1

Traffic Not Reaching TAP Interface

asked 2015-06-23 09:06:56 -0600

bradnold

updated 2015-06-23 12:03:19 -0600

My instances are able to communicate to the network external to OpenStack.

However, I am unable to communicate to my instances via their floating IP.

Upon running tcpdump on multiple points in the connection path I see that the ICMP echo request gets through all portions of the connection up until the TAP connected to my instance. Once I run a tcpdump on the TAP interface, I am no longer able to see the traffic.

Any ideas what could be preventing traffic from getting from the bridge to the tap interface?

What should I be checking? The default firewall rules seem to allow ICMP traffic from any device to any other device.

As per request:

sudo ovs-vsctl show
cb3540c7-517a-4c60-a1d4-ec7925fa7435
    Bridge br-int
        fail_mode: secure
        Port "tap7d5663b9-9b"
            tag: 1
            Interface "tap7d5663b9-9b"
                type: internal
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
        Port br-int
            Interface br-int
                type: internal
        Port "qg-2f1806e4-ca"
            tag: 2
            Interface "qg-2f1806e4-ca"
                type: internal
        Port int-br-ex
            Interface int-br-ex
                type: patch
                options: {peer=phy-br-ex}
        Port "qr-ad4ec613-f1"
            tag: 1
            Interface "qr-ad4ec613-f1"
                type: internal
    Bridge br-ex
        Port phy-br-ex
            Interface phy-br-ex
                type: patch
                options: {peer=int-br-ex}
        Port "em1"
            Interface "em1"
        Port br-ex
            Interface br-ex
                type: internal
    Bridge br-tun
        fail_mode: secure
        Port br-tun
            Interface br-tun
                type: internal
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
        Port "gre-ac100002"
            Interface "gre-ac100002"
                type: gre
                options: {df_default="true", in_key=flow, local_ip="172.16.0.1", out_key=flow, remote_ip="172.16.0.2"}
    ovs_version: "2.3.1"

and ifconfig

ifconfig -a
br-ex     Link encap:Ethernet  HWaddr b0:83:fe:d7:54:e1
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:72178 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4330812 (4.3 MB)  TX bytes:0 (0.0 B)

br-int    Link encap:Ethernet  HWaddr 9a:83:15:33:90:47
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:72258 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4337354 (4.3 MB)  TX bytes:0 (0.0 B)

br-tun    Link encap:Ethernet  HWaddr d2:40:d2:f4:52:40
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

em1       Link encap:Ethernet  HWaddr b0:83:fe:d7:54:e1
          inet6 addr: fe80::b283:feff:fed7:54e1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:75086 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5321 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4880981 (4.8 MB)  TX bytes:246790 (246.7 KB)
          Interrupt:40 Memory:95000000-957fffff

em2       Link encap:Ethernet  HWaddr b0:83:fe:d7:54:e3
          inet6 addr: fe80::b283:feff:fed7:54e3/64 Scope:Link
          UP ...

Comments

You state that on both ends of veth-pair (qvo-xxxxx, qvb-xxxxxx) tcpdump is OK. Am I correct?
Please post ovs-vsctl show && ifconfig on Network Node as UPDATE to question.

dbaxps ( 2015-06-23 10:17:52 -0600 )

2 answers

1

answered 2015-06-23 10:55:54 -0600

mpetason

Delete all of the default rules. Add three new rule sets: All ICMP/ALL TCP/ALL UDP. Allow it from 0.0.0.0. Afterwards, test again. If you are still running into issues, please look into what DBaxps posted.


Comments

Hey mpetason, why would the default rules now allow this traffic? I see the default is supposed to allow "Any" traffic on IP Protocol using "Any" port for IPv4 and IPv6 ingress and egress.

bradnold ( 2015-06-23 12:11:12 -0600 )
1

http://docs.openstack.org/openstack-o...

All projects have a "default" security group, which is applied to instances that have no other security group defined. Unless changed, this security group denies all incoming traffic.
mpetason ( 2015-06-23 12:23:55 -0600 )

That's very strange because I would assume from the UI that this default security group actually allows everything. Is this a known bug or confusing aspect that should be fixed or am I just reading/understanding output incorrectly? http://i.imgur.com/FQTlV8e.png

bradnold ( 2015-06-23 12:31:46 -0600 )
2

They only allow everything from other VMs (ports to be precise) that are also in the security group named "default" - that is what the "Remote Security Group" column means. Yep, it's confusing. Anyway, you will need to add a rule to allow ICMP from some CIDR.

darragh-oreilly ( 2015-06-23 12:56:30 -0600 )

This solution worked. I had to add a bunch of new security rules under my specific project to allow TCP/UDP and ICMP. Here's a screenshot of the result http://i.imgur.com/WM6cFeX.png. Are these essentially just defining NAT rules to pass traffic in from floating to private IP?

bradnold ( 2015-06-23 13:39:31 -0600 )
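The behaviour darragh-oreilly describes, as an added example that is not part of the original thread or OpenStack's own code: a simplified Python model of security-group ingress evaluation, showing why rules scoped to "Remote Security Group: default" drop a ping from an outside client while admitting peers in the same group. The rule fields, addresses and the `ingress_allowed` / `externally_open` helpers are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str                      # "ingress" or "egress"
    ethertype: str                      # "IPv4" or "IPv6"
    protocol: Optional[str] = None      # None matches any protocol
    remote_group: Optional[str] = None  # source must be a port in this group
    remote_cidr: Optional[str] = None   # source must be inside this CIDR

def ingress_allowed(rules, group_members, src_ip, protocol):
    """Default deny: True only if some ingress rule admits this source."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.direction != "ingress" or r.ethertype != f"IPv{src.version}":
            continue
        if r.protocol not in (None, protocol):
            continue
        if r.remote_group is not None:
            # Group-scoped rule: only addresses of member ports match.
            if src_ip in group_members.get(r.remote_group, set()):
                return True
            continue
        if r.remote_cidr is None or src in ipaddress.ip_network(r.remote_cidr):
            return True
    return False

def externally_open(rules):
    """Ingress rules not limited to a remote group (audit view)."""
    return [r for r in rules if r.direction == "ingress" and r.remote_group is None]

# Constructed sample data (not taken from the poster's deployment).
DEFAULT_RULES = [
    Rule("ingress", "IPv4", remote_group="default"),
    Rule("ingress", "IPv6", remote_group="default"),
    Rule("egress", "IPv4"),
    Rule("egress", "IPv6"),
]
MEMBERS = {"default": {"10.0.0.5", "10.0.0.6"}}  # fixed IPs of ports in the group
EXTERNAL = "203.0.113.10"                        # documentation-range client
FIXED_RULES = DEFAULT_RULES + [Rule("ingress", "IPv4", "icmp", remote_cidr="0.0.0.0/0")]

if __name__ == "__main__":
    print("default, external ping:", ingress_allowed(DEFAULT_RULES, MEMBERS, EXTERNAL, "icmp"))
    print("default, peer VM ping: ", ingress_allowed(DEFAULT_RULES, MEMBERS, "10.0.0.6", "icmp"))
    print("fixed, external ping:  ", ingress_allowed(FIXED_RULES, MEMBERS, EXTERNAL, "icmp"))
    print("fixed, external tcp:   ", ingress_allowed(FIXED_RULES, MEMBERS, EXTERNAL, "tcp"))
```

`externally_open` doubles as a quick audit: every rule it returns is reachable from outside the group, so its protocol and CIDR should be as narrow as the use case allows.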
0

answered 2015-06-23 12:44:53 -0600

dbaxps

updated 2015-06-23 12:51:38 -0600

Per your report:

ifconfig -a
br-ex     Link encap:Ethernet  HWaddr b0:83:fe:d7:54:e1
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:72178 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4330812 (4.3 MB)  TX bytes:0 (0.0 B)
. . . . . 

em1       Link encap:Ethernet  HWaddr b0:83:fe:d7:54:e1
          inet6 addr: fe80::b283:feff:fed7:54e1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:75086 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5321 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4880981 (4.8 MB)  TX bytes:246790 (246.7 KB)
          Interrupt:40 Memory:95000000-957fffff

At the same time

Bridge br-ex
    Port phy-br-ex
        Interface phy-br-ex
            type: patch
            options: {peer=int-br-ex}
    Port "em1"
        Interface "em1"

You have an OVS bridge br-ex and OVS port em1 misconfiguration.
For RH, see samples of /etc/sysconfig/network-scripts/ifcfg-br-ex && ifcfg-em1, for instance, here:
http://bderzhavets.blogspot.com/2015/...
For Ubuntu as base OS, samples of network configuration files are here:
https://ask.openstack.org/en/question...


Stats

Asked: 2015-06-23 09:06:56 -0600

Seen: 1,574 times

Last updated: Jun 23 '15