DVR - pinging the floating ip and receiving response from the private

asked 2016-03-14 09:26:08 -0500

mariusleu

Hello,

I have a Liberty deployment with DVR.

I have two machines connected in the same VXLAN network.

VM1 is 10.0.0.2 and VM2 10.0.0.3.

VM1 has a floating ip assigned (let's say 2.2.2.2).

The problem is: if VM2 has no floating IP assigned (so traffic goes through the SNAT namespace), I cannot access 2.2.2.2 (but any other request, e.g. curl google.com, works). If VM2 has a floating IP assigned, I can access 2.2.2.2.

Scenarios:

  • From VM2 without a floating IP, if I ping 2.2.2.2, I receive the response from 10.0.0.2 (VM1's IP).
  • From VM2 with a floating IP, if I ping 2.2.2.2, I receive the response from 2.2.2.2 (VM1's floating IP).
  • From VM2 without a floating IP, if I curl 2.2.2.2, it freezes saying (connecting).
  • From VM2 without a floating IP, if I curl 10.0.0.2, it works.
  • If I assign a floating IP to VM2, curl 2.2.2.2 works.
  • Also, in VM2, any other curl (e.g. google.com) works, so I have internet access from VM2; it is only when I try to do TCP traffic to another floating IP that it doesn't work.

The MTU of my machines is 1450.


Comments

Are VM1, VM2 and the SNAT on different nodes?

darragh-oreilly ( 2016-03-14 13:35:16 -0500 )

It's a single-node deployment. The L3 agent is in dvr_snat mode.

mariusleu ( 2016-03-14 17:05:24 -0500 )

2 answers

0

answered 2016-03-14 11:44:52 -0500

dbaxps

updated 2016-03-15 15:45:19 -0500

The problem is: if VM2 has no floating ip assigned (so traffic goes through SNAT namespace), I cannot access 2.2.2.2 (but any other requests i.e curl google.com works). If VM2 has floating IP assigned, I can access 2.2.2.2

UPDATE 03/15/2016 22:58 MSK
In the case where VM1 is on a private net attached to a legacy (DNAT/SNAT) neutron router, the following rules will be applied to route TCP/IP packets. A connection initiated from the outside VM2 (IP 192.169.142.152) will be handled by rule (3):

   [root@CentOSRV7201 ~]# ip netns exec qrouter-250d8503-6126-4b81-83a8-5191f2382225 iptables -t nat -S | grep DNAT
    -A neutron-l3-agent-OUTPUT -d 192.169.142.152/32 -j DNAT --to-destination 50.0.0.12
    -A neutron-l3-agent-POSTROUTING ! -i qg-ca51fbf6-f0 ! -o qg-ca51fbf6-f0 -m conntrack ! --ctstate DNAT -j ACCEPT
    -A neutron-l3-agent-PREROUTING -d 192.169.142.152/32 -j DNAT --to-destination 50.0.0.12
    -A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 192.169.142.150

Thus VM1, even without having a FIP, will be able to ssh into FIP 192.169.142.152. When DVR_SNAT mode is set up for L3 routing, the output of "ip netns exec snat-xxxxxxxx iptables -t nat -S | grep DNAT" will be empty. A TCP/IP transmission that is supposed to reach the same FIP won't be properly routed by the SNAT part of the distributed router located on the Controller/Network Node. As soon as this VM obtains a FIP, the transmission will be routed via the outgoing fg interface of the fip-xxxxxxxx namespace located on the Compute Node, which supports DNAT.
END UPDATE

UPDATE 03/15/2016 11:20 MSK
VM1 (CirrOS), which has only the private IP 50.0.0.12, pings FIP 172.24.4.233 of VM2 (Ubuntu 15.10), which has the private IP 50.0.0.14.
On VM2:

# tcpdump -lnpi eth0
 09:54:02.865602 IP 50.0.0.12 > 50.0.0.14: ICMP echo request, id 20481, seq 5, length 64
 09:54:02.865632 IP 50.0.0.14 > 50.0.0.12: ICMP echo reply, id 20481, seq 5, length 64
 09:54:02.867440 ARP, Request who-has 50.0.0.12 tell 50.0.0.14, length 28
 09:54:02.867758 ARP, Reply 50.0.0.12 is-at fa:16:3e:9a:7b:02, length 28
 09:54:03.865813 IP 50.0.0.12 > 50.0.0.14: ICMP echo request, id 20481, seq 6, length 64
 09:54:03.865842 IP 50.0.0.14 > 50.0.0.12: ICMP echo reply, id 20481, seq 6, length 64

From the tcpdump report I see that VM2 (50.0.0.14) issues an ARP request for who has 50.0.0.12.
Now I stop the VMs, associate a FIP with the CirrOS VM1, and dissociate the FIP from the Ubuntu VM2.
Start both VMs and attempt to ping the FIP of VM1 (CirrOS - 50.0.0.15) from VM2 (Ubuntu - 50.0.0.14).
Run ping via the VNC console, and log into VM2 via the qdhcp namespace on the Network Node to start tcpdump
on the VM that issues the pings.

11:03 ...

Comments

Yes, I have the same behavior when I use tcpdump. But the problem is that TCP requests don't work.

mariusleu ( 2016-03-15 05:59:34 -0500 )

I would make a simple test (no DVR). Two VMs, VM1 (FIP1, PIV1) and VM2 (PIV2), belonging to the same tenant.
Try to access VM1's FIP from VM2 via ssh (just upload the ssh keypair to VM2) and dissociate its FIP. I am expecting failure.

dbaxps ( 2016-03-15 07:58:55 -0500 )

However, without DVR: success. DVR does matter here.

dbaxps ( 2016-03-15 12:21:20 -0500 )
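As an added illustration (not code from the answer above or from Neutron itself), a small Python parser over "iptables -t nat -S" output that performs the check the answer describes: does a router namespace hold a DNAT rule for a given floating IP, or not? The legacy-router rules are the four quoted in the answer; the DVR snat-namespace sample is constructed to reflect the answer's statement that grep DNAT there is empty.

```python
import re
from typing import Dict

# Rules quoted in the answer for a legacy (centralized DNAT/SNAT) qrouter-* namespace.
LEGACY_QROUTER_RULES = """\
-A neutron-l3-agent-OUTPUT -d 192.169.142.152/32 -j DNAT --to-destination 50.0.0.12
-A neutron-l3-agent-POSTROUTING ! -i qg-ca51fbf6-f0 ! -o qg-ca51fbf6-f0 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 192.169.142.152/32 -j DNAT --to-destination 50.0.0.12
-A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 192.169.142.150
"""

# Constructed sample for a DVR snat-* namespace: source NAT for the subnet only,
# no DNAT for any floating IP (the interface name qg-xxxx is a placeholder).
DVR_SNAT_RULES = """\
-A neutron-l3-agent-snat -o qg-xxxx -j SNAT --to-source 192.169.142.150
"""

# One DNAT rule as printed by `iptables -t nat -S`: chain, /32 destination, target.
DNAT_RE = re.compile(
    r"^-A (?P<chain>\S+) -d (?P<fip>\d+\.\d+\.\d+\.\d+)/32 "
    r"-j DNAT --to-destination (?P<fixed>\d+\.\d+\.\d+\.\d+)$"
)


def dnat_mappings(rules_text: str) -> Dict[str, str]:
    """Return {floating_ip: fixed_ip} for every PREROUTING DNAT rule in the dump.

    Only PREROUTING is considered: that is the rule (3) the answer says handles
    connections arriving for the FIP; the OUTPUT copy applies to router-local traffic.
    """
    mapping: Dict[str, str] = {}
    for line in rules_text.splitlines():
        m = DNAT_RE.match(line.strip())
        if m and m.group("chain").endswith("PREROUTING"):
            mapping[m.group("fip")] = m.group("fixed")
    return mapping


def diagnose(rules_text: str, fip: str) -> str:
    """Summarise whether a VM without its own FIP can reach `fip` through this namespace."""
    fixed = dnat_mappings(rules_text).get(fip)
    if fixed:
        return f"legacy router: {fip} is DNATed to {fixed}, reachable from FIP-less VMs"
    return f"no DNAT for {fip} in this namespace: FIP-less VMs cannot reach it (DVR snat case)"


if __name__ == "__main__":
    for name, rules in (("qrouter (legacy)", LEGACY_QROUTER_RULES), ("snat (DVR)", DVR_SNAT_RULES)):
        print(name, "->", diagnose(rules, "192.169.142.152"))
```

On a real node the dump would come from "ip netns exec <namespace> iptables -t nat -S", fed to dnat_mappings() in place of the embedded samples.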
0

answered 2016-03-15 17:05:30 -0500

mariusleu


Stats

Asked: 2016-03-14 09:26:08 -0500

Seen: 472 times

Last updated: Mar 15 '16