HTTPS not working to Instance using FloatingIP

asked 2015-07-02 12:32:27 -0500

JD Hallen

updated 2015-07-09 09:31:35 -0500

SGPJ

I actually have two networking problems, but the more pressing one first: From an outside node, or the Controller node for that matter, I cannot access any HTTPS ports on my instances.

Configuration: 3-node (Controller, Network, Compute) Ubuntu Juno OpenStack. This was installed using the default, manual install with Neutron networking as documented on the docs.openstack.org website. No errors in logs, Cirros instance launches with full SSH access. CentOS7 instance launches with SSH working until I try a "large" output (ls -al of a big directory hangs about 20 lines in [i.e., the second network problem]). F5 Networks BIG-IP VE instance launches with SSH working until I try a "large" output. Both the CentOS7 and the BIGIP keep running, and I have full console access at all times. No errors reported in either instance log files. All nodes get all their DHCP assigned IPs. 'Default' security group setup like so:

    # nova secgroup-list-rules default
    +-------------+-----------+---------+-----------+--------------+
    | IP Protocol | From Port | To Port | IP Range  | Source Group |
    +-------------+-----------+---------+-----------+--------------+
    |             |           |         |           | default      | 
    | tcp         | 22        | 22      | 0.0.0.0/0 |              |
    | tcp         | 443       | 443     | 0.0.0.0/0 |              |
    |             |           |         |           | default      | 
    | icmp        | -1        | -1      | 0.0.0.0/0 |              |
    | tcp         | 80        | 80      | 0.0.0.0/0 |              |
    +-------------+-----------+---------+-----------+--------------+

When I do a tcpdump from the BIGIP node, I can see the HTTPS packets coming in, and a response going out. If I create a mirror port on the 'br-int' bridge on the compute node, I just see the responses going out to my client, but no requests coming in?!? That doesn't seem right!

    11:25:38.966302 IP6 fe80::bc29:bff:fe04:e7d5 > ip6-allrouters: ICMP6, router solicitation, length 16
    11:25:39.231659 IP 10.10.10.10.ssh > 10.147.95.128.57127: Flags [P.], seq 2501911056:2501911092, ack 4236512516, win 241, options [nop,nop,TS val 81901769 ecr 275729760], length 36
    11:25:42.974288 IP6 fe80::bc29:bff:fe04:e7d5 > ip6-allrouters: ICMP6, router solicitation, length 16
    11:25:49.236382 IP 10.10.10.10.ssh > 10.147.95.128.57127: Flags [P.], seq 36:72, ack 53, win 241, options [nop,nop,TS val 81911774 ecr 275739723], length 36
    11:25:51.810641 IP 10.10.10.8.https > 10.147.95.128.63978: Flags [S.], seq 1016497018, ack 1398343447, win 14480, options [mss 1460,sackOK,TS val 242030834 ecr 275742177,nop,wscale 7], length 0
    11:25:51.813968 IP 10.10.10.8.https > 10.147.95.128.63978: Flags [.], ack 211, win 122, options [nop,nop,TS val 242030838 ecr 275742190], length 0
    11:25:51.832698 IP 10.10.10.8.https > 10.147.95.128.63978: Flags [.], seq 1:1449, ack 211, win 122, options [nop,nop,TS val 242030857 ecr 275742190], length 1448
    11:25:51.832743 IP 10.10.10.8.https > 10.147.95.128.63978: Flags [P.], seq 1449:1654, ack 211, win 122, options [nop,nop,TS val 242030857 ecr 275742190], length 205
    11:25:52 ...

1 answer


answered 2015-07-14 16:21:02 -0500

JD Hallen

Found the fix myself: MTU was set too high and causing packets to be dropped. The node was trying to exchange SSL keys, but since it was 50 bytes over the MTU limit, the packets were getting dropped on the other end of the GRE tunnel. Once I set the MTU for the network interface down to 1450 on the instances, everything worked correctly!

Cheers, JD


Comments

Thanks for posting

SGPJ (2015-07-14 23:02:20 -0500)
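
The size check behind the accepted answer, as an added example that is not part of the original post or of OpenStack: it rebuilds each IPv4 packet's size from the tcpdump fields in the question's capture and flags anything larger than the 1450-byte MTU the answer settled on. The function names are hypothetical, and a 20-byte IPv4 header with no IP options is assumed.

```python
import re

# TCP option sizes in bytes, keyed by the name tcpdump prints.
OPTION_BYTES = {"mss": 4, "sackOK": 2, "TS": 10, "nop": 1, "wscale": 3, "eol": 1}
IP_TCP_HEADERS = 40  # assumption: 20-byte IPv4 header (no IP options) + 20-byte TCP header

# Four lines copied from the capture in the question (HTML line breaks removed).
CAPTURE = [
    "11:25:38.966302 IP6 fe80::bc29:bff:fe04:e7d5 > ip6-allrouters: ICMP6, router solicitation, length 16",
    "11:25:51.810641 IP 10.10.10.8.https > 10.147.95.128.63978: Flags [S.], seq 1016497018, ack 1398343447, win 14480, options [mss 1460,sackOK,TS val 242030834 ecr 275742177,nop,wscale 7], length 0",
    "11:25:51.832698 IP 10.10.10.8.https > 10.147.95.128.63978: Flags [.], seq 1:1449, ack 211, win 122, options [nop,nop,TS val 242030857 ecr 275742190], length 1448",
    "11:25:51.832743 IP 10.10.10.8.https > 10.147.95.128.63978: Flags [P.], seq 1449:1654, ack 211, win 122, options [nop,nop,TS val 242030857 ecr 275742190], length 205",
]

def ip_packet_size(line):
    """IPv4 packet size implied by a tcpdump TCP line, or None for other lines."""
    if " IP " not in line or "Flags [" not in line:
        return None
    payload = re.search(r"length (\d+)\s*$", line)
    if payload is None:
        return None
    opts = re.search(r"options \[([^\]]*)\]", line)
    opt_bytes = 0
    for token in (opts.group(1).split(",") if opts else []):
        words = token.split()
        if words and words[0] == "sack" and len(words) > 1:
            opt_bytes += 2 + 8 * int(words[1])  # "sack N {...}": 8 bytes per block
        elif words:
            opt_bytes += OPTION_BYTES.get(words[0], 0)  # unknown options count as 0
    return IP_TCP_HEADERS + opt_bytes + int(payload.group(1))

def oversized(lines, path_mtu=1450):
    """Return (source, packet_size, bytes_over) for packets larger than path_mtu."""
    hits = []
    for line in lines:
        size = ip_packet_size(line)
        if size is not None and size > path_mtu:
            src = re.search(r" IP (\S+) > ", line).group(1)
            hits.append((src, size, size - path_mtu))
    return hits

def max_mss(path_mtu=1450):
    """Largest TCP MSS whose full-size segments fit path_mtu (headers only, no options)."""
    return path_mtu - IP_TCP_HEADERS

if __name__ == "__main__":
    for src, size, over in oversized(CAPTURE):
        print(f"{src}: {size}-byte packet is {over} bytes over the 1450-byte path MTU")
    print("MSS that fits:", max_mss())
```

Only the 1448-byte segment is flagged: it is the first full-size packet of the TLS exchange, built against the MSS of 1460 advertised in the SYN-ACK, which presumes a 1500-byte MTU.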

Stats

Asked: 2015-07-02 12:32:27 -0500

Seen: 78 times

Last updated: Jul 14 '15