<div dir="ltr"><p class="MsoNormal"><span style="font-size:12pt;line-height:115%;background-image:initial;background-repeat:initial">Hi All,</span></p><p class="MsoNormal"><span style="font-size:12pt;line-height:115%;background-image:initial;background-repeat:initial"><br></span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;background-image:initial;background-repeat:initial">I have
installed the openstack-</span><span class="">mitaka</span> release on a CentOS 7.2 system. <span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">I have disabled the
security-groups and port security for all the neutron ports/all VMs using the script
stated below. </span></p>

<p class="MsoNormal" style="margin-bottom:21pt;line-height:23.65pt;background-image:initial;background-repeat:initial"><span style="font-size:12pt;letter-spacing:0.1pt">ML2 port security is enabled in
/etc/neutron/plugins/ml2/ml2_conf.ini: </span><span style="font-size:12pt;letter-spacing:0.1pt;line-height:23.65pt">extension_drivers = port_security</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)"> </span><span style="color:rgb(51,51,51);font-size:12pt;line-height:115%">#!/bin/bash</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">for port in $(neutron
port-list -c id -c port_security_enabled -c fixed_ips | grep True |  cut -d '|' -f2); do</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">        echo "Removing security-groups and
port_security for port: $port"</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">        neutron port-update --no-security-groups
--port_security_enabled=False $port</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">done</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">echo
"Completed"</span></p><p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)"><br></span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">Thereafter, when I send
IPsec ESP traffic from one VM (VM1) to another (VM2), it is received and
captured (by tcpdump) on the corresponding tap device, but it is not
received on the Linux bridge (qbrxxx) and qvbxxx (of VM1). Note that if I send UDP
traffic, I do not find any issue; it is forwarded to VM2.</span></p><p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)"><br></span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">The VM1's eth0 interface
is connected to a Linux tap device, tap2caa3b0e-e3, which is plugged into a Linux
bridge, qbr2caa3b0e-e3. There is no iptables filtering applied when packets
pass into or out of the Linux bridge. Can anyone please suggest what might
be the issue and its solution? Thank you in advance for your time and support. Here are the configurations. Please feel free to let me know if you need any additional information.</span></p><p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)"><br></span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)"> </span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">[root@stag48
~(keystone_admin)]# brctl show</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">bridge name     bridge id               STP enabled     interfaces</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">qbr2caa3b0e-e3          8000.1ec72d90a310       no              qvb2caa3b0e-e3</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">                                                       
tap2caa3b0e-e3</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">qbr408fa3a3-b4          8000.e6f0e680f28f       no              qvb408fa3a3-b4</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">                                                       
tap408fa3a3-b4</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">qbr5fa991b5-de          8000.02c32f416df0       no              qvb5fa991b5-de</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">                                                       
tap5fa991b5-de</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">qbraf134785-23          8000.46e43737b69f       no              qvbaf134785-23</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">                                                       
tapaf134785-23</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">qbre698fa07-9c          8000.5ea17f458f55       no              qvbe698fa07-9c</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">                                                        tape698fa07-9c</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">qbrf6756f4d-08          8000.b2f79fe90f20       no              qvbf6756f4d-08</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">                                                       
tapf6756f4d-08</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">[root@stag48
~(keystone_admin)]# iptables -S | grep tap2caa3b0e-e3</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%;color:rgb(51,51,51)">[root@stag48
~(keystone_admin)]#   </span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">[root@stag48 ~(keystone_admin)]# neutron
security-group-rule-list</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">+--------------------------------------+----------------+-----------+-----------+---------------+------------------+</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">| id                                   |
security_group | direction | ethertype | port/protocol | remote           |</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">+--------------------------------------+----------------+-----------+-----------+---------------+------------------+</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">| 16c2d8c8-a286-4b71-8045-94cd303b5c02 | default        | ingress   | IPv4     
| 22/tcp        | 0.0.0.0/0 (CIDR)
|</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">| 2332057f-8c66-4aa6-8700-561b26a5b906 | default        | ingress   | IPv4     
| any           | default
(group)  |</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">| 4798772b-561f-4960-85b2-2453613d527e | default        | ingress   | IPv6     
| any           | default (group)  |</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">| 5142e3b2-d2ff-40c5-87eb-5d646852f2d4 | default        | ingress   | IPv4     
| icmp          | 0.0.0.0/0 (CIDR)
|</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">| 7179fc0a-5533-433a-8cc9-3099eeff5a4b | default        | egress    | IPv4     
| any           | any              |</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">| 7cb2f140-6c97-499a-b5f7-6bcc16f6c9a3 | default        | ingress   | IPv6     
| any           | default
(group)  |</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">| 829e7607-463a-4c7a-b162-8357f47924d1 | default        | ingress   | IPv4     
| 1-65535/udp   | 0.0.0.0/0 (CIDR)
|</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">| 9f1b8571-3c46-4f53-ac80-835d2186a3c0 | default        | egress    | IPv6     
| any           | any              |</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">| bd46535b-6311-46f6-9b5c-cda78194ac01 | default        | egress    | IPv4     
| any           | any              |</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">| e1b7ab35-8426-4c07-b5bc-d5760b291520 | default        | ingress   | IPv4     
| any           | default
(group)  |</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">| e82da2bf-f2e1-4d33-916b-ecb90b5db857 | default        | egress    | IPv6     
| any           | any              |</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">+--------------------------------------+----------------+-----------+-----------+---------------+------------------+</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">[root@stag48 ~(keystone_admin)]# nova secgroup-list-rules
default</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">+-------------+-----------+---------+-----------+--------------+</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">| IP Protocol | From Port | To Port | IP Range  | Source Group |</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">+-------------+-----------+---------+-----------+--------------+</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">|             |           |         |           | default      |</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">| icmp        | -1        | -1      | 0.0.0.0/0 |              |</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">| udp         | 1         | 65535   | 0.0.0.0/0 |              |</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">| tcp         | 22        | 22      | 0.0.0.0/0 |              |</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">|             |           |         |           | default      |</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">+-------------+-----------+---------+-----------+--------------+</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">[root@stag48 ~(keystone_admin)]#</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%"> </span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%"> </span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">[root@stag48 ~(keystone_admin)]# nova list</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">+--------------------------------------+-------------+--------+------------+-------------+-------------------------------------------------------------------------+</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">| ID                                   | Name        | Status | Task State | Power State |
Networks                                                               
|</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">+--------------------------------------+-------------+--------+------------+-------------+-------------------------------------------------------------------------+</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">| 38207997-25af-4113-bc40-109b2745412c | VM2  | ACTIVE | -          | Running     | private1=11.0.151.13, 172.19.208.25;
private=10.0.151.50, 172.19.208.15 |</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">| 302f90eb-2d0a-4a74-8e95-92ac8c7e2b71 | VM1  | ACTIVE | -          | Running     | private1=11.0.151.14, 172.19.208.26;
private=10.0.151.51, 172.19.208.16 |</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">+--------------------------------------+-------------+--------+------------+-------------+-------------------------------------------------------------------------+</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">[root@stag48 ~(keystone_admin)]#</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%"> </span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">Regards,</span></p>

<p class="MsoNormal"><span style="font-size:12pt;line-height:115%">Chinmaya</span></p></div>
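
<p>Added example, not part of the original post: a shell helper that derives the per-hop device names for one Neutron port (tap, qbr and qvb as they appear in the brctl output above; the qvo device is an assumption taken from the standard hybrid plug), prints an ESP-only tcpdump command for each hop, and reports the first hop where packets stop. The port UUID and the packet counts are constructed.</p>

```shell
#!/bin/bash
# Added example, not from the original post.

# The hybrid plug names each device <prefix> + first 11 characters of the
# port UUID, e.g. tap2caa3b0e-e3 / qbr2caa3b0e-e3 / qvb2caa3b0e-e3 in the post.
# qvo (the OVS end of the veth pair) is an assumption; it is not in the post.
hop_devices() {
    short=$(printf '%.11s' "$1")
    echo "tap${short} qbr${short} qvb${short} qvo${short}"
}

# One capture command per hop; the filter 'ip proto 50' matches ESP only.
capture_plan() {
    for dev in $(hop_devices "$1"); do
        echo "timeout 10 tcpdump -l -nn -i ${dev} 'ip proto 50' 2>/dev/null | wc -l"
    done
}

# stdin: "device packet_count" lines in path order.
# stdout: the first pair of hops where traffic was seen and then lost.
first_drop() {
    awk '
        prev != "" && prev_n + 0 > 0 && $2 + 0 == 0 {
            print prev " -> " $1; found = 1; exit
        }
        { prev = $1; prev_n = $2 }
        END { if (!found) print "no drop observed" }
    '
}

# Constructed port UUID: only its first 11 characters appear in the post.
PORT_ID="2caa3b0e-e300-0000-0000-000000000000"
capture_plan "$PORT_ID"

# Constructed counts shaped like the symptom described in the post.
printf '%s\n' "tap2caa3b0e-e3 100" "qbr2caa3b0e-e3 0" "qvb2caa3b0e-e3 0" |
    first_drop    # prints: tap2caa3b0e-e3 -> qbr2caa3b0e-e3
```

<p>Run the printed commands as root on the compute node while the ESP flow is active, then feed the resulting "device count" lines to first_drop.</p>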