[Openstack-operators] problem with DVR in Kilo and floating IPs
Daniel Russell
DanielR at hostworks.com.au
Fri Jun 3 00:25:29 UTC 2016
Hi,
We have seen this kind of behaviour and it was because the qrouter had the following rules :
-A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-l3-agent-snat
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-float-snat -s <fixed ip>/32 -j SNAT --to-source <floating-ip>
That meant that whenever traffic wasn’t going between instances in the same network (ie. Had to go through the router), it would NAT it to the floating IP even if the other server was in a directly connected network.
To see if this is happening for you, you could try adding a rule in your security groups to allow VM1s floating IP to access VM2 and/or vice versa. You could also do a tcpdump on the router’s interfaces to the networks to see if you are getting some translation issues.
Regards,
Dan.
From: Gustavo Randich [mailto:gustavo.randich at gmail.com]
Sent: Friday, 3 June 2016 7:40 AM
To: openstack-operators at lists.openstack.org; openstack at lists.openstack.org
Subject: [Openstack-operators] problem with DVR in Kilo and floating IPs
Hi,
Using DVR in Kilo, I've the following issue:
- VM1 is in tenant network 1 (fixed IP 10.97.2.4)
- VM2 is in tenant network 2 (fixed IP 10.97.0.4)
- a router connects both networks
- VM1 and VM2 both have floating IPs
- I can ping from VM1 to VM2 using fixed / internal IP
- I cannot SSH from VM1 to VM2 using fixed IP, because of "ssh_exchange_identification: read: Connection reset by peer"
- iperf output between both VMs using fixed IP is strange (see below)
If I remove floating IP in VM2 (target VM), SSH and iperf begin to work OK
The problem is not present with two VM1 in the *same* tenant network and both having floating IPs
Any ideas?
Thanks!
------------
VM1# tracepath 10.97.0.4
1?: [LOCALHOST] pmtu 1500
1: 10.97.2.1 0.322ms
1: 10.97.2.1 0.436ms
2: 10.97.0.4 0.962ms reached
Resume: pmtu 1500 hops 2 back 4
VM1# ping 10.97.0.4
PING 10.97.0.4 (10.97.0.4) 56(84) bytes of data.
64 bytes from 10.97.0.4<http://10.97.0.4>: icmp_seq=1 ttl=61 time=1.23 ms
^C
--- 10.97.0.4 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.231/1.231/1.231/0.000 ms
VM1# ssh 10.97.0.4
ssh_exchange_identification: read: Connection reset by peer
VM1# iperf -c 10.97.0.4
------------------------------------------------------------
Client connecting to 10.97.0.4, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[ 3] local 10.97.2.4 port 47014 connected with 10.97.0.4 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 0.00 ▒ ▒▒s 14746824734997131264 Bytes/sec
VM2# # iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
[ 4] local 10.97.0.4 port 5001 connected with 10.182.0.58 port 47014
[ ID] Interval Transfer Bandwidth
[ 4] 0.0- 0.0 sec 14.1 KBytes 9.36 Mbits/sec
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20160603/cd8bc6ec/attachment.html>
More information about the OpenStack-operators
mailing list