[Openstack-operators] [neutron] Interesting networking issue - need help

James Denton james.denton at rackspace.com
Thu Mar 31 22:47:31 UTC 2016


Hi Chris,

>> If I set --router:external=False on the Public net, will that cause Neutron to create a purely virtual router based on an instance instead of playing games with the hardware NIC?

No. It simply means that routers cannot be attached to the network using the router-gateway-set command. It would not be treated as an ‘external’ or ‘floating IP’ network, so to speak.

If you can SSH to instances connected to the public network, as well as the OpenStack dashboard, from the private instances, then MTU should be OK (if you’re using VXLAN). Normally MTU issues manifest themselves as SSH connections that appear to hang during the setup, dropped packets, etc. But I would expect the three-way handshake to be completed in either case.

At this point, I recommend performing a tcpdump on the qg-* interface of the router, or the other end of that interface that resides in the external bridge, to see what TCP/UDP traffic looks like as it leaves your instance. Verify that it’s being NAT’d properly as the SNAT address or the floating IP address. Perform the same cap on the physical interface of the server, maybe filtering on the IP you’re trying to reach to reduce the noise. You want to trace the packets as they leave the instance through the various bridges, veths, and lastly the physical interface.

James
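
The capture check described above, as an added example that is not part of the original message: it reads `tcpdump -n` text taken on the router's qg-* interface and reports, per outbound TCP SYN, whether the source was NAT'd and whether a SYN-ACK came back. The capture lines, the addresses (documentation ranges) and the name `check_nat` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, in the shape printed by a capture such as
#   ip netns exec qrouter-<router-id> tcpdump -n -i qg-<port-id>
# (<router-id> and <port-id> are placeholders). 10.0.0.0/24 stands in for
# the private network, 192.0.2.10 for the router's SNAT address.
CAPTURE = """\
22:41:07.000001 IP 192.0.2.10.43512 > 198.51.100.7.80: Flags [S], seq 1, win 29200, length 0
22:41:07.020001 IP 198.51.100.7.80 > 192.0.2.10.43512: Flags [S.], seq 9, ack 2, win 28960, length 0
22:41:08.000001 IP 10.0.0.5.43513 > 198.51.100.7.80: Flags [S], seq 5, win 29200, length 0
22:41:09.000001 IP 192.0.2.10.43514 > 198.51.100.8.443: Flags [S], seq 7, win 29200, length 0
22:41:09.500001 IP 192.0.2.10 > 198.51.100.8: ICMP echo request, id 1, seq 1, length 64
"""

# "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
TCP_LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)

def check_nat(capture, private_cidr, nat_addrs):
    """Map each outbound SYN flow (src, sport, dst, dport) to a verdict."""
    private = ipaddress.ip_network(private_cidr)
    syns, answered = [], set()
    for line in capture.splitlines():
        m = TCP_LINE.search(line)
        if not m:
            continue  # ICMP, ARP, etc. carry no ports and are skipped
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":        # client SYN leaving the router
            syns.append((src, sport, dst, dport))
        elif flags == "S.":     # SYN-ACK returning; store it keyed as the forward flow
            answered.add((dst, dport, src, sport))
    verdicts = {}
    for flow in syns:
        src = flow[0]
        if ipaddress.ip_address(src) in private:
            verdicts[flow] = "not-natted"         # fixed IP visible past the router
        elif src not in nat_addrs:
            verdicts[flow] = "unexpected-source"
        elif flow in answered:
            verdicts[flow] = "ok"                 # NAT'd and the peer replied
        else:
            verdicts[flow] = "no-reply"           # NAT'd, nothing came back
    return verdicts

if __name__ == "__main__":
    for flow, verdict in check_nat(CAPTURE, "10.0.0.0/24", {"192.0.2.10"}).items():
        print(flow, verdict)
```

Running the same function over a capture from the physical interface shows whether a flow marked `no-reply` at the router ever reached the wire.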


From: Christopher Hull <chrishull42 at gmail.com>
Date: Thursday, March 31, 2016 at 1:09 PM
To: Neil Jerram <Neil.Jerram at metaswitch.com>
Cc: openstack-operators <openstack-operators at lists.openstack.org>
Subject: Re: [Openstack-operators] [neutron] Interesting networking issue - need help

If I set --router:external=False on the Public net, will that cause Neutron to create a purely virtual router based on an instance instead of playing games with the hardware NIC?   Sure, that will "burn an instance", but it will have the advantage in that it might actually work!  :-)

-Chris


- Christopher T. Hull
I am presently seeking a new career opportunity  Please see career page
http://chrishull.com/career
333 Orchard Ave, Sunnyvale CA. 94085
(415) 385 4865
chrishull42 at gmail.com
http://chrishull.com



On Thu, Mar 31, 2016 at 11:05 AM, Christopher Hull <chrishull42 at gmail.com> wrote:
All by IP.   Private instances can't get hostnames because they can't get TCP/UDP back from DNS, so all testing is via IP.

-Chris





On Thu, Mar 31, 2016 at 10:51 AM, Neil Jerram <Neil.Jerram at metaswitch.com> wrote:
On 31/03/16 18:40, Christopher Hull wrote:
> Hi all;
> Was originally DNS issue, but that was a downstream symptom.
>
> Instances on Private net can't access internet TCP, but CAN ICMP. ping all.
> Details:
> 1. Instances on Public net work perfectly.
> 2. Instances on Private net can fully access Public net instances, both
> virtual and physical boxes.
>     ssh from Private to Public instance works.
>     http to OpenStack dashboard (physical box) from Private instance works.
> 3. Private instances can ping everything, including the internet.

By IP or by hostname?

> 4. Private instances can NOT TCP to my ATT gateway. (public net)
>     HTTP to ATT gateway which has a web interface fails.
>     Same is true for internet.  Ping, but no TCP (UDP?)

Again, are these TCP attempts to an IP or to a hostname?

Just want to be sure that this isn't still a name resolution issue.

        Neil


> 5. Floating IPs work.   I think the Neutron Router is fine.
>
> Any ideas??
> -Chris
>


