[ovn] connectivity to load balancer with FIP from a server connected to a router with external gateway
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| neutron |
New
|
Medium
|
Fernando Royo | ||
Bug Description
Imaging following setup:
Subnet S-A on Network N-A connected to Router R-A which has an external gateway on External Provider Network Public.
Subnet S-B on Network N-B connected to Router R-B which has an external gateway on External Provider Network Public.
Server A with a port on Subnet S-A
Server B with a port on Subnet S-B
Load Balancer LB-A on Subnet S-A load balancing port 22 towards Server A's port 22.
Floating IP FIP-LB-A connected to LB-A.
Consider following scenario:
connecting to Floating IP FIP-LB-A form Server S-B is not possible.
Based on what we investigated, when Router Gateway Port of Router R-A and R-B are placed on different Nodes, connection is possible and everything works fine.
But when they take place on the same Node, connectivity to Load Balancers port is not possible.
Also icmp connectivity (ping) from Server A to the external gateway of Router R-B is also impossible.
Versions:
OVN
-------
ovn-nbctl --version
ovn-nbctl 22.03.2
Open vSwitch Library 2.17.5
DB Schema 6.1.0
Neutron
--------
stable/2023.1 commit 643dbbbf6bbf760
| Changed in neutron: | |
| assignee: | nobody → Fernando Royo (froyoredhat) |
| Changed in neutron: | |
| importance: | Undecided → Medium |
| Fernando Royo (froyoredhat) wrote | #1 |
| alisafari (alisafar1212) wrote | #2 |
I try to reproduce the issue, but the only environment I have available has the following versions:
OVN
-------
ovn-nbctl 22.09
Open vSwitch Library 3.2.2
DB Schema 7.1.0
Neutron
--------
stable/2023.1
Using this commands:
openstack network create net1
openstack network create net2
openstack subnet create --subnet-range 192.168.100.0/24 --network net1 subnet1
openstack subnet create --subnet-range 192.168.200.0/24 --network net2 subnet2
openstack security group create sec1
openstack security group rule create --protocol tcp --dst-port 22 sec1
openstack security group rule create --protocol tcp --dst-port 80 sec1
openstack security group rule create --protocol icmp sec1
curl -k -L https:/
openstack image create "cirros" --file cirros.img --disk-format qcow2 --container-format bare --public
openstack flavor create m1.small --disk 1 --vcpus 1 --ram 256
openstack router create r1
openstack router add subnet r1 subnet1
openstack router create r2
openstack router add subnet r2 subnet2
openstack router set --external-gateway public r2
openstack router set --external-gateway public r1
openstack server create --image cirros --flavor m1.small --security-group sec1 --network=net1 --user-data 80.sh vm1 --wait
openstack server create --image cirros --flavor m1.small --security-group sec1 --network=net2 --user-data 80.sh vm2 --wait
IPVM01=$(openstack port list --server vm1 -f json | grep ip_address | cut -d":" -f2 | sed 's/"//g')
IPVM02=$(openstack port list --server vm2 -f json | grep ip_address | cut -d":" -f2 | sed 's/"//g')
openstack loadbalancer create --name lb1 --vip-subnet-id subnet1 --provider ovn
openstack loadbalancer listener create --name listener1 --protocol TCP --protocol-port 80 lb1
openstack loadbalancer pool create --name pool1 --protocol TCP --listener listener1 --lb-algorithm SOURCE_IP_PORT
openstack loadbalancer member create --name vm1 --address $IPVM01 --protocol-port 80 --subnet-id subnet1 pool1
VIP=$(openstack loadbalancer show lb1 -c vip_address -f value)
PORTID=$(openstack port list --fixed-ip ip-address=$VIP -c ID -f value)
openstack floating ip create --port $PORTID public
Check that cr-lrp for both routers are in the same controller node:
(overcloud) [stack@undercloud-0 ~]$ openstack router show r1 --fit
+------
| Field | Value |
+------
| admin_state_up | UP |
| external_