yahoo-eng-team team mailing list archive
Message #95753
[Bug 2097610] Re: No connection from outside host to VPNaaS host after upgrading from Ussuri to Victoria/Wallaby
[Expired for neutron because there has been no activity for 60 days.]
** Changed in: neutron
Status: Incomplete => Expired
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2097610
Title:
No connection from outside host to VPNaaS host after upgrading from
Ussuri to Victoria/Wallaby
Status in neutron:
Expired
Bug description:
Here's what I have (the update process to Wallaby is currently underway):
- Neutron controller v.Wallaby
- Neutron net-node1 v.Wallaby
- Neutron net-node2 v.Victoria
- Neutron net-node3 v.Ussuri
There is the following topology (10.5.4.0/24 - IPSec - 192.168.255.0/24):
"""
10.5.4.4 (VPNaaS host) -> 10.5.4.1 (VPNaaS) -> 192.168.255.21 (outside OPNsense/Mikrotik) -> 192.168.255.30 (outside host)
"""
When I move the project router to the net-node running Ussuri, I see the following rules in the namespace, FORWARD chain:
"""
iptables -L FORWARD -n
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.255.0/24 10.5.4.0/24 policy match dir in pol ipsec reqid 1 proto 50
ACCEPT all -- 10.5.4.0/24 192.168.255.0/24 policy match dir out pol ipsec reqid 1 proto 50
neutron-filter-top all -- 0.0.0.0/0 0.0.0.0/0
neutron-l3-agent-FORWARD all -- 0.0.0.0/0 0.0.0.0/0
"""
and
- ping from 10.5.4.4 to 192.168.255.30 - OK (0% loss)
- ping from 192.168.255.30 to 10.5.4.1 - OK (0% loss)
- ping from 192.168.255.30 to 10.5.4.4 - OK (0% loss)
When I move the project router to a net-node running Victoria or Wallaby, I see the following rules in the namespace, FORWARD chain:
"""
iptables -L FORWARD -n
Chain FORWARD (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- 0.0.0.0/0 0.0.0.0/0
neutron-l3-agent-FORWARD all -- 0.0.0.0/0 0.0.0.0/0
"""
and
- ping from 10.5.4.4 to 192.168.255.30 - OK (0% loss)
- ping from 192.168.255.30 to 10.5.4.1 - OK (0% loss)
- ping from 192.168.255.30 to 10.5.4.4 - not OK (100% loss)
To fix the situation, I need to add the following rule in the project namespace:
"""
iptables -I FORWARD 1 -s 192.168.255.0/24 -d 10.5.4.0/24 -m policy --dir in --pol ipsec -j ACCEPT
iptables -L FORWARD -n --line-numbers
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 192.168.255.0/24 10.5.4.0/24 policy match dir in pol ipsec
2 neutron-filter-top all -- 0.0.0.0/0 0.0.0.0/0
3 neutron-l3-agent-FORWARD all -- 0.0.0.0/0 0.0.0.0/0
"""
then I see that
- ping from 192.168.255.30 to 10.5.4.4 - OK (0% loss)
What could be the problem and how to fix it?
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2097610/+subscriptions
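The report above comes down to one observable difference: on the Ussuri node the router namespace's FORWARD chain carries two ACCEPT rules matching IPsec-policy traffic (dir in and dir out), and on the Victoria/Wallaby nodes both are gone, so decapsulated inbound traffic never reaches the VPNaaS host. The following shell script is an added example, not code from the bug report or from Neutron: it parses `iptables -L FORWARD -n` output and reports which of the two policy-match rules is missing, printing (but not executing) the rule that would restore it. The sample listings are constructed from the shapes shown in the report; the function names, the `remote`/`local_net` parameters and the `qrouter-<router id>` namespace naming in the usage note are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or Neutron): audit a router
# namespace's FORWARD chain for the IPsec policy-match ACCEPT rules.

# Constructed sample listings, shaped like the output in the bug report.
# The first (Ussuri) has both policy-match rules; the second (Wallaby) has none.
FORWARD_WITH_RULES='Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.255.0/24 10.5.4.0/24 policy match dir in pol ipsec reqid 1 proto 50
ACCEPT all -- 10.5.4.0/24 192.168.255.0/24 policy match dir out pol ipsec reqid 1 proto 50
neutron-filter-top all -- 0.0.0.0/0 0.0.0.0/0
neutron-l3-agent-FORWARD all -- 0.0.0.0/0 0.0.0.0/0'

FORWARD_WITHOUT_RULES='Chain FORWARD (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- 0.0.0.0/0 0.0.0.0/0
neutron-l3-agent-FORWARD all -- 0.0.0.0/0 0.0.0.0/0'

# has_ipsec_policy_rule LISTING DIR REMOTE_CIDR LOCAL_CIDR
# Returns 0 when LISTING (iptables -L FORWARD -n output) contains an ACCEPT
# rule for direction DIR ("in" or "out") whose source/destination pair and
# "policy match dir DIR pol ipsec" fields describe the tunnel between the
# two CIDRs. Fields are compared by position, so column padding from a real
# iptables listing does not matter.
has_ipsec_policy_rule() {
    listing=$1; dir=$2; remote=$3; local_net=$4
    case $dir in
        in)  src=$remote;    dst=$local_net ;;
        out) src=$local_net; dst=$remote ;;
        *)   return 2 ;;
    esac
    printf '%s\n' "$listing" | awk -v src="$src" -v dst="$dst" -v dir="$dir" '
        $1 == "ACCEPT" && $4 == src && $5 == dst &&
        $6 == "policy" && $7 == "match" && $8 == "dir" && $9 == dir &&
        $10 == "pol" && $11 == "ipsec" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# vpn_forward_check LISTING REMOTE_CIDR LOCAL_CIDR
# Prints one line per missing direction together with the rule that would
# restore it (the "in" rule is the reporter's workaround; the "out" rule
# mirrors the Ussuri listing). Returns the number of missing rules.
vpn_forward_check() {
    listing=$1; remote=$2; local_net=$3; missing=0
    if ! has_ipsec_policy_rule "$listing" in "$remote" "$local_net"; then
        echo "missing (dir in):  iptables -I FORWARD 1 -s $remote -d $local_net -m policy --dir in --pol ipsec -j ACCEPT"
        missing=$((missing + 1))
    fi
    if ! has_ipsec_policy_rule "$listing" out "$remote" "$local_net"; then
        echo "missing (dir out): iptables -I FORWARD 1 -s $local_net -d $remote -m policy --dir out --pol ipsec -j ACCEPT"
        missing=$((missing + 1))
    fi
    return $missing
}

# Demonstration on the constructed samples (remote site first, local subnet second).
echo "== Ussuri-style listing =="
vpn_forward_check "$FORWARD_WITH_RULES" 192.168.255.0/24 10.5.4.0/24 && echo "both policy-match rules present"
echo "== Wallaby-style listing =="
vpn_forward_check "$FORWARD_WITHOUT_RULES" 192.168.255.0/24 10.5.4.0/24 || echo "$? rule(s) missing"
```

To audit a live router after an upgrade, capture the chain from the router's namespace (assuming Neutron's usual `qrouter-<router id>` naming) with `ip netns exec qrouter-<router id> iptables -L FORWARD -n` and pass that text as the first argument. The script only reports; whether to insert the rules by hand or to wait for the agent to manage them is a decision for the operator, since a rule added manually in the namespace will not survive the L3 agent rebuilding its chains.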