
can't ping or ssh instance floating IP

asked 2015-10-18 12:01:49 -0500

michaelp

updated 2015-10-19 07:12:28 -0500

I installed Kilo OpenStack/DevStack with everything on a single node on Ubuntu 14.04. I created an instance, and I can see it get an address assigned and given a floating IP4/IP6 public=172.24.4.5, 2001:db8::6 and internal IP4/IP6 private=fd6d:9a49:de06:0:f816:3eff:feb5:14609, 10.0.0.4

I added it to the default security group and edited the security group, enabling ICMP and SSH (port 22) ingress rules. Now I can ping and ssh the instance internal IP 10.0.0.4.

However, I cannot ping or SSH the instance floating IP 172.24.4.5 from the compute node or any other machine on the network.
I can ping public network default gateway IP 172.24.4.1 and router external IP 172.24.4.2. However, ping to instance floating IP 172.24.4.5 does not work.

Here is the output of commands on the compute node

$ neutron router-list
$ ip netns | grep router_id
$ ip netns exec qrouter-router_id iptables -S -t nat
$ ip netns exec qrouter-router_id ip a
$ ip netns exec qrouter-router_id ifconfig

$ neutron router-list
ea089823-0b25-42c8-ac30-d56ffa1ff2ac | router1 | {"network_id": "2863985b-f319-435e-8d0b-8f6647008711", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "a2bd8b63-7be5-43b5-9534-bd5e04a59734", "ip_address": "172.24.4.2"}, {"subnet_id": "c26dd6ba-6573-4c06-936e-00fe5c1d67bb", "ip_address": "2001:db8::3"}]} | False       | False |

$ ip netns | grep ea089823-0b25-42c8-ac30-d56ffa1ff2ac
qrouter-ea089823-0b25-42c8-ac30-d56ffa1ff2ac

$ sudo ip netns exec qrouter-ea089823-0b25-42c8-ac30-d56ffa1ff2ac iptables -S -t nat

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N neutron-l3-agent-OUTPUT
-N neutron-l3-agent-POSTROUTING
-N neutron-l3-agent-PREROUTING
-N neutron-l3-agent-float-snat
-N neutron-l3-agent-snat
-N neutron-postrouting-bottom
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-POSTROUTING ! -i qg-43b82233-b7 ! -o qg-43b82233-b7 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -o qg-43b82233-b7 -j SNAT --to-source 172.24.4.2
-A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 172.24.4.2
-A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-l3-agent-snat

$ sudo ip netns exec qrouter-ea089823-0b25-42c8-ac30-d56ffa1ff2ac ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
9: qr-db44c430-bc: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    link/ether fa:16:3e:90:1b:f8 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global qr-db44c430-bc
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe90:1bf8/64 scope link
       valid_lft forever preferred_lft forever
10: qg-43b82233-b7: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    link/ether fa:16:3e:3e:bb:08 brd ff:ff:ff:ff:ff:ff
    inet 172.24.4.2/24 brd 172.24.4.255 scope global qg-43b82233-b7
       valid_lft ...

Comments

Could you confirm that sudo ip netns exec qrouter-ea089823-0b25-42c8-ac30-d56ffa1ff2ac ping 10.0.0.4 does work and sudo ip netns exec qrouter-ea089823-0b25-42c8-ac30-d56ffa1ff2ac ping 172.24.4.5 does not?

Antonio G. ( 2015-10-19 07:17:12 -0500 )

1 answer


answered 2015-10-19 10:32:05 -0500

michaelp

Yes, this is correct. From the compute node I can ping/ssh the internal IP 10.0.0.4 of the instance (instance IP assigned on the private network):

$ sudo ip netns exec qrouter-ea089823-0b25-42c8-ac30-d56ffa1ff2ac ping 10.0.0.4
PING 10.0.0.4 (10.0.0.4) 56(84) bytes of data.
64 bytes from 10.0.0.4: icmp_seq=1 ttl=64 time=0.769 ms
64 bytes from 10.0.0.4: icmp_seq=2 ttl=64 time=0.335 ms
64 bytes from 10.0.0.4: icmp_seq=3 ttl=64 time=0.601 ms
64 bytes from 10.0.0.4: icmp_seq=4 ttl=64 time=0.221 ms

However, I cannot ping/ssh floating IPs of the public network:

$ sudo ip netns exec qrouter-ea089823-0b25-42c8-ac30-d56ffa1ff2ac ping 172.24.4.5
PING 172.24.4.5 (172.24.4.5) 56(84) bytes of data.
From 172.24.4.2 icmp_seq=1 Destination Host Unreachable
From 172.24.4.2 icmp_seq=2 Destination Host Unreachable
From 172.24.4.2 icmp_seq=3 Destination Host Unreachable

At the same time I can ping router IP 172.24.4.2 itself:

$ sudo ip netns exec qrouter-ea089823-0b25-42c8-ac30-d56ffa1ff2ac ping 172.24.4.2
PING 172.24.4.2 (172.24.4.2) 56(84) bytes of data.
64 bytes from 172.24.4.2: icmp_seq=1 ttl=64 time=0.121 ms
64 bytes from 172.24.4.2: icmp_seq=2 ttl=64 time=0.069 ms
64 bytes from 172.24.4.2: icmp_seq=3 ttl=64 time=0.059 ms

and I can ping the gateway IP of the public network:

$ sudo ip netns exec qrouter-ea089823-0b25-42c8-ac30-d56ffa1ff2ac ping 172.24.4.1
PING 172.24.4.1 (172.24.4.1) 56(84) bytes of data.
64 bytes from 172.24.4.1: icmp_seq=1 ttl=64 time=3.46 ms
64 bytes from 172.24.4.1: icmp_seq=2 ttl=64 time=0.091 ms

All router interfaces show status ACTIVE

and both public and private network show status ACTIVE.

Some mysterious problem...
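
A check for the floating-IP NAT rules in a router namespace, added here as an example and not part of the original posts: the nat table posted in the question contains no rule that mentions 172.24.4.5, and this script reports that from `iptables -S -t nat` output. The helper name `fip_nat_check` is hypothetical, and the rule shapes it looks for are an assumption about what the Neutron L3 agent installs for an associated floating IP.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: an associated floating IP
# shows up as DNAT rules in neutron-l3-agent-PREROUTING and -OUTPUT plus an
# SNAT rule in neutron-l3-agent-float-snat; rule text can vary by release.

# fip_nat_check <rules-text> <floating-ip> <fixed-ip>   (hypothetical helper)
# Prints one line per absent rule; returns 0 only when all three are present.
fip_nat_check() {
    printf '%s\n' "$1" | awk -v fip="$2" -v fixed="$3" '
        # Fixed-string token match, space-padded so 10.0.0.4 never matches 10.0.0.40
        function has(s) { return index(" " $0 " ", " " s " ") > 0 }
        function dnat() { return has("-d " fip "/32") && has("-j DNAT --to-destination " fixed) }
        $1 != "-A" { next }
        $2 == "neutron-l3-agent-PREROUTING" && dnat() { pre = 1 }
        $2 == "neutron-l3-agent-OUTPUT" && dnat() { out = 1 }
        $2 == "neutron-l3-agent-float-snat" && has("-s " fixed "/32") &&
            has("-j SNAT --to-source " fip) { snat = 1 }
        END {
            if (!pre)  print "absent: PREROUTING DNAT " fip " -> " fixed
            if (!out)  print "absent: OUTPUT DNAT " fip " -> " fixed
            if (!snat) print "absent: float-snat SNAT " fixed " -> " fip
            exit !(pre && out && snat)
        }'
}

# -A rules copied from the nat table posted in the question (abridged).
POSTED_RULES='-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -o qg-43b82233-b7 -j SNAT --to-source 172.24.4.2'

# Constructed sample: the same table with the three floating-IP rules present.
WITH_FIP_RULES="$POSTED_RULES
-A neutron-l3-agent-PREROUTING -d 172.24.4.5/32 -j DNAT --to-destination 10.0.0.4
-A neutron-l3-agent-OUTPUT -d 172.24.4.5/32 -j DNAT --to-destination 10.0.0.4
-A neutron-l3-agent-float-snat -s 10.0.0.4/32 -j SNAT --to-source 172.24.4.5"

# Live use: pass "$(sudo ip netns exec qrouter-<router_id> iptables -S -t nat)"
fip_nat_check "$POSTED_RULES" 172.24.4.5 10.0.0.4 ||
    echo "no NAT rules for 172.24.4.5 in this table"
```
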
