[Openstack] floating IPs not routed from inside

Brian Haley brian.haley at hp.com
Thu Oct 25 17:52:05 UTC 2012


On 10/25/2012 10:27 AM, Christian Parpart wrote:
> Hey all,
> 
> we're having quite a few compute nodes with Essex installed and one central
> nova-network gateway.
> 
> We now have a few floating IPs set up to route from the world through the
> gateway to these VMs.
> 
> However, accessing these floating (public) IPs from inside a *tenant's VM*
> results in timeouts,
> but accessing the very same IP from a compute node (hypervisor) hosting those
> VMs actually does work.

Is the floating IP assigned to the VM trying to access itself?  I know there was
a change to fix that (search for hairpin_mode) and pretty sure it was in Essex.

> Now I'm a bit confused, it seems like a routing issue or iptables NAT thing and
> would be really grateful
> if anyone can help me out with a hint. :)

What does tcpdump on the bridge show?  Are the packets going out and coming
back?  If not you need to start looking on other interfaces for it (or use -i
any), and if that doesn't help start looking at the iptables counters for the
rules associated with the instance.

> Is this known to not work or what do you need from me to actually understand my
> issue a bit more?

It should work assuming there is a security group rule allowing it, which is
something else to look at.

-Brian
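
The counter check suggested in the reply above, as an added example that is not part of the original message: it compares two `iptables-save -c` snapshots taken before and after a test connection and reports the packet delta for every rule that mentions the floating IP. The snapshots, chain names and addresses are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed `iptables-save -c` snapshots (not from the thread); the chain
# names and addresses are assumptions chosen for illustration.
BEFORE = """\
*nat
:PREROUTING ACCEPT [0:0]
[40:2400] -A nova-network-PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 10.0.0.5
[7:420] -A nova-network-float-snat -s 10.0.0.5/32 -j SNAT --to-source 203.0.113.10
[3:180] -A nova-network-PREROUTING -d 203.0.113.100/32 -j DNAT --to-destination 10.0.0.9
COMMIT
"""
# Second snapshot: only the two DNAT rules saw traffic in between.
AFTER = BEFORE.replace("[40:2400]", "[45:2700]").replace("[3:180]", "[9:540]")

# A counted rule line looks like: [pkts:bytes] -A <chain> <rule spec>
RULE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*)$")


def parse_counters(dump):
    """Map (table, chain, rule_spec) -> packet count from `iptables-save -c` text."""
    table, counters = None, {}
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. "*nat"
            table = line[1:]
            continue
        m = RULE.match(line)
        if m:
            pkts, _bytes, chain, spec = m.groups()
            key = (table, chain, spec)
            # Identical rules in one chain are summed rather than overwritten.
            counters[key] = counters.get(key, 0) + int(pkts)
    return counters


def counter_deltas(before, after, ip):
    """List (table, chain, spec, packet_delta) for rules that mention `ip`."""
    old, new = parse_counters(before), parse_counters(after)
    # Match the address as a whole token so 203.0.113.10 skips 203.0.113.100.
    token = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return [(t, c, s, n - old.get((t, c, s), 0))
            for (t, c, s), n in new.items() if token.search(s)]


if __name__ == "__main__":
    for table, chain, spec, delta in counter_deltas(BEFORE, AFTER, "203.0.113.10"):
        print(f"{delta:>6} pkts  {table}/{chain}  {spec}")
```

A rule whose delta stays at 0 while the test traffic is running marks the point where the packets stop matching.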



