Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Neutron Router fails to access external network

My setup is a three node Icehouse install, using Ubuntu 14.04 and using VLAN's on both the switch and neutron. An instance can be booted and receives an IP address from the demo-network. When a floating IP address is created and added to the instance, it is done without error. However when we try to ping the address, it says 'Destination Host Unreachable'.

Looking into the router namespace on the network node and pinging the instance, it can be accessed, however if I then attempt to access the network gateway, or another address on the network it brings up the same host unreachable message. This has led me to believe that the problem lies in the router getting access to the external network. Routing on the router namespace seems correct, however below are a few details to help.

ovs-vsctl show on the network node:

 Bridge br-ex
        Port br-ex
            Interface br-ex
                type: internal
        Port access
            tag: 1
            Interface access
                type: internal
        Port tunnel
            tag: 91
            Interface tunnel
                type: internal
        Port "em1"
            Interface "em1"
        Port manage
            tag: 90
            Interface manage
                type: internal
        Port phy-br-ex
            Interface phy-br-ex
        Port "qg-e0568127-66"
            Interface "qg-e0568127-66"
                type: internal
    Bridge br-int
        fail_mode: secure
        Port br-int
            Interface br-int
                type: internal
        Port int-br-ex
            Interface int-br-ex
        Port "tapc6621d51-92"
            tag: 1
            Interface "tapc6621d51-92"
        Port "qr-8518aa2a-53"
            tag: 1
            Interface "qr-8518aa2a-53"
                type: internal
    ovs_version: "2.0.2"

ovs-vsctl show on the compute node:

Bridge br-int
        fail_mode: secure
        Port "qvo2413c721-39"
            tag: 7
            Interface "qvo2413c721-39"
        Port int-br-ex
            Interface int-br-ex
        Port br-int
            Interface br-int
                type: internal
    Bridge br-ex
        Port br-ex
            Interface br-ex
                type: internal
        Port phy-br-ex
            Interface phy-br-ex
        Port tunnel
            tag: 91
            Interface tunnel
                type: internal
        Port manage
            tag: 90
            Interface manage
                type: internal
        Port "em1"
            Interface "em1"
        Port access
            tag: 1
            Interface access
                type: internal
    ovs_version: "2.0.2"

neutron router-show demo-router

+-----------------------+-----------------------------------------------------------------------------+
| Field                        | Value                                                                                    |
+-----------------------+-----------------------------------------------------------------------------+
| admin_state_up        | True                                                                                      |
| external_gateway_info | {"network_id": "5d3d7aeb-74d2-4dd9-b225-fcaae42f8491", "enable_snat": true} |
| id                            | af5defb3-489a-4b67-ac3f-dd106ef244f3                                   |
| name                       | demo-router                                                                           |
| routes                      |                                                                                              |
| status                       | ACTIVE                                                                                  |
| tenant_id             | 939df6198eba4f6fba7e9ca5ca4177dc                                            |
+-----------------------+-----------------------------------------------------------------------------+

As I said before we can ping and ssh from the router namespace on the network node, so the security group rules are fine, but without the router getting external access, the instance doesn't have external access either.

If anyone has any suggestions at solving this issue it would be appreciated.

Neutron Router fails to access external network

My setup is a three node Icehouse install, using Ubuntu 14.04 and using VLAN's on both the switch and neutron. An instance can be booted and receives an IP address from the demo-network. When a floating IP address is created and added to the instance, it is done without error. However when we try to ping the address, it says 'Destination Host Unreachable'.

