Problem with no traffic using VXLAN provider network type

Hello, guys!

I need help with VXLAN tunnelling in an OpenStack environment.

Recently I installed OpenStack (Pike release) on five nodes: 3 controllers + 2 compute hosts. My configuration is default: Keystone, Nova, Neutron, Glance, Cinder, Horizon. Everything was fine until I started to test connectivity between instances...

I should note that I have no problem with VLAN networks, only with VXLAN. So, my problem is:

  1. Create new private network (provider type - VXLAN ) and private subnet - OK.

  2. Create two instances with interfaces attached to this network (static ips) - OK.

  3. Ping one instance from another - FAILED, 100% packet loss.

Of course, security groups are updated to allow ICMP traffic, so it's not the point.

Instances were created either on different compute hosts or on the same node.

While debugging this issue I've discovered that the 'arp -n' command in an instance shows the MAC address of another instance. Tcpdump shows me ARP replies and ARP requests, but no ICMP packets at all. Besides, the 'tcpdump -i any port 4789' command doesn't show ANY traffic!

Some config files and ovs tables are attached.

On COMPUTE nodes:

ifconfig

bond0     Link encap:Ethernet  HWaddr 68:05:ca:45:d9:e5
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:16190415 errors:0 dropped:68 overruns:0 frame:0
          TX packets:16767959 errors:0 dropped:24 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5151211782 (5.1 GB)  TX bytes:5295572182 (5.2 GB)

bond1     Link encap:Ethernet  HWaddr 96:43:71:6d:c9:5c
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

bond0.400 Link encap:Ethernet  HWaddr 68:05:ca:45:d9:e5
          inet addr:172.31.200.26  Bcast:172.31.200.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5988934 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5943793 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:312858765 (312.8 MB)  TX bytes:386704939 (386.7 MB)

bond0.406 Link encap:Ethernet  HWaddr 68:05:ca:45:d9:e5
          inet addr:172.31.206.26  Bcast:172.31.206.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1711410 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1399971 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1363079442 (1.3 GB)  TX bytes:843095076 (843.0 MB)

bond0.408 Link encap:Ethernet  HWaddr 68:05:ca:45:d9:e5
          inet addr:172.31.208.26  Bcast:172.31.208.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

bond0.850 Link encap:Ethernet  HWaddr 68:05:ca:45:d9:e5
          inet addr:10.0.230.34  Bcast:10.0.230.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6394603 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7019432 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3162439699 (3.1 GB)  TX bytes:3933566387 (3.9 GB)

br0       Link encap:Ethernet  HWaddr 68:05:ca:45:d9:e4
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5493854 errors:0 dropped:206 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:376936449 (376.9 MB)  TX bytes:462 (462.0 B)

ens1f0    Link encap:Ethernet  HWaddr 68:05:ca:45:d9:e4
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:797092 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17803 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:172850020 (172.8 MB)  TX bytes:2128004 (2.1 MB)

ens1f1    Link encap:Ethernet  HWaddr 68:05:ca:45:d9:e5
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:9424511 errors:0 dropped:17 overruns:0 frame:0
          TX packets:8755638 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3971842836 (3.9 GB)  TX bytes:2682094118 (2.6 GB)

ens2f0    Link encap:Ethernet  HWaddr 68:05:ca:45:d9:e5
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:6928379 errors:0 dropped:51 overruns:0 frame:0
          TX packets:8114709 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1279238081 (1.2 GB)  TX bytes:2625290638 (2.6 GB)

ens2f1    Link encap:Ethernet  HWaddr 68:05:ca:45:dd:dd
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6892359 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16832 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:422653970 (422.6 MB)  TX bytes:2085230 (2.0 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:14727964 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14727964 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:766031713 (766.0 MB)  TX bytes:766031713 (766.0 MB)

qbr01d42d29-80 Link encap:Ethernet  HWaddr 86:05:47:a0:c9:54
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:43 errors:0 dropped:8 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8914 (8.9 KB)  TX bytes:0 (0.0 B)

qbre5320297-ad Link encap:Ethernet  HWaddr 12:ba:d0:01:02:d6
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:75 errors:0 dropped:16 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:17886 (17.8 KB)  TX bytes:0 (0.0 B)

qvb01d42d29-80 Link encap:Ethernet  HWaddr 86:05:47:a0:c9:54
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1450  Metric:1
          RX packets:11 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:660 (660.0 B)  TX bytes:8856 (8.8 KB)

qvbe5320297-ad Link encap:Ethernet  HWaddr 12:ba:d0:01:02:d6
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1450  Metric:1
          RX packets:41 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9396 (9.3 KB)  TX bytes:9540 (9.5 KB)

qvo01d42d29-80 Link encap:Ethernet  HWaddr ca:e3:3d:f2:7d:8d
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1450  Metric:1
          RX packets:32 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8856 (8.8 KB)  TX bytes:660 (660.0 B)

qvoe5320297-ad Link encap:Ethernet  HWaddr ae:74:43:5b:78:d1
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1450  Metric:1
          RX packets:34 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9540 (9.5 KB)  TX bytes:9396 (9.3 KB)

tap01d42d29-80 Link encap:Ethernet  HWaddr fe:16:3e:57:57:a9
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:32 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8856 (8.8 KB)  TX bytes:704 (704.0 B)

tape5320297-ad Link encap:Ethernet  HWaddr fe:16:3e:23:35:33
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:34 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9540 (9.5 KB)  TX bytes:1160 (1.1 KB)

virbr0    Link encap:Ethernet  HWaddr 52:54:00:3c:be:bb
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vlan407   Link encap:Ethernet  HWaddr c2:b2:f0:fa:7c:8a
          inet addr:172.31.207.26  Bcast:172.31.207.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:573385 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:26375710 (26.3 MB)  TX bytes:0 (0.0 B)

/etc/neutron/plugins/ml2/ml2_conf.ini

[DEFAULT]
[ml2]
type_drivers = vxlan,flat,vlan
tenant_network_types = vxlan
mechanism_drivers = openvswitch,l2population
extension_drivers = port_security,qos
[ml2_type_flat]
flat_networks = *
[ml2_type_geneve]
[ml2_type_gre]
[ml2_type_vlan]
network_vlan_ranges = external:100:4000
[ml2_type_vxlan]
vni_ranges = 65537:69999
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
enable_security_group = True
enable_ipset = True

/etc/neutron/plugins/ml2/openvswitch_agent.ini

[DEFAULT]
[agent]
tunnel_types = vxlan
vxlan_udp_port = 4789
l2_population = True
arp_responder = True
enable_distributed_routing = True
extensions = qos
[ovs]
local_ip = 172.31.207.26
bridge_mappings = external:br0
of_interface = native
ovsdb_interface = vsctl
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
enable_security_group = True
enable_ipset = True
[xenapi]

ovs-vsctl show

eac1eb7d-4ce6-42d2-8579-0ec53abef392
    Manager "ptcp:6640:127.0.0.1"
        is_connected: true
    Bridge br-tun
        fail_mode: secure
        Port br-tun
            Interface br-tun
                type: internal
        Port "vxlan-ac1fcf15"
            Interface "vxlan-ac1fcf15"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="172.31.207.26", out_key=flow, remote_ip="172.31.207.21"}
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
        Port "vxlan-ac1fcf14"
            Interface "vxlan-ac1fcf14"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="172.31.207.26", out_key=flow, remote_ip="172.31.207.20"}
    Bridge "br0"
        fail_mode: secure
        Port "phy-br0"
            Interface "phy-br0"
                type: patch
                options: {peer="int-br0"}
        Port "vlan407"
            tag: 407
            Interface "vlan407"
                type: internal
        Port "bond1"
            Interface "ens1f0"
            Interface "ens2f1"
        Port "br0"
            Interface "br0"
                type: internal
    Bridge br-int
        fail_mode: secure
        Port "int-br0"
            Interface "int-br0"
                type: patch
                options: {peer="phy-br0"}
        Port "qvoe5320297-ad"
            tag: 4
            Interface "qvoe5320297-ad"
        Port br-int
            Interface br-int
                type: internal
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
        Port "qvo01d42d29-80"
            tag: 4
            Interface "qvo01d42d29-80"
        Port "fg-d6013cfc-40"
            tag: 1
            Interface "fg-d6013cfc-40"
                type: internal
    ovs_version: "2.8.1"

ovs-ofctl dump-flows br-int

 cookie=0x1f154e366ea1f9c0, duration=5912.327s, table=0, n_packets=0, n_bytes=0, priority=10,icmp6,in_port="qvoe5320297-ad",icmp_type=136 actions=resubmit(,24)
 cookie=0x1f154e366ea1f9c0, duration=589.245s, table=0, n_packets=0, n_bytes=0, priority=10,icmp6,in_port="qvo01d42d29-80",icmp_type=136 actions=resubmit(,24)
 cookie=0x1f154e366ea1f9c0, duration=5911.977s, table=0, n_packets=0, n_bytes=0, priority=10,arp,in_port="qvoe5320297-ad" actions=resubmit(,24)
 cookie=0x1f154e366ea1f9c0, duration=588.888s, table=0, n_packets=0, n_bytes=0, priority=10,arp,in_port="qvo01d42d29-80" actions=resubmit(,24)
 cookie=0x1f154e366ea1f9c0, duration=341335.624s, table=0, n_packets=3160777, n_bytes=204995139, priority=2,in_port="int-br0" actions=drop
 cookie=0x1f154e366ea1f9c0, duration=5912.654s, table=0, n_packets=27, n_bytes=8690, priority=9,in_port="qvoe5320297-ad" actions=resubmit(,25)
 cookie=0x1f154e366ea1f9c0, duration=589.604s, table=0, n_packets=28, n_bytes=8256, priority=9,in_port="qvo01d42d29-80" actions=resubmit(,25)
 cookie=0x1f154e366ea1f9c0, duration=341317.816s, table=0, n_packets=596010, n_bytes=38150879, priority=3,in_port="int-br0",dl_vlan=404 actions=mod_vlan_vid:1,resubmit(,60)
 cookie=0x1f154e366ea1f9c0, duration=341341.802s, table=0, n_packets=31, n_bytes=2278, priority=0 actions=resubmit(,60)
 cookie=0x1f154e366ea1f9c0, duration=341336s, table=1, n_packets=0, n_bytes=0, priority=1 actions=drop
 cookie=0x1f154e366ea1f9c0, duration=341335.798s, table=2, n_packets=0, n_bytes=0, priority=1 actions=drop
 cookie=0x1f154e366ea1f9c0, duration=341336.170s, table=23, n_packets=0, n_bytes=0, priority=0 actions=drop
 cookie=0x1f154e366ea1f9c0, duration=5912.486s, table=24, n_packets=0, n_bytes=0, priority=2,icmp6,in_port="qvoe5320297-ad",icmp_type=136,nd_target=fe80::f816:3eff:fe23:3533 actions=resubmit(,60)
 cookie=0x1f154e366ea1f9c0, duration=589.441s, table=24, n_packets=0, n_bytes=0, priority=2,icmp6,in_port="qvo01d42d29-80",icmp_type=136,nd_target=fe80::f816:3eff:fe57:57a9 actions=resubmit(,60)
 cookie=0x1f154e366ea1f9c0, duration=5912.174s, table=24, n_packets=0, n_bytes=0, priority=2,arp,in_port="qvoe5320297-ad",arp_spa=192.168.88.13 actions=resubmit(,25)
 cookie=0x1f154e366ea1f9c0, duration=589.081s, table=24, n_packets=0, n_bytes=0, priority=2,arp,in_port="qvo01d42d29-80",arp_spa=192.168.88.21 actions=resubmit(,25)
 cookie=0x1f154e366ea1f9c0, duration=341341.476s, table=24, n_packets=0, n_bytes=0, priority=0 actions=drop
 cookie=0x1f154e366ea1f9c0, duration=5913.046s, table=25, n_packets=27, n_bytes=8690, priority=2,in_port="qvoe5320297-ad",dl_src=fa:16:3e:23:35:33 actions=resubmit(,60)
 cookie=0x1f154e366ea1f9c0, duration=589.971s, table=25, n_packets=28, n_bytes=8256, priority=2,in_port="qvo01d42d29-80",dl_src=fa:16:3e:57:57:a9 actions=resubmit(,60)
 cookie=0x1f154e366ea1f9c0, duration=341341.631s, table=60, n_packets=597653, n_bytes=38277141, priority=3 actions=NORMAL

ovs-ofctl dump-flows br-tun

cookie=0x9a84ac5f51e28db3, duration=341344.011s, table=0, n_packets=596548, n_bytes=38222346, priority=1,in_port="patch-int" actions=resubmit(,1)
 cookie=0x9a84ac5f51e28db3, duration=5925.559s, table=0, n_packets=0, n_bytes=0, priority=1,in_port="vxlan-ac1fcf14" actions=resubmit(,4)
 cookie=0x9a84ac5f51e28db3, duration=5924.498s, table=0, n_packets=0, n_bytes=0, priority=1,in_port="vxlan-ac1fcf15" actions=resubmit(,4)
 cookie=0x9a84ac5f51e28db3, duration=341345.163s, table=0, n_packets=0, n_bytes=0, priority=0 actions=drop
 cookie=0x9a84ac5f51e28db3, duration=341343.638s, table=1, n_packets=596548, n_bytes=38222346, priority=0 actions=resubmit(,2)
 cookie=0x9a84ac5f51e28db3, duration=341345.162s, table=2, n_packets=207005, n_bytes=13247572, priority=1,arp,dl_dst=ff:ff:ff:ff:ff:ff actions=resubmit(,21)
 cookie=0x9a84ac5f51e28db3, duration=341345.161s, table=2, n_packets=393, n_bytes=36274, priority=0,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,20)
 cookie=0x9a84ac5f51e28db3, duration=341345.161s, table=2, n_packets=389150, n_bytes=24938500, priority=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,22)
 cookie=0x9a84ac5f51e28db3, duration=341345.161s, table=3, n_packets=0, n_bytes=0, priority=0 actions=drop
 cookie=0x9a84ac5f51e28db3, duration=5931.952s, table=4, n_packets=0, n_bytes=0, priority=1,tun_id=0x10055 actions=mod_vlan_vid:4,resubmit(,9)
 cookie=0x9a84ac5f51e28db3, duration=341345.161s, table=4, n_packets=0, n_bytes=0, priority=0 actions=drop
 cookie=0x9a84ac5f51e28db3, duration=341345.161s, table=6, n_packets=0, n_bytes=0, priority=0 actions=drop
 cookie=0x9a84ac5f51e28db3, duration=341343.827s, table=9, n_packets=0, n_bytes=0, priority=0 actions=resubmit(,10)
 cookie=0x9a84ac5f51e28db3, duration=341345.161s, table=10, n_packets=0, n_bytes=0, priority=1 actions=learn(table=20,hard_timeout=300,priority=1,cookie=0x9a84ac5f51e28db3,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_OF_IN_PORT[]),output:"patch-int"
 cookie=0x9a84ac5f51e28db3, duration=5919.304s, table=20, n_packets=0, n_bytes=0, priority=2,dl_vlan=4,dl_dst=fa:16:3e:c3:cf:5e actions=strip_vlan,set_tunnel:0x10055,output:"vxlan-ac1fcf14"
 cookie=0x9a84ac5f51e28db3, duration=5918.782s, table=20, n_packets=0, n_bytes=0, priority=2,dl_vlan=4,dl_dst=fa:16:3e:fe:61:51 actions=strip_vlan,set_tunnel:0x10055,output:"vxlan-ac1fcf15"
 cookie=0x9a84ac5f51e28db3, duration=341345.161s, table=20, n_packets=0, n_bytes=0, priority=0 actions=resubmit(,22)
 cookie=0x9a84ac5f51e28db3, duration=5919.498s, table=21, n_packets=0, n_bytes=0, priority=1,arp,dl_vlan=4,arp_tpa=192.168.88.10 actions=move:NXM_OF_ETH_SRC[]->NXM_OF_ETH_DST[],mod_dl_src:fa:16:3e:c3:cf:5e,load:0x2->NXM_OF_ARP_OP[],move:NXM_NX_ARP_SHA[]->NXM_NX_ARP_THA[],move:NXM_OF_ARP_SPA[]->NXM_OF_ARP_TPA[],load:0xfa163ec3cf5e->NXM_NX_ARP_SHA[],load:0xc0a8580a->NXM_OF_ARP_SPA[],IN_PORT
 cookie=0x9a84ac5f51e28db3, duration=5918.961s, table=21, n_packets=0, n_bytes=0, priority=1,arp,dl_vlan=4,arp_tpa=192.168.88.11 actions=move:NXM_OF_ETH_SRC[]->NXM_OF_ETH_DST[],mod_dl_src:fa:16:3e:fe:61:51,load:0x2->NXM_OF_ARP_OP[],move:NXM_NX_ARP_SHA[]->NXM_NX_ARP_THA[],move:NXM_OF_ARP_SPA[]->NXM_OF_ARP_TPA[],load:0xfa163efe6151->NXM_NX_ARP_SHA[],load:0xc0a8580b->NXM_OF_ARP_SPA[],IN_PORT
 cookie=0x9a84ac5f51e28db3, duration=341345.160s, table=21, n_packets=206991, n_bytes=13246984, priority=0 actions=resubmit(,22)
 cookie=0x9a84ac5f51e28db3, duration=5925.459s, table=22, n_packets=66, n_bytes=18396, dl_vlan=4 actions=strip_vlan,set_tunnel:0x10055,output:"vxlan-ac1fcf14",output:"vxlan-ac1fcf15"
 cookie=0x9a84ac5f51e28db3, duration=341345.002s, table=22, n_packets=595997, n_bytes=38147220, priority=0 actions=drop

iptables -S

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-openvswi-FORWARD
-N neutron-openvswi-INPUT
-N neutron-openvswi-OUTPUT
-N neutron-openvswi-i01d42d29-8
-N neutron-openvswi-ie5320297-a
-N neutron-openvswi-local
-N neutron-openvswi-o01d42d29-8
-N neutron-openvswi-oe5320297-a
-N neutron-openvswi-s01d42d29-8
-N neutron-openvswi-se5320297-a
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-A INPUT -j neutron-openvswi-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap01d42d29-80 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap01d42d29-80 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tape5320297-ad --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tape5320297-ad --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tap01d42d29-80 --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-openvswi-o01d42d29-8
-A neutron-openvswi-INPUT -m physdev --physdev-in tape5320297-ad --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-openvswi-oe5320297-a
-A neutron-openvswi-i01d42d29-8 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-openvswi-i01d42d29-8 -d 192.168.88.21/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i01d42d29-8 -d 255.255.255.255/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i01d42d29-8 -m set --match-set NIPv41e928859-1d20-46b6-a13b- src -j RETURN
-A neutron-openvswi-i01d42d29-8 -p icmp -j RETURN
-A neutron-openvswi-i01d42d29-8 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-i01d42d29-8 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-ie5320297-a -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-openvswi-ie5320297-a -d 192.168.88.13/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-ie5320297-a -d 255.255.255.255/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-ie5320297-a -m set --match-set NIPv41e928859-1d20-46b6-a13b- src -j RETURN
-A neutron-openvswi-ie5320297-a -p icmp -j RETURN
-A neutron-openvswi-ie5320297-a -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-ie5320297-a -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-o01d42d29-8 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-openvswi-o01d42d29-8 -j neutron-openvswi-s01d42d29-8
-A neutron-openvswi-o01d42d29-8 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-openvswi-o01d42d29-8 -p udp -m udp --sport 67 --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP
-A neutron-openvswi-o01d42d29-8 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-openvswi-o01d42d29-8 -j RETURN
-A neutron-openvswi-o01d42d29-8 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-o01d42d29-8 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-oe5320297-a -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-openvswi-oe5320297-a -j neutron-openvswi-se5320297-a
-A neutron-openvswi-oe5320297-a -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-openvswi-oe5320297-a -p udp -m udp --sport 67 --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP
-A neutron-openvswi-oe5320297-a -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-openvswi-oe5320297-a -j RETURN
-A neutron-openvswi-oe5320297-a -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-oe5320297-a -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-s01d42d29-8 -s 192.168.88.21/32 -m mac --mac-source FA:16:3E:57:57:A9 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-s01d42d29-8 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
-A neutron-openvswi-se5320297-a -s 192.168.88.13/32 -m mac --mac-source FA:16:3E:23:35:33 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-se5320297-a -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap01d42d29-80 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-i01d42d29-8
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap01d42d29-80 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-o01d42d29-8
-A neutron-openvswi-sg-chain -m physdev --physdev-out tape5320297-ad --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-ie5320297-a
-A neutron-openvswi-sg-chain -m physdev --physdev-in tape5320297-ad --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-oe5320297-a
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP

On ALL nodes:

uname -a

Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/sysctl.conf

kernel.sysrq = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.ip_forward = 0
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps=0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_timestamps=0
net.ipv4.tcp_rmem="4096 87380 4194304"
net.ipv4.tcp_wmem="4096 65536 4194304"
net.ipv4.tcp_low_latency=1
net.ipv4.tcp_adv_win_scale=1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout=25
net.ipv4.tcp_keepalive_time=1800
net.ipv4.tcp_keepalive_probes=5
net.ipv4.tcp_keepalive_intvl=25
net.ipv4.tcp_congestion_control=westwood
net.core.netdev_max_backlog = 250000
net.core.rmem_max=4194304
net.core.wmem_max=4194304
net.core.rmem_default=4194304
net.core.wmem_default=4194304
net.core.optmem_max=4194304
vm.overcommit_memory = 1
vm.overcommit_ratio = 100
vm.swappiness = 0
fs.inotify.max_user_watches = 16777216
fs.inotify.max_queued_events = 65536
fs.inotify.max_user_instances = 10000

ethtool -k interface

rx-checksumming: on
tx-checksumming: on
        tx-checksum-ipv4: on
        tx-checksum-ip-generic: off [fixed]
        tx-checksum-ipv6: on
        tx-checksum-fcoe-crc: off [fixed]
        tx-checksum-sctp: on
scatter-gather: on
        tx-scatter-gather: on
        tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: on
        tx-tcp-segmentation: on
        tx-tcp-ecn-segmentation: on
        tx-tcp6-segmentation: on
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: on
receive-hashing: on
highdma: on
rx-vlan-filter: on
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: off [fixed]
tx-gre-segmentation: on
tx-ipip-segmentation: off [fixed]
tx-sit-segmentation: off [fixed]
tx-udp_tnl-segmentation: on
fcoe-mtu: off [fixed]
tx-nocache-copy: off
loopback: off [fixed]
rx-fcs: off [fixed]
rx-all: off [fixed]
tx-vlan-stag-hw-insert: off [fixed]
rx-vlan-stag-hw-parse: off [fixed]
rx-vlan-stag-filter: off [fixed]
l2-fwd-offload: off [fixed]
busy-poll: off [fixed]
hw-tc-offload: off [fixed]

Openvswitch version is 2.8.1. Neutron-openvswitch-agent version is 11.0.2

Thanks in advance!

Annie
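
Added example, not part of the original post: a small Python parser for `ovs-ofctl dump-flows br-tun` output that totals, per VXLAN port, how many packets br-tun handed to the tunnel and how many it received from it, so the counters can be compared with the empty `tcpdump -i any port 4789` capture. The sample lines are taken from the dump above with the cookie and duration fields dropped; the function names are this example's own.

```python
import ipaddress
import re

# Lines copied from the `ovs-ofctl dump-flows br-tun` output in the post,
# with the cookie and duration fields dropped to keep them short.
SAMPLE_BR_TUN = """\
 table=0, n_packets=596548, n_bytes=38222346, priority=1,in_port="patch-int" actions=resubmit(,1)
 table=0, n_packets=0, n_bytes=0, priority=1,in_port="vxlan-ac1fcf14" actions=resubmit(,4)
 table=0, n_packets=0, n_bytes=0, priority=1,in_port="vxlan-ac1fcf15" actions=resubmit(,4)
 table=4, n_packets=0, n_bytes=0, priority=1,tun_id=0x10055 actions=mod_vlan_vid:4,resubmit(,9)
 table=20, n_packets=0, n_bytes=0, priority=2,dl_vlan=4,dl_dst=fa:16:3e:c3:cf:5e actions=strip_vlan,set_tunnel:0x10055,output:"vxlan-ac1fcf14"
 table=20, n_packets=0, n_bytes=0, priority=2,dl_vlan=4,dl_dst=fa:16:3e:fe:61:51 actions=strip_vlan,set_tunnel:0x10055,output:"vxlan-ac1fcf15"
 table=22, n_packets=66, n_bytes=18396, dl_vlan=4 actions=strip_vlan,set_tunnel:0x10055,output:"vxlan-ac1fcf14",output:"vxlan-ac1fcf15"
 table=22, n_packets=595997, n_bytes=38147220, priority=0 actions=drop
"""

# Works on full lines too: cookie= and duration= simply precede "table=".
FLOW_RE = re.compile(
    r'table=(\d+), n_packets=(\d+), n_bytes=(\d+),\s*(.*?)\s*actions=(\S+)')
IN_PORT_RE = re.compile(r'in_port="?(vxlan-[0-9a-f]{8})"?')
OUTPUT_RE = re.compile(r'output:"?(vxlan-[0-9a-f]{8})"?')


def parse_flows(dump):
    """Turn dump-flows text into a list of dicts; unparseable lines are skipped."""
    flows = []
    for line in dump.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        table, n_packets, n_bytes, match, actions = m.groups()
        flows.append({
            "table": int(table),
            "n_packets": int(n_packets),
            "n_bytes": int(n_bytes),
            "match": match,      # empty string for a match-all flow
            "actions": actions,
        })
    return flows


def remote_ip(port):
    """Decode a tunnel port name: the 8 hex digits are the peer's IPv4 address
    (vxlan-ac1fcf15 <-> remote_ip="172.31.207.21" in `ovs-vsctl show` above)."""
    return str(ipaddress.ip_address(int(port.split("-", 1)[1], 16)))


def tunnel_summary(flows):
    """Per VXLAN port: packets matched by flows that output to it (tx) and by
    flows that match on it as in_port (rx). These are flow-table hit counters,
    not proof that a frame reached the wire."""
    summary = {}

    def entry(port):
        return summary.setdefault(
            port, {"remote_ip": remote_ip(port), "tx": 0, "rx": 0})

    for flow in flows:
        m = IN_PORT_RE.search(flow["match"])
        if m:
            entry(m.group(1))["rx"] += flow["n_packets"]
        # dict.fromkeys de-duplicates while keeping the order of appearance
        for port in dict.fromkeys(OUTPUT_RE.findall(flow["actions"])):
            entry(port)["tx"] += flow["n_packets"]
    return summary


def one_way_tunnels(summary):
    """Ports that br-tun sent packets to but never received anything from."""
    return sorted(p for p, c in summary.items() if c["tx"] > 0 and c["rx"] == 0)


if __name__ == "__main__":
    result = tunnel_summary(parse_flows(SAMPLE_BR_TUN))
    for port, counters in result.items():
        print(port, counters)
    print("one-way:", one_way_tunnels(result))
```

On the posted dump both tunnel ports show 66 packets flooded out by table 22 and none received, while the unicast flows in table 20 never matched.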