Message #18524
Re: Strange network behavior
Hi Vish et al.
I still can't make head nor tail of it. ICMP works in both directions fine,
but when I try to ssh out from the VM (even with the dmz_cidr flags) the
SYN gets through un-snatted ok, then my desktop SYN-ACKs back, but the virt
never gets to see it. Instead, the snat layer sends a RST.
I don't want any NAT at all. I just want the virts bridged on to the VLAN.
Is there a way to do that?
Kind regards
-- joe.
On 9 November 2012 19:56, Vishvananda Ishaya <vishvananda@xxxxxxxxx> wrote:
> What is the ip address of your workstation? You may be running into
> something similar to this issue:
>
>
> http://lists.openstack.org/pipermail/openstack-dev/2012-September/001212.html
>
> I suspect either:
>
> a) Traffic not getting snatted when it should. This is usually due to
> overlapping ranges between your internal network and fixed_range
>
> this would be fixed by limiting fixed_range in your config file to just
> the instances range: (fixed_range=10.0.41.0/24 ?)
>
> or
>
> b) Traffic getting snatted when it shouldn't. This is usually because your
> workstation ip is on an ip that is internally routable but not routable
> from the external network of the compute host, so it can't get back to the
> snatted ip
>
> this is fixed by stopping snatting to the workstation by setting dmz_cidr
> to a value that includes your workstation network: (dmz_cidr=10.0.0.0/24?)
>
> Vish
>
> On Nov 9, 2012, at 9:14 AM, Joe Warren-Meeks <joe.warren.meeks@xxxxxxxxx>
> wrote:
>
> Hi all,
>
> I've managed to get OpenStack pretty much up and running as I wanted it. I
> do have, however, a rather strange networking issue.
>
> I created the network with
> nova-manage network create --fixed_range_v4=10.0.41.0/24 --num_networks=1
> --bridge=br41 --bridge_interface=eth0 --label=development
> --gateway=10.0.41.1 --dns1=10.0.0.2 --vlan=41 --project_id=XXXXXXX
>
> And I can boot instances fine. I've configured the default security group
> to allow port 22, 80 and ICMP -1 in and I can ping from my workstation to
> the virtual instance ok:
>
> joe@kaneda:~$ ping 10.0.41.3
> PING 10.0.41.3 (10.0.41.3) 56(84) bytes of data.
> 64 bytes from 10.0.41.3: icmp_req=1 ttl=63 time=1.18 ms
>
> And I can ping from the virt back too:
> ubuntu@test:~$ ping 10.0.0.240
> PING 10.0.0.240 (10.0.0.240) 56(84) bytes of data.
> 64 bytes from 10.0.0.240: icmp_req=1 ttl=64 time=0.713 ms
>
>
> I can SSH out from the virt to a host in the outside world fine:
> ubuntu@test:~$ ssh joe@XXXXX
> joe@XXXXXX password:
> -bash: fortune: command not found
> joe@dixon:~ $
>
> BUT I can't ssh from the virt to my workstation, nor from my workstation
> to the virt. Neither does HTTP work.
>
> What I am seeing in tcpdump is a lot of incorrect cksums. This happens
> with all TCP connections.
>
> 17:12:38.539784 IP (tos 0x0, ttl 64, id 53611, offset 0, flags [DF], proto
> TCP (6), length 60)
> 10.0.0.240.56791 > 10.0.41.3.22: Flags [S], cksum 0x3e21 (incorrect ->
> 0x6de2), seq 2650163743, win 14600, options [mss 1460,sackOK,TS val
> 28089204 ecr 0,nop,wscale 6], length 0
>
>
> 17:12:38.585279 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP
> (6), length 60)
> 10.0.41.3.22 > 10.0.0.240.56791: Flags [S.], cksum 0x3e21 (incorrect
> -> 0xe5c5), seq 1530502549, ack 3098447117, win 14480, options [mss
> 1460,sackOK,TS val 340493 ecr 28089204,nop,wscale 3], length 0
>
> Anyone come across this before?
>
> -- joe.
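Added example, not part of the original thread and not nova's own code: a small model of the two failure modes Vish describes, run against the addresses quoted in the thread. It assumes the exemptions (dmz_cidr, and traffic whose source and destination both fall inside fixed_range) are evaluated before the SNAT rule; the 10.0.0.0/8 value is constructed to show an over-wide fixed_range.

```python
import ipaddress

def snat_decision(src, dst, fixed_range, dmz_cidrs=()):
    """Model the NAT outcome for one packet leaving the compute host.

    Assumed rule order (a simplification, not nova's code): exemptions
    are checked first, and only then is the SNAT rule for fixed_range hit.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    fixed = ipaddress.ip_network(fixed_range)

    if src_ip not in fixed:
        return "no-nat: source is not an instance address"
    for cidr in dmz_cidrs:
        if dst_ip in ipaddress.ip_network(cidr):
            return "no-nat: destination is in dmz_cidr"
    if dst_ip in fixed:
        # Case (a) in the thread: an over-wide fixed_range swallows
        # external hosts, so they are treated as instance-to-instance.
        return "no-nat: destination is inside fixed_range"
    # Case (b) applies here if the destination cannot route replies
    # back to the SNAT address.
    return "snat"

VM, WORKSTATION = "10.0.41.3", "10.0.0.240"  # addresses from the thread

def scenarios():
    """Evaluate the thread's VM -> workstation flow under each config."""
    return {
        "fixed_range=10.0.41.0/24": snat_decision(
            VM, WORKSTATION, "10.0.41.0/24"),
        "plus dmz_cidr=10.0.0.0/24": snat_decision(
            VM, WORKSTATION, "10.0.41.0/24", ["10.0.0.0/24"]),
        # 10.0.0.0/8 is a constructed, over-wide value for illustration.
        "fixed_range=10.0.0.0/8": snat_decision(
            VM, WORKSTATION, "10.0.0.0/8"),
    }

if __name__ == "__main__":
    for config, outcome in scenarios().items():
        print(f"{config:28} -> {outcome}")
```

Comparing the modelled outcome with the source address tcpdump shows on the workstation side tells you which of the two cases you are in.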