with software simple gateway and default security group ping on floating IP is working only on local compute node
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Juniper Openstack | Status tracked in Trunk | | |
R3.2 | Fix Committed | High | Hari Prasad Killi |
R4.0 | Won't Fix | High | Nagendra E S |
R4.1 | Fix Committed | Undecided | Nagendra E S |
R5.0 | Fix Committed | Undecided | Nagendra E S |
Trunk | Fix Committed | Undecided | Nagendra E S |
Bug Description
I'm using OpenContrail 3.2.6.0 and Openstack 2.3.1 (Mitaka).
The problem is also reproducing with 3.2.8.0 and Openstack Newton.
I have a default setup with 2 compute nodes, and install a software simple gateway on one compute node. I also have only the default security group and two VMs created in one virtual network. Also have a public network for floating IP. Each VM is distributed on different compute nodes and each VM uses its own floating IP.
I'm able to ping only the IP of the VM that is running on the compute node where the vgw was installed.
The ping of floating IP for the second VM will be discarded on second compute node due to "Flow Action Drop" reason of dropstats command.
One flow is present from that ping between a PC and the VM, but the action of the flow is D(SG) - discard due to security group.
We have a workaround for this bug: in the security group, change the IPV4 Ingress rule, which has "default" set as Address (the default security group), to 0.0.0.0/0, and the ping starts to work.
tags: added: vrouter
tags: added: contrail-control; removed: vrouter
Changed in opencontrail: assignee: nobody → Hari Prasad Killi (haripk)
Changed in opencontrail: status: New → Won't Fix
no longer affects: opencontrail
Seems that with default security group rules the normal behavior is that ping to floating IPs will not work. New rules need to be added to enable this (for public subnet) or to change the "default" with 0.0.0.0/0 in default security group IPV4 ingress rule.
So the bug is in fact that FIPs can be pinged by default for VMs running on the vgw compute node.
Also the security group and FIP will not work correctly at all on that particular compute node.
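
The rule semantics behind the D(SG) drop and the workaround discussed above, as an added example: a simplified model written for this page, not OpenContrail or Neutron code. The addresses, the group membership and the `SCOPED_SG` rule set are constructed; the last rule set shows that a rule limited to ICMP from the public subnet admits the ping without opening every protocol the way 0.0.0.0/0 does.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class IngressRule:
    protocol: str                       # "any", "icmp", "tcp", ...
    remote_cidr: Optional[str] = None   # source prefix, e.g. "0.0.0.0/0"
    remote_group: Optional[str] = None  # source must be a port in this group

def ingress_allowed(rules, src_ip, protocol, group_members):
    """Return True if any ingress rule admits the packet; otherwise it is dropped."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.protocol not in ("any", protocol):
            continue
        if rule.remote_group is not None:
            # Remote-group rule: only addresses of ports in that group match.
            if src_ip in group_members.get(rule.remote_group, set()):
                return True
        elif rule.remote_cidr is not None:
            if src in ipaddress.ip_network(rule.remote_cidr):
                return True
    return False

# Constructed sample data (not from the bug report). Assumption: floating-IP
# NAT rewrites only the destination, so the VM sees the external source address.
GROUP_MEMBERS = {"default": {"10.1.1.3", "10.1.1.4"}}   # the two VMs
EXTERNAL_PC = "192.0.2.50"                              # host pinging the floating IP
PEER_VM = "10.1.1.4"

DEFAULT_SG = [IngressRule("any", remote_group="default")]
WORKAROUND_SG = [IngressRule("any", remote_cidr="0.0.0.0/0")]
SCOPED_SG = DEFAULT_SG + [IngressRule("icmp", remote_cidr="192.0.2.0/24")]

def verdicts(rules):
    """(external ping, external tcp, peer VM ping) for a rule set."""
    return (
        ingress_allowed(rules, EXTERNAL_PC, "icmp", GROUP_MEMBERS),
        ingress_allowed(rules, EXTERNAL_PC, "tcp", GROUP_MEMBERS),
        ingress_allowed(rules, PEER_VM, "icmp", GROUP_MEMBERS),
    )

if __name__ == "__main__":
    for name, rules in [("default", DEFAULT_SG), ("0.0.0.0/0", WORKAROUND_SG),
                        ("scoped", SCOPED_SG)]:
        print(name, verdicts(rules))
```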