Can't ping instance from controller or any other external hosts but can ping from compute node

asked 2016-10-05 03:41:35 -0600

tenk224

updated 2016-10-05 03:42:15 -0600

I'm deploying Mitaka on 2 nodes, which are controller and compute. The problem is I can't ping the instance from the controller or any external host, except for the compute node, where I can ping the instance well. From the instance I can ping the gw and even the controller or other hosts, but not the other way around. I used tcpdump when pinging from instance to controller and everything is OK. When pinging from controller to instance, the instance replies with its mac-add to the controller but does not reply to the ICMP packet from the controller. I also added rules for ICMP in OpenStack but it didn't work. I figured out there is something blocking the instance from replying to the ICMP packet. I also looked at iptables and that was not much help either.

Does anyone have any suggestions? I would appreciate it; I've been struggling with this for weeks.

I will post any output if you need it.

answered 2016-10-05 17:02:15 -0600

VSR

updated 2016-10-05 17:03:17 -0600

Hi, you have not mentioned a few things.

1.) Is the instance connected to a private network?
2.) Have you associated a floating IP to the instance to be reachable from
3.) Are you pinging the private address from the controller? If yes, are you using the right namespace on the (Network) controller to ping the
4.) Try updating the security group to allow any IP traffic inbound.
5.) Can you do a tcpdump on the instance itself to see what packets are going through?
6.) Check the ARP table on the instance.
7.) You can do a tcpdump on the TAP interface on the compute node to watch packets going through.

Hope that helps drill down. -VJ.

I will sort things out: compute, controller and instance are on the same subnet.

  • from compute: ping instance okay
  • from controller: cannot ping instance
  • from instance: can ping controller, compute, gw and can access internet

1. Yes. 4. Already did. 5. It is CirrOS.

tenk224 ( 2016-10-06 01:42:45 -0600 )

answered 2016-10-06 02:30:21 -0600

tenk224

updated 2016-10-06 02:52:47 -0600

I solved the problem myself. The issue is in the iptables, so I decided to switch it off by doing the following:

In /etc/neutron/plugins/ml2/linuxbridge_agent.ini of both controller and compute node:

enable_security_group = False
firewall_driver = neutron.agent.firewall.NoopFirewallDriver

For anyone out there who has this, please try it; it worked for me. Fear no more, no sleepless nights wondering why. Cheers. ref (
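The two settings in the answer above switch off security-group filtering in the Linux bridge agent for every port on that node. As an added example (not part of the original post and not Neutron's own code), this Python check flags those settings in a `linuxbridge_agent.ini`; the `[securitygroup]` section name, the function name and both sample files are assumptions constructed for illustration.

```python
import configparser

# Constructed sample: the settings from the answer above. The [securitygroup]
# section name is an assumption; the post does not show it.
DISABLED_INI = """\
[securitygroup]
enable_security_group = False
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
"""

# Constructed sample: an agent that still enforces security groups.
ENFORCING_INI = """\
[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
"""


def audit_securitygroup(ini_text):
    """Return a list of findings for settings that disable port filtering."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    if not parser.has_section("securitygroup"):
        return ["no [securitygroup] section: agent defaults apply, review manually"]
    section = parser["securitygroup"]
    findings = []
    try:
        # Neutron's default for this option is True, so a missing key is not a finding.
        enabled = section.getboolean("enable_security_group", fallback=True)
    except ValueError:
        enabled = None
        findings.append("enable_security_group has a non-boolean value")
    if enabled is False:
        findings.append("enable_security_group is False")
    driver = section.get("firewall_driver", fallback="").strip()
    if not driver:
        # Assumption: an unset driver is reported for manual review.
        findings.append("firewall_driver is not set")
    elif driver.lower() == "noop" or driver.endswith("NoopFirewallDriver"):
        findings.append("firewall_driver is the no-op driver: " + driver)
    return findings


if __name__ == "__main__":
    for name, text in (("disabled", DISABLED_INI), ("enforcing", ENFORCING_INI)):
        print(name, audit_securitygroup(text) or "ok")
```

Run it against the file on both the controller and the compute node, since the answer changes the setting on each.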
