fwaas create/delete both in pending status

asked 2013-12-19 07:54:14 -0500

I was trying the FWAAS functionality. I created the rule, the policy and at the end the firewall which was hanging in the PENDING_CREATE status. So I decide to delete it but olso this operation is hanging in PENDING_DELETE status.

How can fix it? I run Havana



Login to MySQL database where you run neutron database. Then execute following queries use neutron; SELECT * FROM firewalls; DELETE FROM firewalls WHERE name='<firewall_name>'; <firewall_name> denotes name of the firewall as seen in the previous query output. Once properly configured, DELETE firewall option will work from the horizon itself.

Manikantan gravatar imageManikantan ( 2014-04-16 12:57:21 -0500 )edit

answered 2014-04-15 03:55:53 -0500

Add following line in neutron.conf (both in controller node where neutron-server is installed and network node where L3 agent is installed)

# Advanced service modules
service_plugins =,


For LBaas - add following lines in /etc/neutron/lbaas_agent.ini interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver device_driver = user_group = haproxy

Note: Above line takes care of both LBaaS and FWaaS. Remember to restart the services for the changes to take effect. Some article said lbaas_agent.ini to be present under /etc/neutron/plugins/services/agent_loadbalancer/. But it didn't work for me. neutron-lbaas-agent will fail to start. Log files gives us the clue most of the time. Got error like "CRITICAL neutron [-] 'NoneType' object has no attribute 'rpartition'" in lbaas-agent.log and then moved lbaas_agent.ini under /etc/neutron. Now, neutron-lbaas-agent service successfully runs and we are able to create firewall and LB pools from horizon and it becomes active.

Hi, I remember seeing Network Topology diagram with firewall. Even after adding firewall, I am not able to see it. Wondering if we need to do any config changes in Apache configuration or anywhere - which will enable this.

Manikantan gravatar imageManikantan ( 2014-04-16 01:34:40 -0500 )edit

You won't see a firewall in the topology diagram. In Havana, all firewalls build as one logical firewall applying over all routers. The diagram you saw probably had a superimposed firewall symbol on the router. I have seen a few of those floating around. Have you check if the firewall rule is functional?

SamYaple gravatar imageSamYaple ( 2014-04-16 09:03:37 -0500 )edit

I had a similar problemen. Deleting went fine but a newly created firewall stopped at PENDING_CREATE. It now seems to only effect the admin account. The (demo) user works just fine for me.

I have a separate network node and a central controller node. When i set the [service_providers] section on the controller node everything stops working. When i set the [service_providers] section only on the network node it all seems ok.

cees gravatar imagecees ( 2014-07-24 05:29:00 -0500 )edit

I had a similar issue when installing a vendor firewall plugin. The /var/log/neutron/l3-agent.log usually provides more information on what could have gone wrong.

vishwanathj gravatar imagevishwanathj ( 2014-11-19 16:29:29 -0500 )edit

answered 2014-12-16 06:18:06 -0500

Try this: (

