[Openstack] Help! Attaching floating IP breaks instance networking

Tom Verdaat tom at server.biz
Mon Aug 24 10:44:56 UTC 2015 

Hi all,

I've been running an OpenStack cluster without problems for a while, using
the Kilo release and Distributed Virtual Routing. The instance networking
broke all of a sudden and I can't figure out why or how to fix it. Any help
would be greatly appreciated!

An instance without a Floating IP works fine and can ping all LAN and
internet IP's . However we need to assign FIP's to most because we need to
be able to access them remotely. Once we add an FIP to an instance things
get weird! An instance with a FIP:

   - can ping all LAN IP's (router, dhcp, snat and other instances)
   - can ping its FIP address
   - can ping its Floating range IP address counterpart (fg-[id] port in
   fip-[id] namespace)
   - cannot ping any remote "public network" IP address like the gateway,
   or any internet IP's

>From within the qrouter-[id] namespace:

   - can ping the router IP address
   - can ping the instance LAN IP address
   - can ping the FIP address
   - can ping the Floating namespace internal IP address counterpart
   (169.254.31.xx assigned to frp-[id] port in fip-[id] namespace)
   - cannot ping the other LAN IP's
   - cannot ping the Floating range IP address counterpart (fg-[id] port in
   fip-[id] namespace). Error message: "connect: Network is unreachable"
   - cannot ping any remote "public network" IP address like the gateway,
   or any internet IP's

>From within the fip-[id] namespace:

   - can ping the FIP address
   - can ping the Floating range IP address counterpart in fip-[id]
   namespace
   - can ping the Floating namespace internal IP address counterpart
   (169.254.31.xx assigned to rfp-[id] port in qrouter-[id] namespace)
   - can ping any remote "public network" IP address like the gateway, or
   any internet IP's
   - running "route" command inside the fip namespace takes a long time,
   indicating there is a routing issue here

>From outside:

   - can ping the Floating range IP address in the fip-[id] namespace
   - cannot ping the actual FIP address

Some background:

   - Using Ubuntu OS, Kilo release and Neutron with Distributed Virtual
   Routing
   - Removing the FIP makes basic routing work again
   - Security rules allow any ICMP, TCP and UDP both ingress and egress.
   - No conflicting ranges (host machines on 10.0.0.0/8, tenant on
   192.168.1.1/24 and Floating IP range is a public range)
   - Tried all the basics like restarting neutron and ovs services,
   rebooting compute nodes and checking for conflicting firewall rules.
   - Detailed network information in this paste:
   http://paste.openstack.org/show/qge7ygLCsa3TEZllP2gY/

Anybody know what is going on here? And how to fix it? Is this a bug?

Many thanks!

Tom
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20150824/787c9e19/attachment.html>

More information about the Openstack mailing list