Looking into the router namespace on the network node and pinging the instance, it can be accessed, however if I then attempt to access the network gateway, or another address on the network it brings up the same host unreachable message. This has led me to believe that the problem lies in the router getting access to the external network. Routing on the router namespace seems correct, however below are a few details to help.

ovs-vsctl show on the network node:

 Bridge br-ex
        Port br-ex
            Interface br-ex
                type: internal
        Port access
            tag: 1
            Interface access
                type: internal
        Port tunnel
            tag: 91
            Interface tunnel
                type: internal
        Port "em1"
            Interface "em1"
        Port manage
            tag: 90
            Interface manage
                type: internal
        Port phy-br-ex
            Interface phy-br-ex
        Port "qg-e0568127-66"
            Interface "qg-e0568127-66"
                type: internal
    Bridge br-int
        fail_mode: secure
        Port br-int
            Interface br-int
                type: internal
        Port int-br-ex
            Interface int-br-ex
        Port "tapc6621d51-92"
            tag: 1
            Interface "tapc6621d51-92"
        Port "qr-8518aa2a-53"
            tag: 1
            Interface "qr-8518aa2a-53"
                type: internal
    ovs_version: "2.0.2"

ovs-vsctl show on the compute node:

Bridge br-int
        fail_mode: secure
        Port "qvo2413c721-39"
            tag: 7
            Interface "qvo2413c721-39"
        Port int-br-ex
            Interface int-br-ex
        Port br-int
            Interface br-int
                type: internal
    Bridge br-ex
        Port br-ex
            Interface br-ex
                type: internal
        Port phy-br-ex
            Interface phy-br-ex
        Port tunnel
            tag: 91
            Interface tunnel
                type: internal
        Port manage
            tag: 90
            Interface manage
                type: internal
        Port "em1"
            Interface "em1"
        Port access
            tag: 1
            Interface access
                type: internal
    ovs_version: "2.0.2"

neutron router-show demo-router

+-----------------------+-----------------------------------------------------------------------------+
| Field                        | Value                                                                                    |
+-----------------------+-----------------------------------------------------------------------------+
| admin_state_up        | True                                                                                      |
| external_gateway_info | {"network_id": "5d3d7aeb-74d2-4dd9-b225-fcaae42f8491", "enable_snat": true} |
| id                            | af5defb3-489a-4b67-ac3f-dd106ef244f3                                   |
| name                       | demo-router                                                                           |
| routes                      |                                                                                              |
| status                       | ACTIVE                                                                                  |
| tenant_id             | 939df6198eba4f6fba7e9ca5ca4177dc                                            |
+-----------------------+-----------------------------------------------------------------------------+

As I said before we can ping and ssh from the router namespace on the network node, so the security group rules are fine, but without the router getting external access, the instance doesn't have external access either.

If anyone has any suggestions at solving this issue it would be appreciated.

[EDIT] Result of ip netns exec qrouter-xxx ip addr:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
34: qr-8518aa2a-53: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default 
    link/ether fa:16:3e:56:21:d4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global qr-8518aa2a-53
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe56:21d4/64 scope link 
       valid_lft forever preferred_lft forever
35: qg-e0568127-66: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default 
    link/ether fa:16:3e:39:d4:dd brd ff:ff:ff:ff:ff:ff
    inet xxx.xxx.xxx.13/24 brd xxx.xxx.xxx.255 scope global qg-e0568127-66
       valid_lft forever preferred_lft forever
    inet xxx.xxx.xxx.14/32 brd xxx.xxx.xxx.14 scope global qg-e0568127-66
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe39:d4dd/64 scope link 
       valid_lft forever preferred_lft forever

Result of ip netns exec qrouter-xxx route -n:

Kernel IP routing table
Destination          Gateway         Genmask     Flags Metric   Ref     Use    Iface
0.0.0.0             xxx.xxx.xxx.1     0.0.0.0         UG    0           0        0     qg-e0568127-66
xxx.xxx.xxx.0       0.0.0.0         255.255.255.0   U     0           0        0     qg-e0568127-66
192.168.100.0      0.0.0.0         255.255.255.0   U     0          0        0     qr-8518aa2a-53

Result of ip netns exec qrouter-xxx iptables -nvL:

Chain INPUT (policy ACCEPT 118 packets, 12089 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  118 12089 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 4 packets, 288 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   288 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    4   288 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 488 packets, 34282 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  488 34282 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  488 34282 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  492 34570 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:9697

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-local (1 references)
 pkts bytes target     prot opt in     out     source               destination

Neutron Router fails to access external network

My setup is a three node Icehouse install, using Ubuntu 14.04 and using VLAN's on both the switch and neutron. An instance can be booted and receives an IP address from the demo-network. When a floating IP address is created and added to the instance, it is done without error. However when we try to ping the address, it says 'Destination Host Unreachable'.

