Open Stack

Sam,

I wrote a blog post about this a while back http://techbackground.blogspot.ie/2013/06/path-mtu-discovery-and-gre.html

Basically the GRE tunnel between the node with the instance and the node with the quantum router is reducing the overall path MTU, and the ICMP error sent back to the sender requesting the packet size to be reduced is being blocked or ignored.

Just today I have been looking at the Linux 3.5 kernel and OVS 1.11.0, and the behaviour seems to have changed - now there is IP fragementation happening between the nodes instead.

Re, Darragh.




>________________________________
> From: Samuel Winchenbach <swinchen at gmail.com>
>To: Darragh O'Reilly <dara2002-openstack at yahoo.com> 
>Cc: "openstack-operators at lists.openstack.org" <openstack-operators at lists.openstack.org> 
>Sent: Tuesday, 1 October 2013, 21:02
>Subject: Re: [Openstack-operators] [Grizzly] Multiple l3-agent hosts, single network.
> 
>
>
>That worked great.   What is going on there?  
>
>
>If I run the VM on the same physical machine as the L3 agent I do not need to set the MTU.
>
>
>Interesting.
>
>
>Sam
>
>
>
>On Tue, Oct 1, 2013 at 11:02 AM, Darragh O'Reilly <dara2002-openstack at yahoo.com> wrote:
>
>Sam,
>>
>>
>>being able to reach http but not https sites sounds like the mtu issue we have seen before. As a quick test try reducing the mtu on the instance:
>>
>>$ sudo ip link set mtu 1400 dev eth0
>>
>>and see if the wget to the https site works.
>>
>>
>>Re, Darragh.
>>
>>
>>
>>>Hello,
>>>
>>>
>>>I have two external network hosts (test1 and test2) both running the l3 agent on the same network (XXX.YYY.0.0/24).  I am using OVS/namespace/gre networking.  When a neutron/quantum router is set to use the l3-agent on test1 everything works fine.  If I set the same router to use the l3-agent on test2 I experience some odd problems:  From within a VM using the router on test2 I can wget files from http sites but not from https sites.  I have noticed that the iptables (not within any namespace) are VERY different for the two servers:
>>>
>>>
>>>Working l3-agent (test1) iptables: http://paste.openstack.org/show/47695/
>>>Non-working l3-agent (test2) iptables: http://paste.openstack.org/show/47696/
>>>
>>>
>>>Notice that the iptables for test1 contain chains for the security groups such as quantum-openvswi-i435b8f52-6.  I do not see anything like this on test2.
>>>
>>>
>>>
>>>
>>>Does anyone have any idea what might be causing this issue?
>>>
>>>
>>>Thanks!
>>>Sam
>>>
>>>
>>>
>>>
>>>_______________________________________________
>>>OpenStack-operators mailing list
>>>OpenStack-operators at lists.openstack.org
>>>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>>
>>>
>>>
>>
>>_______________________________________________
>>OpenStack-operators mailing list
>>OpenStack-operators at lists.openstack.org
>>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20131001/19c17d8c/attachment.html>