
yahoo-eng-team team mailing list archive

[Bug 1821357] [NEW] VRRP vip on VM not reachable from other network on DVR setup

 

Public bug reported:

Hi.

We are using OpenStack Queens with DVR and have the following problem:

We have a VRRP setup (OpenSense firewalls) on VMs. The vip is reachable
from all other VMs in the same network, but not from VMs in different
networks. Both OpenSense VMs are reachable from the other network.


So, routing in general between the two networks works fine, but we cannot reach the vip from the other network.

Port Security is deactivated.

It does work if the VRRP master VM is on the same compute node as the
test VM trying to reach it.

Further investigation shows that when trying to ping the vip, the ICMP
message reaches the router interface on the compute node where the VM
sending it is located. But an ovs-tcpdump on the patch-int port shows that
there is no traffic tunneled between the hosts.

So, if the VRRP master with the vip is on the same node as the VM trying
to reach it, it receives the ping and answers. If it is on a different
node, we can observe an arp request from the router interface only on
the node where the VM sending the ping is located. This arp request is
unanswered.


It seems to us that this is a bug in Neutron.

Yours
  David

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1821357