Looking into the router namespace on the network node and pinging the instance, it can be accessed, however if I then attempt to access the network gateway, or another address on the network it brings up the same host unreachable message. This has led me to believe that the problem lies in the router getting access to the external network. Routing on the router namespace seems correct, however below are a few details to help.

ovs-vsctl show on the network node:

 Bridge br-ex
        Port br-ex
            Interface br-ex
                type: internal
        Port access
            tag: 1
            Interface access
                type: internal
        Port tunnel
            tag: 91
            Interface tunnel
                type: internal
        Port "em1"
            Interface "em1"
        Port manage
            tag: 90
            Interface manage
                type: internal
        Port phy-br-ex
            Interface phy-br-ex
        Port "qg-e0568127-66"
            Interface "qg-e0568127-66"
                type: internal
    Bridge br-int
        fail_mode: secure
        Port br-int
            Interface br-int
                type: internal
        Port int-br-ex
            Interface int-br-ex
        Port "tapc6621d51-92"
            tag: 1
            Interface "tapc6621d51-92"
        Port "qr-8518aa2a-53"
            tag: 1
            Interface "qr-8518aa2a-53"
                type: internal
    ovs_version: "2.0.2"

ovs-vsctl show on the compute node:

Bridge br-int
        fail_mode: secure
        Port "qvo2413c721-39"
            tag: 7
            Interface "qvo2413c721-39"
        Port int-br-ex
            Interface int-br-ex
        Port br-int
            Interface br-int
                type: internal
    Bridge br-ex
        Port br-ex
            Interface br-ex
                type: internal
        Port phy-br-ex
            Interface phy-br-ex
        Port tunnel
            tag: 91
            Interface tunnel
                type: internal
        Port manage
            tag: 90
            Interface manage
                type: internal
        Port "em1"
            Interface "em1"
        Port access
            tag: 1
            Interface access
                type: internal
    ovs_version: "2.0.2"

neutron router-show demo-router

+-----------------------+-----------------------------------------------------------------------------+
| Field                        | Value                                                                                    |
+-----------------------+-----------------------------------------------------------------------------+
| admin_state_up        | True                                                                                      |
| external_gateway_info | {"network_id": "5d3d7aeb-74d2-4dd9-b225-fcaae42f8491", "enable_snat": true} |
| id                            | af5defb3-489a-4b67-ac3f-dd106ef244f3                                   |
| name                       | demo-router                                                                           |
| routes                      |                                                                                              |
| status                       | ACTIVE                                                                                  |
| tenant_id             | 939df6198eba4f6fba7e9ca5ca4177dc                                            |
+-----------------------+-----------------------------------------------------------------------------+

As I said before we can ping and ssh from the router namespace on the network node, so the security group rules are fine, but without the router getting external access, the instance doesn't have external access either.

If anyone has any suggestions at solving this issue it would be appreciated.

[EDIT] Result of ip netns exec qrouter-xxx ip addr:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
34: qr-8518aa2a-53: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default 
    link/ether fa:16:3e:56:21:d4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global qr-8518aa2a-53
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe56:21d4/64 scope link 
       valid_lft forever preferred_lft forever
35: qg-e0568127-66: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default 
    link/ether fa:16:3e:39:d4:dd brd ff:ff:ff:ff:ff:ff
    inet xxx.xxx.xxx.13/24 brd xxx.xxx.xxx.255 scope global qg-e0568127-66
       valid_lft forever preferred_lft forever
    inet xxx.xxx.xxx.14/32 brd xxx.xxx.xxx.14 scope global qg-e0568127-66
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe39:d4dd/64 scope link 
       valid_lft forever preferred_lft forever

