Neutron IPTables dropping TCP ACK packets between instances on same host.

asked 2015-11-04 01:08:29 -0500

Cobalt60

TCP handshakes do not complete between 2 VMs in different VLANs/networks that are on the same libvirt host. If the VMs are on separate hosts, the TCP connection establishes correctly. The application is irrelevant and the issue occurs for all TCP connections. After running tcpdump on the internal interfaces, the following is occurring:


ClientVM = VM that acts as a TCP Client and attempts to open a TCP socket.

ServerVM = VM that acts as a TCP Server and receives a TCP connection from ClientVM .

  1. ClientVM sends a SYN packet to ServerVM; ServerVM receives the packet.
  2. ServerVM sends a SYN_ACK packet to ClientVM; ClientVM receives the packet.
  3. ClientVM sends an ACK packet to ServerVM; the packet is dropped and is never received by ServerVM.

The packet appears to be dropped by the iptables rules on the ClientVM's Linux bridge. Tcpdump on the ClientVM libvirt tap interface shows the ACK packet passing from the VM to the Linux bridge, but a tcpdump on the qvb interface on the other side of the bridge never shows the packet.

The Security Group rules allow all TCP packets through in both directions. Hence, the original SYN and SYN_ACK packets pass through.

What would cause the bridge/iptables to drop the ACK packet?

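One way to pin down which rule on the bridge is eating the ACK is to snapshot the iptables packet counters before and after a single connection attempt and report every rule whose counter grew. The script below is an added example, not code from the original post or from Neutron: it parses `iptables -t filter -L -v -n -x --line-numbers` output (the `-x` keeps counters exact rather than abbreviated) and diffs two listings. It assumes the Neutron iptables firewall driver is in use on the compute node (the `neutron-openvswi-o...` per-port egress chain that the ClientVM's outbound traffic traverses on the qbr bridge) and that you have a root shell there; the embedded sample listings are constructed, with a made-up port id suffix and counter values, to show the output shape, and are not a capture from the poster's host.

```python
"""Diff iptables packet counters around one failing TCP handshake attempt.

Real use on the compute node (assumption: root shell, Neutron iptables firewall):
    iptables -t filter -L -v -n -x --line-numbers > before.txt
    # from ClientVM, make exactly one connection attempt, e.g.  nc -z -w 2 <ServerVM> 80
    iptables -t filter -L -v -n -x --line-numbers > after.txt
    python3 iptables_counter_diff.py before.txt after.txt
Run with no arguments to see the constructed sample below.
"""
import re
import sys

# One rule line of `iptables -L -v -n -x --line-numbers`:
#   num  pkts  bytes  target  prot opt in out source destination [match options]
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")


def parse_counters(listing):
    """Map (chain, rule_number) -> (pkts, target, rule_text) for one listing.

    Assumes every rule has a target (true for the chains Neutron installs); a
    rule with no target would have its protocol column read as the target.
    """
    counters = {}
    chain = None
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE_RE.match(line)
        if chain is None or m is None:
            continue  # column header, blank line, or text before the first chain
        num, pkts, _bytes, target, rest = m.groups()
        counters[(chain, int(num))] = (int(pkts), target, " ".join(rest.split()))
    return counters


def counter_deltas(before, after):
    """Rules whose packet counter grew between the two listings.

    Returns [(chain, rule_number, delta_pkts, target, rule_text)] in listing
    order; a rule present only in `after` is reported with its full count.
    """
    b = parse_counters(before)
    deltas = []
    for key, (pkts, target, rule) in parse_counters(after).items():
        delta = pkts - b.get(key, (0,))[0]
        if delta > 0:
            deltas.append((key[0], key[1], delta, target, rule))
    return deltas


def dropping_rules(before, after):
    """The subset of grown counters whose target discards the packet."""
    return [d for d in counter_deltas(before, after) if d[3] in ("DROP", "REJECT")]


# Constructed sample listings (not captured from the poster's host). The chain
# follows the shape of Neutron's per-port egress chain; the port id is made up.
BEFORE = """\
Chain neutron-openvswi-o1a2b3c4d-5 (2 references)
num      pkts      bytes target     prot opt in     out     source               destination
1         120      8640 RETURN     udp  --  *      *       0.0.0.0              255.255.255.255      udp spt:68 dpt:67
2          10       820 neutron-openvswi-s1a2b3c4d-5  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3           0         0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
4          15      1100 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5           2       120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
6           9       540 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
7           0         0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Same chain after one handshake attempt: rules 4, 5 and 6 each saw one more packet.
AFTER = BEFORE.replace("4          15      1100", "4          16      1160") \
              .replace("5           2       120", "5           3       180") \
              .replace("6           9       540", "6          10       600")

if __name__ == "__main__":
    if len(sys.argv) == 3:
        before, after = (open(p).read() for p in sys.argv[1:3])
    else:
        before, after = BEFORE, AFTER
    for chain, num, delta, target, rule in counter_deltas(before, after):
        flag = "   <-- discards traffic" if target in ("DROP", "REJECT") else ""
        print(f"{chain} rule {num}: +{delta} pkt(s) -> {target} [{rule}]{flag}")
```

Make exactly one connection attempt between the snapshots so every delta is attributable to that handshake; on a busy host, filter the comparison to the ClientVM's own `neutron-openvswi-o<port>` chain. If the counter diff is ambiguous, the next step is a raw-table trace of just that flow (`iptables -t raw -A PREROUTING -p tcp -d <ServerVM> --dport <port> -j TRACE`, read from the kernel log), which works on the qbr path only because br_netfilter is calling iptables for bridged frames, the same hook Neutron's hybrid firewall relies on.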