0

L3 Neutron Router Issue

asked 2015-09-10 16:27:54 -0500

felix001

updated 2015-09-11 15:33:55 -0500

I'm running Icehouse devstack and trying to connect to an instance. There's an external/internal network L3 router on the external network. A floating IP is assigned to the instance.

Ingress - However, if I SSH in I do not connect to the instance; even though I've set up an SSH key, it asks for a username and password. For kicks, if I use the creds for the host devstack is running on, it connects to the host.

Egress - If I ping out from the instance I can hit the L3 router but do not get a ping response from 8.8.8.8. If I do a tcpdump I can see the ICMP traffic leaving the host but not SNAT'd.

Here's the output:

root@openstack-lab:~# neutron floatingip-show d7a902fd-f914-42d4-814a-11e2f5a52bfd
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| fixed_ip_address    | 172.16.1.2                           |
| floating_ip_address | 162.13.14.41                        |
| floating_network_id | 71d986c9-32a2-4779-bb03-94ed2fc0f1de |
| id                  | d7a902fd-f914-42d4-814a-11e2f5a52bfd |
| port_id             | d5145b06-4672-41b6-b48f-2d199edc9cdc |
| router_id           | 5f5f5abd-f2fa-4424-9819-ebd86db770b7 |
| status              | ACTIVE                               |
| tenant_id           | b2162649b18840efb18314255e958990     |
+---------------------+--------------------------------------+

root@openstack-lab:~# nova list
+--------------------------------------+----------+--------+------------+-------------+-----------------------------------+
| ID                                   | Name     | Status | Task State | Power State | Networks                          |
+--------------------------------------+----------+--------+------------+-------------+-----------------------------------+
| d307519e-f95c-4956-b471-24f3bd7ea6f8 | server-1 | ACTIVE | -          | Running     | private=172.16.1.2, 162.13.14.41 |
+--------------------------------------+----------+--------+------------+-------------+-----------------------------------+

root@openstack-lab:~# neutron port-show d5145b06-4672-41b6-b48f-2d199edc9cdc
+-----------------------+-----------------------------------------------------------------------------------+
| Field                 | Value                                                                             |
+-----------------------+-----------------------------------------------------------------------------------+
| admin_state_up        | True                                                                              |
| allowed_address_pairs |                                                                                   |
| binding:host_id       | openstack-lab                                                                     |
| binding:profile       | {}                                                                                |
| binding:vif_details   | {"port_filter": true, "ovs_hybrid_plug": true}                                    |
| binding:vif_type      | ovs                                                                               |
| binding:vnic_type     | normal                                                                            |
| device_id             | d307519e-f95c-4956-b471-24f3bd7ea6f8                                              |
| device_owner          | compute:nova                                                                      |
| extra_dhcp_opts       |                                                                                   |
| fixed_ips             | {"subnet_id": "d67908c1-9573-4494-97eb-cf214fcb6d82", "ip_address": "172.16.1.2"} |
| id                    | d5145b06-4672-41b6-b48f-2d199edc9cdc                                              |
| mac_address           | fa:16:3e:ef:99:e3                                                                 |
| name                  |                                                                                   |
| network_id            | 59037cf2-25fa-4eec-8d67-a737d850aa9b                                              |
| security_groups       | e5caad09-1d97-47f2-9886-8c2f53e5c2be                                              |
| status                | ACTIVE                                                                            |
| tenant_id             | b2162649b18840efb18314255e958990                                                  |
+-----------------------+-----------------------------------------------------------------------------------+

Everything looks OK, but I'm not really sure why this is failing. The odd thing is I see the router port for the internal network as DOWN, though I can't find this via the neutron command.

EDIT :

root@openstack-lab:~# ip netns exec qrouter-5f5f5abd-f2fa-4424-9819-ebd86db770b7 iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N neutron-postrouting-bottom
-N neutron-vpn-agen-OUTPUT
-N neutron-vpn-agen-POSTROUTING
-N neutron-vpn-agen-PREROUTING
-N neutron-vpn-agen-float-snat
-N neutron-vpn-agen-snat
-A PREROUTING -j neutron-vpn-agen-PREROUTING
-A OUTPUT -j neutron-vpn-agen-OUTPUT
-A POSTROUTING -j neutron-vpn-agen-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-postrouting-bottom -j neutron-vpn-agen-snat
-A neutron-vpn-agen-OUTPUT -d 162.13.14.41/32 -j DNAT --to-destination 172.16.1.2
-A neutron-vpn-agen-POSTROUTING ! -i qg-db90f9db-b8 ! -o qg-db90f9db-b8 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-vpn-agen-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-vpn-agen-PREROUTING -d 162.13.14.41/32 -j DNAT --to-destination 172.16.1.2
-A neutron-vpn-agen-float-snat -s 172.16.1.2/32 -j SNAT --to-source 162.13.14.41
-A neutron-vpn-agen-snat -j neutron-vpn-agen-float-snat
-A neutron-vpn-agen-snat -s 172.16.1.0/24 -j SNAT --to-source 162.13.14.40

[Screen Shot 2015-09-11 at 20.57.52.png](/upfiles/14420017675170635.png)

EDIT 2 :

From looking at the port I can see it is unbound.

+-----------------------+--------------------------------------------------------------------------------------+
| Field                 | Value                                                                                |
+-----------------------+--------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                 |
| allowed_address_pairs |                                                                                      |
| binding:host_id       |                                                                                      |
| binding:profile       | {}                                                                                   |
| binding:vif_details   | {}                                                                                   |
| binding:vif_type      | unbound                                                                              |
| binding:vnic_type     | normal                                                                               |
| device_id             | d7a902fd-f914-42d4-814a-11e2f5a52bfd                                                 |
| device_owner          | network:floatingip                                                                   |
| extra_dhcp_opts       |                                                                                      |
| fixed_ips             | {"subnet_id": "6e8c36e4-030e-4142-9429-40097efcc3aa", "ip_address": "162.13.154.41"} |
| id                    | e2a703da-530b-41b4-8655-24b92766741f                                                 |
| mac_address           | fa:16:3e:84:ac:08                                                                    |
| name                  |                                                                                      |
| network_id            | 71d986c9-32a2-4779-bb03-94ed2fc0f1de                                                 |
| security_groups       |                                                                                      |
| status                | DOWN                                                                                 |
| tenant_id             |                                                                                      |
+-----------------------+--------------------------------------------------------------------------------------+

Thanks


2 answers

0

answered 2015-09-11 08:16:30 -0500

dbaxps

You wrote "The odd thing is I see the router port for the internal network as DOWN."
Yes, it is. Your neutron router doesn't forward packets from the tenant's network to external.
I would try to recreate the sub-net && router. Alternatively, try the stable kilo or juno branches; they worked fine for me. See http://bderzhavets.blogspot.com/2015/...
(just skip all nova-docker related content)
and https://ask.openstack.org/en/question...

0

answered 2015-09-11 04:47:53 -0500

ritesh.singh.aricent@gmail.com

Please answer some queries to make the scenario clear:

  1. You have mentioned you cannot connect via SSH, and it asks for a password. So is it not connected to the network, or is authentication the issue?
  2. Can you ping your router from the ext network or vice versa?
  3. Please share the network diagram (on the Horizon screen).
  4. Please share ip netns exec qrouter-your-router-name iptables -t nat -S

Comments

  1. Can you confirm the question?
  2. Can ping the router. Not sure what you mean when you say vice versa.
  3. Added to original question.
  4. Added to original question.
felix001 ( 2015-09-11 14:58:58 -0500 )

Thanks. By vice versa I mean: can you ping from router to 8.8.8.8 from your router (wanted to be sure that it's not a networking problem). 2. Another issue might be when the netmask of the public subnet and gateway are mismatched. Make sure the IP subnetting is done right.

ritesh.singh.aricent@gmail.com ( 2015-09-14 04:13:17 -0500 )
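
Item 4 of the answer above asks for the router namespace's NAT table, which the question's first edit supplies. As an added example (not part of the original thread), this script checks that output for the two rules a floating IP depends on: DNAT in the PREROUTING chain for ingress and SNAT in the float-snat chain for egress. The function names `sample_rules`, `re_escape` and `check_fip_nat` are made up for this example; the sample rules are copied from the question's output.

```sh
#!/bin/sh
# Added example (not from the original thread): verify that a router
# namespace's NAT table holds both rules a floating IP needs.

# Rules as posted in the question (NAT-relevant subset).
sample_rules() {
cat <<'EOF'
-A neutron-vpn-agen-OUTPUT -d 162.13.14.41/32 -j DNAT --to-destination 172.16.1.2
-A neutron-vpn-agen-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-vpn-agen-PREROUTING -d 162.13.14.41/32 -j DNAT --to-destination 172.16.1.2
-A neutron-vpn-agen-float-snat -s 172.16.1.2/32 -j SNAT --to-source 162.13.14.41
-A neutron-vpn-agen-snat -j neutron-vpn-agen-float-snat
-A neutron-vpn-agen-snat -s 172.16.1.0/24 -j SNAT --to-source 162.13.14.40
EOF
}

# Escape dots so an address matches literally inside a regex.
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Usage: iptables -t nat -S | check_fip_nat FLOATING_IP FIXED_IP
# Prints one line per check; return status is the number of missing rules.
check_fip_nat() {
    cfn_rules=$(cat)
    cfn_fip=$(re_escape "$1"); cfn_fixed=$(re_escape "$2"); cfn_missing=0

    # Ingress: packets to the floating IP must be DNATed to the fixed IP.
    if printf '%s\n' "$cfn_rules" | grep -Eq -- \
        "^-A [^ ]+-PREROUTING -d $cfn_fip/32 -j DNAT --to-destination $cfn_fixed\$"; then
        echo "ok: DNAT $1 -> $2"
    else
        echo "MISSING: DNAT $1 -> $2"; cfn_missing=$((cfn_missing + 1))
    fi

    # Egress: packets from the fixed IP must be SNATed to the floating IP.
    if printf '%s\n' "$cfn_rules" | grep -Eq -- \
        "^-A [^ ]+-float-snat -s $cfn_fixed/32 -j SNAT --to-source $cfn_fip\$"; then
        echo "ok: SNAT $2 -> $1"
    else
        echo "MISSING: SNAT $2 -> $1"; cfn_missing=$((cfn_missing + 1))
    fi
    return "$cfn_missing"
}

# The posted rules pass; a copy with the float-snat chain stripped does not.
sample_rules | check_fip_nat 162.13.14.41 172.16.1.2
sample_rules | grep -v float-snat | check_fip_nat 162.13.14.41 172.16.1.2 || true
```

On a live host the input would come from `ip netns exec qrouter-<router-id> iptables -t nat -S` piped into `check_fip_nat`. When both rules are present, as they are in the posted output, the NAT programming for that floating IP is in place and the fault lies elsewhere in the path.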