Result of ip netns exec qrouter-xxx route -n:

Kernel IP routing table
Destination          Gateway         Genmask     Flags Metric   Ref     Use    Iface
0.0.0.0             xxx.xxx.xxx.1     0.0.0.0         UG    0           0        0     qg-e0568127-66
xxx.xxx.xxx.0       0.0.0.0         255.255.255.0   U     0           0        0     qg-e0568127-66
192.168.100.0      0.0.0.0         255.255.255.0   U     0          0        0     qr-8518aa2a-53

Result of ip netns exec qrouter-xxx iptables -nvL:

Chain INPUT (policy ACCEPT 118 packets, 12089 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  118 12089 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 4 packets, 288 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   288 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    4   288 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 488 packets, 34282 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  488 34282 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  488 34282 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  492 34570 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:9697

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-local (1 references)
 pkts bytes target     prot opt in     out     source               destination

[EDIT]

ifconfig em1 network:

em1       Link encap:Ethernet  HWaddr 44:37:e6:89:ee:04  
          inet6 addr: fe80::4637:e6ff:fe89:ee04/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:541456 errors:0 dropped:0 overruns:0 frame:0
          TX packets:147892 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:78120346 (78.1 MB)  TX bytes:33963191 (33.9 MB)
          Interrupt:20 Memory:fe500000-fe520000

ifconfig em1 compute:

em1       Link encap:Ethernet  HWaddr 44:37:e6:89:ed:f3  
          inet6 addr: fe80::4637:e6ff:fe89:edf3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:713233 errors:0 dropped:0 overruns:0 frame:0
          TX packets:348725 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:144110079 (144.1 MB)  TX bytes:88408380 (88.4 MB)
          Interrupt:20 Memory:fe500000-fe520000

Neutron Router fails to access external network

My setup is a three node Icehouse install, using Ubuntu 14.04 and using VLAN's on both the switch and neutron. An instance can be booted and receives an IP address from the demo-network. When a floating IP address is created and added to the instance, it is done without error. However when we try to ping the address, it says 'Destination Host Unreachable'.

Looking into the router namespace on the network node and pinging the instance, it can be accessed, however if I then attempt to access the network gateway, or another address on the network it brings up the same host unreachable message. This has led me to believe that the problem lies in the router getting access to the external network. Routing on the router namespace seems correct, however below are a few details to help.

ovs-vsctl show on the network node:

 Bridge br-ex
        Port br-ex
            Interface br-ex
                type: internal
        Port access
            tag: 1
            Interface access
                type: internal
        Port tunnel
            tag: 91
            Interface tunnel
                type: internal
        Port "em1"
            Interface "em1"
        Port manage
            tag: 90
            Interface manage
                type: internal
        Port phy-br-ex
            Interface phy-br-ex
        Port "qg-e0568127-66"
            Interface "qg-e0568127-66"
                type: internal
    Bridge br-int
        fail_mode: secure
        Port br-int
            Interface br-int
                type: internal
        Port int-br-ex
            Interface int-br-ex
        Port "tapc6621d51-92"
            tag: 1
            Interface "tapc6621d51-92"
        Port "qr-8518aa2a-53"
            tag: 1
            Interface "qr-8518aa2a-53"
                type: internal
    ovs_version: "2.0.2"

ovs-vsctl show on the compute node:

