[OVN] access between Floatings ip and instance with Direct External IP

Bug #1889388 reported by cyrille babon
Affects: neutron
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi,

I'm running Ussuri on Ubuntu 18.04 through Kolla-Ansible.
For network I use OVN.

Currently, if I create an instance with a floating IP and another instance with a direct external IP (same network and same subnet for the floating IP and the direct external IP):
- The instance with the floating IP can access the internal network and the external network, but can't access the instance with the direct external IP.
- The instance with the direct external IP can access the external network, but can't access the instance with the floating IP through its floating IP.
- A physical server in the "External Network" can access the instance with the floating IP through its floating IP and can access the instance with the direct external IP.

The network is VLAN type.

Steps to reproduce:
- Create an external and shared network (VLAN type)
- Create an internal network
- Create a router for the internal network and use the external/shared network as gateway
- Create an instance in the internal network
- Add a floating IP to this instance
- Create an instance in the external/shared network
- Try to ping between the 2 instances

Expected output:
- Instances can ping each other

Actual output:
- Instances can't ping each other

Version:
- Ussuri Stable
- Host Ubuntu 18.04 and container (kolla-ansible) Ubuntu 18.04
- Kolla-ansible deployment

tags: added: ovn
tags: added: l3-dvr-backlog
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Hi Cyrille:

One question, are both instances in the same host?

Regards.

Brian Haley (brian-haley) wrote :

And just a follow-on to Rodolfo's question - there are security group rules added for icmp and/or ssh, correct? Thanks

cyrille babon (cyrille-babon) wrote :

Hi,

1- Tried with the same and different hosts, the problem is the same.
2- Yes, security group rules are open for ICMP and SSH.

Regards,
Cyrille

cyrille babon (cyrille-babon) wrote :

After further investigation, the pings between the 2 work for the first minute after adding the floating IP (with some losses) and then nothing after.

Mohammed Naser (mnaser) wrote :

I think this is an actual issue here, I'm seeing this happening at the moment. The scenario is the following:

- External network with two subnets (Let's say 1.1.1.0/24 and 2.2.2.0/24)
- VM connected directly to 1.1.1.0
- Router gateway connected to external network via 1.1.1.0/24 and private network 192.168.0.0/24
- VM connected directly to 192.168.0.0/24 and floating IP from 2.2.2.0/24
- Both VMs on the same host

ICMP works fine, but anything stateful doesn't work. TCP traffic fails because on the way out it goes through the provider network bridge (aka br-ex), but traffic back flows directly to the bridge, so the MAC addresses are not the same for outbound/inbound traffic.

I'm still looking more, but if I migrated systems off to another one (they're not on the same system), everything works.

Mohammed Naser (mnaser) wrote :

This is what tcpdumps look like on both sides:

https://paste.opendev.org/show/bxMRYkmcCvkARtYx7KnS/

Mohammed Naser (mnaser) wrote :

You'll notice it gets a response from the fa:16:3e:ff:88:8a MAC address, so the odd thing here is:

- fa:61:25:a2:5a:71: external network gateway mac (aka 1.1.1.1)
- fa:16:3e:ff:88:8a: virtual router external network interface (aka 1.1.1.X)

So the virtual router is responding directly to the system.
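
Added example (not part of the bug report and not any commenter's code): a small checker that reads `tcpdump -e -n` output taken on the directly attached VM's interface and reports peers whose replies arrive from a different MAC than the next hop the VM sends to, which is the asymmetry described in the comments above. The capture lines, the VM MAC fa:16:3e:00:00:01 and the host addresses 1.1.1.10, 2.2.2.20 and 2.2.2.30 are constructed; only the two MACs named in the thread come from the page.

```python
import re
from collections import defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"\d+\.\d+\.\d+\.\d+"
# Matches `tcpdump -e -n` IPv4 lines; the trailing ".port" is optional (ICMP has none).
LINE_RE = re.compile(
    rf"(?P<smac>{MAC}) > (?P<dmac>{MAC}), ethertype IPv4 \(0x0800\), length \d+: "
    rf"(?P<sip>{IP})(?:\.\d+)? > (?P<dip>{IP})(?:\.\d+)?:",
    re.IGNORECASE,
)

def find_mac_asymmetry(lines, local_mac):
    """Return peers whose replies come from a different MAC than the next hop we send to."""
    local_mac = local_mac.lower()
    sent_to = defaultdict(set)        # peer IP -> dst MACs on frames we sent
    received_from = defaultdict(set)  # peer IP -> src MACs on frames we received
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # ARP, IPv6, or anything that is not an IPv4 frame line
        smac, dmac = m["smac"].lower(), m["dmac"].lower()
        if smac == local_mac:
            sent_to[m["dip"]].add(dmac)
        elif dmac == local_mac:
            received_from[m["sip"]].add(smac)
    return {
        peer: {"sent_to": sorted(sent_to[peer]),
               "received_from": sorted(received_from[peer])}
        for peer in sent_to.keys() & received_from.keys()
        if sent_to[peer] != received_from[peer]
    }

# Constructed capture (assumption): VM 1.1.1.10 talks to floating IP 2.2.2.20 and,
# as a symmetric control flow, to 2.2.2.30. MACs fa:61:25:a2:5a:71 (gateway) and
# fa:16:3e:ff:88:8a (virtual router) are the ones quoted in the thread.
LOCAL_MAC = "fa:16:3e:00:00:01"
ETH = "ethertype IPv4 (0x0800), length 74:"
SAMPLE = [
    f"10:00:00.000001 {LOCAL_MAC} > fa:61:25:a2:5a:71, {ETH} 1.1.1.10.44321 > 2.2.2.20.22: Flags [S], length 0",
    f"10:00:00.000350 fa:16:3e:ff:88:8a > {LOCAL_MAC}, {ETH} 2.2.2.20.22 > 1.1.1.10.44321: Flags [S.], length 0",
    f"10:00:01.000001 {LOCAL_MAC} > fa:61:25:a2:5a:71, {ETH} 1.1.1.10.44400 > 2.2.2.30.22: Flags [S], length 0",
    f"10:00:01.000400 fa:61:25:a2:5a:71 > {LOCAL_MAC}, {ETH} 2.2.2.30.22 > 1.1.1.10.44400: Flags [S.], length 0",
]

if __name__ == "__main__":
    for peer, macs in find_mac_asymmetry(SAMPLE, LOCAL_MAC).items():
        print(peer, macs)
```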
