiagoM ( 2015-04-17 16:55:12 -0500 )edit

One more thing. Now I do not have to manually add the route as I wrote in the question (it was another problem https://ask.openstack.org/en/question/65117/cirros-without-default-ipv4/ (here)). I will update the question removing that step.

tjiagoM gravatar imagetjiagoM ( 2015-04-17 17:03:16 -0500 )edit

@tjiagoM - If this is Openstack Juno, I am seeing you have added an ip address to your br-ex, its not the case anymore in Juno, try not to assign an external ip to your br-ex and restart the neutron services and openvswith that should do it. Let's hope :) and let me know the results.

dodi gravatar imagedodi ( 2015-04-18 12:27:29 -0500 )edit
0

answered 2016-10-18 18:13:33 -0500

aegiacometti gravatar image

If you are seen duplicated packets it is because you are a loop in the network, and if you are running openstack on VM, it is most likely that the loop is a software generated, not in you physical network. When you send a brodcast packet (arp/dhcp), the packet get restransmited over all ports, physical and virtual. In VMware i had to set the vswitch ports to use promiscous mode for the VM, with two uplink. The second uplink generate a loop just for broadcast packets. This generates update in the bridge/mac/portID table, wich you dont wont. Example: if you follow the broadcast packet (tcpdump -i at every involved interface, bridge and tap), you will see it first in the TAP/PortID=1, then at the Bridge going out, then it will enter again the same packet, so the bridge will assoiate the MAC to the PortID2, then you will see the actual reply wich will be redirected to PortID2, and your VM was on PortID1.

On the next brodcast it will repeat, so your VM MAC will be jumping from portID1 to 2. As the packets flow, but it will never gets to the VM, because at that moment, the MAC will be associated to the wrong port.

Check the vswitch, it has to has only one external port.

Another way to check, is by ussing the command brctl showmac (ml2)

hope it helps

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

3 followers

Stats

Asked: 2015-04-15 05:04:03 -0500

Seen: 6,858 times

Last updated: Feb 01 '16