Bridge br-int
        fail_mode: secure
        Port "qvo2413c721-39"
            tag: 7
            Interface "qvo2413c721-39"
        Port int-br-ex
            Interface int-br-ex
        Port br-int
            Interface br-int
                type: internal
    Bridge br-ex
        Port br-ex
            Interface br-ex
                type: internal
        Port phy-br-ex
            Interface phy-br-ex
        Port tunnel
            tag: 91
            Interface tunnel
                type: internal
        Port manage
            tag: 90
            Interface manage
                type: internal
        Port "em1"
            Interface "em1"
        Port access
            tag: 1
            Interface access
                type: internal
    ovs_version: "2.0.2"

neutron router-show demo-router

+-----------------------+-----------------------------------------------------------------------------+
| Field                        | Value                                                                                    |
+-----------------------+-----------------------------------------------------------------------------+
| admin_state_up        | True                                                                                      |
| external_gateway_info | {"network_id": "5d3d7aeb-74d2-4dd9-b225-fcaae42f8491", "enable_snat": true} |
| id                            | af5defb3-489a-4b67-ac3f-dd106ef244f3                                   |
| name                       | demo-router                                                                           |
| routes                      |                                                                                              |
| status                       | ACTIVE                                                                                  |
| tenant_id             | 939df6198eba4f6fba7e9ca5ca4177dc                                            |
+-----------------------+-----------------------------------------------------------------------------+

As I said before we can ping and ssh from the router namespace on the network node, so the security group rules are fine, but without the router getting external access, the instance doesn't have external access either.

If anyone has any suggestions at solving this issue it would be appreciated.

[EDIT] Result of ip netns exec qrouter-xxx ip addr:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
34: qr-8518aa2a-53: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default 
    link/ether fa:16:3e:56:21:d4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global qr-8518aa2a-53
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe56:21d4/64 scope link 
       valid_lft forever preferred_lft forever
35: qg-e0568127-66: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default 
    link/ether fa:16:3e:39:d4:dd brd ff:ff:ff:ff:ff:ff
    inet xxx.xxx.xxx.13/24 brd xxx.xxx.xxx.255 scope global qg-e0568127-66
       valid_lft forever preferred_lft forever
    inet xxx.xxx.xxx.14/32 brd xxx.xxx.xxx.14 scope global qg-e0568127-66
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe39:d4dd/64 scope link 
       valid_lft forever preferred_lft forever

Result of ip netns exec qrouter-xxx route -n:

Kernel IP routing table
Destination          Gateway         Genmask     Flags Metric   Ref     Use    Iface
0.0.0.0             xxx.xxx.xxx.1     0.0.0.0         UG    0           0        0     qg-e0568127-66
xxx.xxx.xxx.0       0.0.0.0         255.255.255.0   U     0           0        0     qg-e0568127-66
192.168.100.0      0.0.0.0         255.255.255.0   U     0          0        0     qr-8518aa2a-53

Result of ip netns exec qrouter-xxx iptables -nvL:

Chain INPUT (policy ACCEPT 118 packets, 12089 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  118 12089 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 4 packets, 288 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   288 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    4   288 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 488 packets, 34282 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  488 34282 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  488 34282 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  492 34570 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:9697

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-local (1 references)
 pkts bytes target     prot opt in     out     source               destination

[EDIT]

ifconfig em1 network:

em1       Link encap:Ethernet  HWaddr 44:37:e6:89:ee:04  
          inet6 addr: fe80::4637:e6ff:fe89:ee04/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:541456 errors:0 dropped:0 overruns:0 frame:0
          TX packets:147892 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:78120346 (78.1 MB)  TX bytes:33963191 (33.9 MB)
          Interrupt:20 Memory:fe500000-fe520000

ifconfig em1 compute:

em1       Link encap:Ethernet  HWaddr 44:37:e6:89:ed:f3  
          inet6 addr: fe80::4637:e6ff:fe89:edf3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:713233 errors:0 dropped:0 overruns:0 frame:0
          TX packets:348725 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:144110079 (144.1 MB)  TX bytes:88408380 (88.4 MB)
          Interrupt:20 Memory:fe500000-fe520000

route -n on network node:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         xxx.xxx.xxx.1     0.0.0.0         UG    0      0        0 access
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 manage
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 tunnel
xxx.xxx.xxx.0     0.0.0.0         255.255.255.0   U     0      0        0 access