0

Openstack Networking issue. cannot ssh or ping the instances

asked 2016-05-25 05:29:02 -0500

heena

I am not able to SSH/CURL/HTTP (or anything) to the instances running in my OpenStack environment. I have the Mitaka version running on a VM with the config below. I have created a bridged network. I want to ping these instances from my VM (controller) and I want the instances to ping each other. I am able to ping each other with the private IP but not with the floating IP.

When I try to ping these instances from the controller (the OpenStack VM) I do not get any response, and SSH says connection refused on port 22. I am very new to OpenStack, and I really need to know what is wrong here. Let me know if any other information is needed.

ip a s

lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
   valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master ovs-system state UP qlen 1000
link/ether 00:0c:29:59:72:b8 brd ff:ff:ff:ff:ff:ff
inet 192.168.80.136/24 brd 192.168.80.255 scope global eno16777736
   valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe59:72b8/64 scope link
   valid_lft forever preferred_lft forever
3: eno33554984: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:59:72:c2 brd ff:ff:ff:ff:ff:ff
inet 192.168.159.130/24 brd 192.168.159.255 scope global dynamic eno33554984
   valid_lft 1143sec preferred_lft 1143sec
inet6 fe80::20c:29ff:fe59:72c2/64 scope link
   valid_lft forever preferred_lft forever
4: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
link/ether ce:76:29:1d:bc:ce brd ff:ff:ff:ff:ff:ff
5: br-int: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
link/ether 6e:76:97:17:97:41 brd ff:ff:ff:ff:ff:ff
6: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether 00:0c:29:59:72:b8 brd ff:ff:ff:ff:ff:ff
inet 192.168.80.136/24 brd 192.168.80.255 scope global br-ex
   valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe59:72b8/64 scope link
   valid_lft forever preferred_lft forever
7: br-eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
link/ether b6:e8:1a:90:6a:4a brd ff:ff:ff:ff:ff:ff

ovs-vsctl show

[root@controller ~]# ovs-vsctl show
4d26879a-71d4-4ac5-841b-d3fe720584fa
Bridge br-int
    fail_mode: secure
    Port "qvoed47d803-ce"
        tag: 2
        Interface "qvoed47d803-ce"
    Port "qvo96967a11-d3"
        tag: 1
        Interface "qvo96967a11-d3"
    Port "tap98e25736-d0"
        tag: 2
        Interface "tap98e25736-d0"
            type: internal
    Port "int-br-eth1"
        Interface "int-br-eth1"
            type: patch
            options: {peer="phy-br-eth1"}
    Port "tap0a1552a6-c1"
        tag: 2
        Interface "tap0a1552a6-c1"
            type: internal
    Port "tap34bbe49a-ae"
        tag: 2
        Interface "tap34bbe49a-ae"
            type: internal
    Port "tap2b6950fb-25"
        tag: 1
        Interface "tap2b6950fb-25"
            type: internal
    Port "qvo6e721fd4-77"
        tag: 2
        Interface "qvo6e721fd4-77"
    Port "qvo36b2b2b7-ad"
        tag ...

Comments

Egress IPv4 ICMP Any 0.0.0.0/0 -
Ingress IPv4 ICMP Any 0.0.0.0/0 -
Ingress IPv4 TCP 1 - 65535 0.0.0.0/0 -
Egress IPv4 TCP 1 - 65535 0.0.0.0/0 -
Egress IPv4 UDP 1 - 65535 0.0.0.0/0 -
Ingress IPv4 UDP 1 - 65535 0.0.0.0/0

pandia ( 2016-05-25 07:26:20 -0500 )

Change the Access and Security option to match the rules mentioned above and check it out.

pandia ( 2016-05-25 07:27:31 -0500 )

Add appropriate security groups to allow icmp and ssh as said by @pandia

Eduardo Gonzalez ( 2016-05-25 09:19:55 -0500 )

I have it:
Egress IPv6 Any Any ::/0 -
Egress IPv4 Any Any 0.0.0.0/0 -
Ingress IPv4 ICMP Any 0.0.0.0/0 -
Egress IPv4 ICMP Any 0.0.0.0/0 -
Ingress IPv4 TCP 22 (SSH) 0.0.0.0/0 -
Ingress IPv4 TCP 80 (HTTP) - sec1
Ingress IPv4 TCP 443 (HTTPS) 0.0.0.0/0

heena ( 2016-05-25 09:44:51 -0500 )

Still trying but no luck; it says port 22: Connection refused

heena ( 2016-05-25 09:46:43 -0500 )

3 answers

0

answered 2016-10-18 17:55:03 -0500

aegiacometti

Perform a tcpdump on the bridge and tap interface of your VM, just to see if you can follow the packet. Try to trace DHCP request/reply or ARP who-has and reply, as it goes throughout the interfaces.

Since you have VMs for compute, you might have the ports in promiscuous mode, and this can generate duplicated packets, confusing which port to use at the bridge.

You can test this using the brctl showmacs command; at some point you will see the tap MAC associated to the wrong port number, or flapping from port to port in time.

If you are using VMware, assign only one port to the vSwitch.
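
The check described in the answer above (a MAC moving between bridge ports over time) can be automated by comparing successive `brctl showmacs` captures. This is an added example, not part of the original answer; the captures, MAC addresses and port numbers are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: three successive `brctl showmacs <bridge>` captures.
# MAC addresses and port numbers are made up for illustration.
HEADER = "port no\tmac addr\t\tis local?\tageing timer\n"
SNAPSHOTS = [
    HEADER + "  1\tfe:16:3e:11:22:33\tyes\t   0.00\n"
             "  1\tfa:16:3e:11:22:33\tno\t   0.41\n"
             "  2\tfa:16:3e:44:55:66\tno\t   1.02\n",
    HEADER + "  1\tfe:16:3e:11:22:33\tyes\t   0.00\n"
             "  3\tfa:16:3e:11:22:33\tno\t   0.05\n"
             "  2\tfa:16:3e:44:55:66\tno\t   2.10\n",
    HEADER + "  1\tfe:16:3e:11:22:33\tyes\t   0.00\n"
             "  1\tfa:16:3e:11:22:33\tno\t   0.12\n"
             "  2\tfa:16:3e:44:55:66\tno\t   3.30\n",
]


def parse_showmacs(text):
    """Return (port, mac, is_local) tuples from one showmacs capture."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have exactly four columns and start with the port number;
        # the header and blank lines do not.
        if len(fields) != 4 or not fields[0].isdigit():
            continue
        port, mac, is_local, _ageing = fields
        entries.append((int(port), mac.lower(), is_local == "yes"))
    return entries


def find_flapping(snapshots):
    """Map each learned (non-local) MAC to its port history if it moved."""
    history = defaultdict(list)
    for text in snapshots:
        for port, mac, is_local in parse_showmacs(text):
            if is_local:
                continue  # the bridge port's own MAC never moves
            if not history[mac] or history[mac][-1] != port:
                history[mac].append(port)
    return {mac: ports for mac, ports in history.items() if len(ports) > 1}


if __name__ == "__main__":
    for mac, ports in find_flapping(SNAPSHOTS).items():
        print(f"{mac} moved between ports: {ports}")
```
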

0

answered 2016-05-26 07:45:49 -0500

Michal

I am assuming you are using DHCP.

Try to reduce the MTU for instances to 1400 by creating a custom DHCP file, /etc/neutron/dnsmasq-neutron.conf, with the following content:

dhcp-option-force=26,1400

Point to this file inside your /etc/neutron/dhcp_agent.ini file by editing this variable:

dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf

Restart neutron dhcp agent and try to create a new instance.

Hope this helps.

0

answered 2016-05-28 17:54:20 -0500

todotani

updated 2016-05-28 22:47:48 -0500

You have created a public network with IP address 172.31.0.0/24, and the floating IPs of the nova instances are assigned from this public network IP address range, such as 172.31.0.22 and 172.31.0.27.
But I don't see an interface with IP address 172.31.0.0/24 in the log of the "ip a" command. Maybe you missed setting up port "eth1", because the command response of ovs-vsctl shows the error "could not open network device eth1 (No such device)".

Regularly, the public network IP range should be matched with the IP address range of the br-ex interface address.
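
The comparison made in the answer above, between the floating IP range and the addresses actually configured on the host, can be run against the `ip a` text directly. This is an added example, not part of the original answer; the sample is abridged from the output posted in the question, and the function names are hypothetical.

```python
import ipaddress
import re

# Abridged from the `ip a s` output posted in the question.
IP_A_OUTPUT = """\
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master ovs-system state UP qlen 1000
    inet 192.168.80.136/24 brd 192.168.80.255 scope global eno16777736
3: eno33554984: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 192.168.159.130/24 brd 192.168.159.255 scope global dynamic eno33554984
5: br-int: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
6: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    inet 192.168.80.136/24 brd 192.168.80.255 scope global br-ex
7: br-eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
"""

IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)")   # "6: br-ex: <...>"
INET_RE = re.compile(r"^\s*inet\s+(\S+)")      # IPv4 only; "inet6" does not match


def parse_ipv4(output):
    """Return {interface: [IPv4Interface, ...]} from `ip a` text."""
    addrs, current = {}, None
    for line in output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            addrs[current] = []
            continue
        m = INET_RE.match(line)
        if m and current:
            addrs[current].append(ipaddress.ip_interface(m.group(1)))
    return addrs


def interfaces_for(output, floating_cidr):
    """Interfaces whose configured subnet overlaps the floating range."""
    target = ipaddress.ip_network(floating_cidr)
    return [name for name, ifaces in parse_ipv4(output).items()
            if any(i.network.overlaps(target) for i in ifaces)]


if __name__ == "__main__":
    # Floating range named in the answer, then the br-ex subnet for contrast.
    for cidr in ("172.31.0.0/24", "192.168.80.0/24"):
        print(cidr, "->", interfaces_for(IP_A_OUTPUT, cidr) or "no interface")
```
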


Stats

Asked: 2016-05-25 05:29:02 -0500

Seen: 388 times

Last updated: May 28 '16