VM without floating ip, connection problem in some cases

asked 2015-12-21 12:40:15 -0600

mariusleu gravatar image

updated 2015-12-21 12:43:03 -0600


I am running a setup with Neutron DVR, having 1 controller node (with l3 agent in dvr_snat mode) and other compute nodes with l3 agent in dvr mode.

The external traffic (SNAT) made by VMs without a floating IP is routed through the controller node (dvr_snat router).
The external traffic (DNAT/SNAT) made by VMs with a floating IP is routed through the compute node (dvr router).

So let's say I create a VM with a private only IP.
- wget https://my.atlassian.com - doesn't work; the request stays on hold
- wget https://whoer.net - works, but I can see a delay
- apt-get update also doesn't work for all the repositories

After I associate a floating IP all the external requests works smoothly.

Before associating the floating IP, I went to the SNAT namespace in the controller node and tried these wget commands. All worked smoothly, so my IP is not banned. There might be a connection problem between the compute nodes and the controller node.

Can you help me with some instructions how to debug this?


edit retag flag offensive close merge delete


Does your private net has DNS server or can you ping via SNAT ?

dbaxps gravatar imagedbaxps ( 2015-12-21 15:56:37 -0600 )edit

I can ping anything. The problem comes when I try to do TCP traffic through different ports such as 443 or 80.

mariusleu gravatar imagemariusleu ( 2015-12-21 16:10:26 -0600 )edit

I have in VM /etc/resolv.conf and I can ping I have google .com in the dns cache and I can ping google .com, but if I try to ping google .de for example, it doesn't work because my machine can't access on port 53 do query the dns server.

mariusleu gravatar imagemariusleu ( 2015-12-21 16:14:44 -0600 )edit

The VM is able to open the socket on port 53 and send packets, but the returning packets are not coming, i think.

mariusleu gravatar imagemariusleu ( 2015-12-21 16:18:47 -0600 )edit

1 answer

Sort by ยป oldest newest most voted

answered 2015-12-21 16:22:05 -0600

capsali gravatar image

This might be unrelated, but if you are using dvr i assume tenant network is using vxlan. Try lowering the mtu on the guest OS to something like 1454 to account for the vxlan header.

edit flag offensive delete link more


It's already 1454 on the guest OS. However, the Host OS (controller node running snat router) has MTU 1500 on the router gateway nic.

mariusleu gravatar imagemariusleu ( 2015-12-21 16:25:23 -0600 )edit

MTU for external eth should have standard size, i.e 1500 (no vxlan or gre header on it) and should be set in promiscuous mode. Try setting MTU to 1500 in guest OS to rule out packet fragmentation (although this is mostly not the problem).

capsali gravatar imagecapsali ( 2015-12-21 19:12:17 -0600 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2015-12-21 12:40:15 -0600

Seen: 519 times

Last updated: Dec 21 '15