GRE inside Openstack Instances

asked 2015-08-27 09:58:22 -0500

Mario Sommer

I try to clone my working physical Openstack system (Controller, Compute, Network Node) inside the Openstack environment itself (with qemu instead of kvm). Everything works fine, except for the network part.

I use the same network setup and neutron configuration as in the physical environment (IPs/neutron/OVS/GRE). ovs-vsctl show looks good, all bridges, ports and the gre interface with the correct local and remote_ip are present. Both nodes can ping one another on the eth device that is used for the GRE tunnel. tcpdump shows outgoing GRE packages on the virtual compute node, but no GRE packages ever reach the eth device on the virtual network node. To me it looks like the physical system is "eating" the GRE packages. Can someone confirm that it is at all possible to have GRE tunnels between Openstack instances?


2 answers


answered 2015-08-31 06:29:07 -0500

Mario Sommer

updated 2015-08-31 06:30:54 -0500

I traced it back to this rule on the physical compute node (c40340f6-1 is the virtual compute node's interface)

Chain neutron-openvswi-oc40340f6-1 (2 references)
pkts bytes target     prot opt in     out     source             destination         
8468  597K DROP       all  --  *      *             state INVALID

Seems like GRE inside GRE is considered invalid?!



Got it!

modprobe nf_conntrack_proto_gre fixed it. Now the traffic isn't marked as invalid any more.

Mario Sommer ( 2015-08-31 06:42:40 -0500 )

Man, spent a lot of time trying to figure this out. This worked in my setup, along with adding the rule in the security groups as shown below in the comment. Thanks!

dalexander ( 2015-10-19 17:46:20 -0500 )

(Running on KILO release FWIW)

dalexander ( 2015-10-19 17:46:38 -0500 )

answered 2015-08-28 10:53:36 -0500

darragh-oreilly

updated 2015-08-28 10:54:06 -0500

Don't know if what you are trying to do is possible, but you will need to open GRE (IP protocol 47) in the security groups, and watch the MTUs.

I tried this:

# SECURITY_GROUP is a placeholder: the group name is not shown in the original post
neutron security-group-rule-create \
--direction ingress \
--ethertype IPv4 \
--protocol 47 \
--port-range-min 1 --port-range-max 255 \
SECURITY_GROUP

and got this in iptables-save on the compute:

-A neutron-openvswi-i889a402e-a -p gre -j RETURN


The iptables rule is there, but it is never triggered

0 0 RETURN 47 -- * *

Mario Sommer ( 2015-08-31 06:33:21 -0500 )
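
A diagnostic sketch covering the two findings in this thread (the `state INVALID` drop and the protocol 47 security-group rule), as an added example that is not part of the original posts. The function names and the sample listing are constructed for illustration, and it assumes a kernel where GRE connection tracking is the separate `nf_conntrack_proto_gre` module, as in the thread.

```bash
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

# Succeeds if the GRE conntrack module is loaded. $1: modules file to read.
gre_helper_loaded() {
    grep -q '^nf_conntrack_proto_gre ' "${1:-/proc/modules}"
}

# stdin: `iptables -L -v -n`. Prints "chain pkts" for every neutron-openvswi-*
# chain whose "state INVALID" DROP rule has a non-zero packet counter.
invalid_drop_chains() {
    awk '
        $1 == "Chain" { chain = $2; next }
        chain ~ /^neutron-openvswi-/ && $3 == "DROP" && /state INVALID/ && $1 != "0" {
            print chain, $1
        }'
}

# stdin: `iptables-save`. Succeeds if a neutron ingress chain returns GRE.
gre_rule_present() {
    grep -Eq -- '^-A neutron-openvswi-i[^ ]+ .*-p (gre|47) .*-j RETURN'
}

# Constructed listing: the first chain mirrors the counters quoted in the
# thread, the second (hypothetical) chain has never dropped anything.
SAMPLE_LISTING='Chain neutron-openvswi-oc40340f6-1 (2 references)
 pkts bytes target     prot opt in     out     source       destination
 8468  597K DROP       all  --  *      *       0.0.0.0/0    0.0.0.0/0    state INVALID
Chain neutron-openvswi-o00000000-0 (2 references)
 pkts bytes target     prot opt in     out     source       destination
    0     0 DROP       all  --  *      *       0.0.0.0/0    0.0.0.0/0    state INVALID'

if [ "${1:-}" = "--live" ]; then
    # Run as root on the physical compute node that hosts the instances.
    gre_helper_loaded || echo "nf_conntrack_proto_gre is not loaded"
    iptables -L -v -n | invalid_drop_chains
    iptables-save | gre_rule_present || echo "no GRE (protocol 47) ingress rule found"
else
    printf '%s\n' "$SAMPLE_LISTING" | invalid_drop_chains
fi
```

A chain that shows up in the output while the module is missing matches the situation in the accepted answer: the GRE ingress rule exists but its counter stays at zero because the packets are dropped as INVALID first.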
