
In havana-3, cannot ssh or ping to floating ips

asked 2013-12-08 23:28:45 -0500

etlars

updated 2013-12-10 19:42:07 -0500

In my test env, I cannot ping or ssh to floating IPs.

My problem is:

  • I can ssh to VMs through "ip netns exec qrouter-xxx ssh cirros@fixed-ip" or connect through VNC, and I can also ping 8.8.8.8 (or any site outside my env) from the VMs.

  • However, from inside a VM, I cannot ping the floating IP assigned to that VM itself or any other floating IP.

  • From the server (e.g. from the controller node), I cannot ping or ssh to the floating IPs assigned to the VMs.

My env:

  • host machine: Mac
  • servers: Ubuntu Server 12.04 VMs on VMware Fusion
  • configuration: controller node 1, compute node 2, network node 1
  • package: havana-3 (2013.2)

Please check my settings and test results at the following Google Drive URL:

http://paste.openstack.org/show/54754/


2 answers


answered 2013-12-12 11:20:35 -0500

kashyapc

updated 2013-12-12 11:27:49 -0500

I just took a look at your paste; you haven't specified iptables rules. Ensure you have the GRE INPUT/OUTPUT rules too (refer below).

In my two node setup, I have these iptables rules, and I could reach Floating IPs from inside the Nova instances just fine.

[1] iptables on Controller node:

[root@ostack-controller ~]# cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3260 -m comment --comment "001 cinder incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 3306 -m comment --comment "001 mariadb incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 8770:8780 -m comment --comment "001 novaapi incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "001 qpid incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 8700 -m comment --comment "001 metadata incoming" -j ACCEPT 
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p gre -j ACCEPT 
-A OUTPUT -p gre -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

[2] iptables rules on Compute node:

[root@ostack-compute ~(keystone_kashyap)]$ cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p gre -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p gre -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Here are my working Neutron configurations with OVS and GRE, two node setup: http://kashyapc.fedorapeople.org/virt/openstack/neutron-configs-GRE-OVS-two-node.txt

And, alternatively, you can do some tcpdump analysis on your various network devices. Here's a recent trace of some analysis I've done -- https://gist.github.com/kashyapc/7926517

Some commands to try for ICMP here (once you invoke an ICMP request from inside the Nova instance):

  $ tcpdump -i br-ex -n icmp
  $ tcpdump -i eth0 -n icmp
  $ tcpdump -i any -n ...
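Added check, not from the thread: iptables evaluates a chain top to bottom and an unconditional terminating rule ends the walk, so an "-A INPUT -p gre -j ACCEPT" appended after "-A INPUT -j REJECT" is never consulted. The Python script below, using a constructed, abridged copy of the controller ruleset above as its sample input, reports such shadowed rules in an iptables-save dump:

```python
"""Added check (not from the thread): list iptables rules that can never match because
an earlier rule in the same chain already terminates evaluation unconditionally."""
import shlex

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample, abridged from the controller ruleset posted in the answer above.
CONTROLLER_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron incoming" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p gre -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
COMMIT
"""

def parse_rules(text):
    """Yield (chain, option_tokens) for each '-A CHAIN ...' line of an iptables-save dump."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue  # skip *table, :CHAIN policy, COMMIT and comment lines
        tokens = shlex.split(line)  # keeps quoted --comment strings together
        yield tokens[1], tokens[2:]

def is_unconditional_terminal(tokens):
    """True when a rule has no match criteria and a terminating target, e.g. '-j REJECT'."""
    target, i = None, 0
    while i < len(tokens):
        if tokens[i] in ("-j", "--jump"):
            target, i = tokens[i + 1], i + 2
        elif tokens[i] == "--reject-with":  # option of the REJECT target, not a match
            i += 2
        else:
            return False  # -p, -m, -i, -s ... all narrow the rule
    return target in TERMINAL_TARGETS

def shadowed_rules(text):
    """Return rules that sit below an unconditional terminal rule in their own chain.
    Built-in chains only; jumps into user-defined chains are not followed."""
    terminated, shadowed = set(), []
    for chain, tokens in parse_rules(text):
        if chain in terminated:
            shadowed.append(f"-A {chain} " + " ".join(tokens))
        elif is_unconditional_terminal(tokens):
            terminated.add(chain)
    return shadowed
```

Feed it the text of iptables-save (or /etc/sysconfig/iptables); on the sample it returns only the INPUT GRE rule, while the OUTPUT GRE rule is unaffected because each chain is tracked separately.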

Comments

Thanks for your kind answers. I added my result as another answer due to the limit on the number of characters here. Thanks again!

etlars (2013-12-12 20:14:19 -0500)

answered 2013-12-12 20:07:35 -0500

etlars

Thanks for your kind answers.

Most of all, yes, my network node and compute nodes have no GRE rules in iptables. But when following your descriptions, there was no "control_exchange=neutron" in the neutron.conf of my configuration, and now I can connect to the VM floating IP directly from an external node! Thanks!

I still cannot find any GRE-related rules on the network and compute nodes :|

The following link shows the successful GRE tcpdump and SSH connection using the floating IP:

http://paste.openstack.org/show/54928/
