VRRP vip on VM not reachable from other network on DVR setup

Bug #1821357 reported by David Rabel on 2019-03-22
Affects: neutron | Status: (not set) | Importance: Undecided | Assigned to: Unassigned | Milestone: (not set)

Bug Description

Hi.

We are using OpenStack Queens with DVR and have the following problem:

We have a VRRP setup (OPNsense firewalls) on VMs. The VIP is reachable from all other VMs in the same network, but not from VMs in different networks. Both OPNsense VMs are reachable from the other network.

So, routing in general between the two networks works fine, but we cannot reach the VIP from the other network.

Port Security is deactivated.

It does work if the VRRP master VM is on the same compute node as the test VM that is trying to reach it.

Further investigation shows that when trying to ping the VIP, the ICMP message reaches the router interface on the compute node where the sending VM is located. But an ovs-tcpdump on the patch-int port shows that there is no traffic tunneled between the hosts.

So, if the VRRP master with the VIP is on the same node as the VM trying to reach it, it receives the ping and answers. If it is on a different node, we can observe an ARP request from the router interface only on the node where the VM sending the ping is located. This ARP request is unanswered.

It seems to us that this is a bug in Neutron.

Yours
  David

Ryan Tidwell (ryan-tidwell) wrote :

I didn't see whether you were using allowed address pairs in this setup. Do you have allowed address pairs configured on the 2 VM ports?

Jörg Frede (frede-r) wrote :

There are no allowed address pairs, but port security is disabled for the two ports because it is a firewall that should be able to route any traffic.

Jörg Frede (frede-r) wrote :

If you try to add an allowed address pair to these ports you get:

Port Security must be enabled in order to have allowed address pairs on a port.
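The two comments above pin down the rule that decides whether a Neutron port will carry a VRRP VIP at all: either port security is disabled on the port, or the VIP is listed in its allowed address pairs, and allowed address pairs can only exist while port security is enabled. The following pre-check is an added example, not code from the bug report or from Neutron itself. It evaluates constructed port dictionaries shaped like `openstack port show -f json` output (the attribute names `port_security_enabled`, `allowed_address_pairs` and `fixed_ips` are real Neutron port attributes; the sample addresses are made up).

```python
"""Pre-check whether a Neutron port can carry a VRRP/CARP VIP.

Added example; the port dictionaries are constructed samples that mimic
the JSON produced by `openstack port show -f json`.
"""
import ipaddress
from typing import Tuple


def vip_allowed(port: dict, vip: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a VIP on the given port.

    Rules encoded here, as stated in the bug thread:
      * port security disabled  -> any source address may leave the port
      * port security enabled   -> the VIP must be one of the port's own
                                   fixed IPs or be covered by an entry in
                                   allowed_address_pairs (IP or CIDR)
      * allowed_address_pairs without port security is an inconsistent
        state that Neutron rejects, so it is reported as such
    """
    vip_addr = ipaddress.ip_address(vip)
    pairs = port.get("allowed_address_pairs") or []
    ps_enabled = port.get("port_security_enabled", True)

    if not ps_enabled:
        if pairs:
            return False, "inconsistent: allowed_address_pairs set while port security disabled"
        return True, "port security disabled"

    # Port security on: the VIP must match a fixed IP ...
    for fixed in port.get("fixed_ips") or []:
        if ipaddress.ip_address(fixed["ip_address"]) == vip_addr:
            return True, "vip is a fixed ip of the port"

    # ... or fall inside an allowed address pair (single IP or CIDR).
    for pair in pairs:
        net = ipaddress.ip_network(pair["ip_address"], strict=False)
        if vip_addr in net:
            return True, f"vip covered by allowed address pair {pair['ip_address']}"

    return False, "port security enabled and vip not in allowed_address_pairs"


def check_cluster(ports: dict, vip: str) -> dict:
    """Run vip_allowed() over every member port of a VRRP pair (constructed input)."""
    return {name: vip_allowed(port, vip) for name, port in ports.items()}


# Constructed sample ports; addresses and IDs are placeholders, not from the report.
FW_PORT_NO_PS = {
    "id": "port-a-placeholder",
    "port_security_enabled": False,
    "allowed_address_pairs": [],
    "fixed_ips": [{"ip_address": "10.0.0.11", "subnet_id": "subnet-placeholder"}],
}
FW_PORT_WITH_PAIR = {
    "id": "port-b-placeholder",
    "port_security_enabled": True,
    "allowed_address_pairs": [{"ip_address": "10.0.0.10/32", "mac_address": "fa:16:3e:00:00:01"}],
    "fixed_ips": [{"ip_address": "10.0.0.12", "subnet_id": "subnet-placeholder"}],
}
FW_PORT_PS_ONLY = {
    "id": "port-c-placeholder",
    "port_security_enabled": True,
    "allowed_address_pairs": [],
    "fixed_ips": [{"ip_address": "10.0.0.13", "subnet_id": "subnet-placeholder"}],
}

if __name__ == "__main__":
    for name, result in check_cluster(
        {"fw-a": FW_PORT_NO_PS, "fw-b": FW_PORT_WITH_PAIR, "fw-c": FW_PORT_PS_ONLY},
        "10.0.0.10",
    ).items():
        print(name, result)
```

This only answers whether the port will admit the VIP's source address; it says nothing about the DVR cross-node ARP problem the report goes on to describe, which is a router-side issue and would still reproduce for ports that pass this check.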

Ryan Tidwell (ryan-tidwell) wrote :

That was a poorly worded question about allowed address pairs. I've seen this sort of thing done with allowed address pairs and port security enabled, so that's why I asked. Let's ignore it for now :)

Just to confirm and help debug: when trying to reach the VIP through a router it fails (except when on the same compute node)? And in all cases the VIP is reachable if not passing through a router? Do you have one router with interfaces for both networks, or something more complex?

Jörg Frede (frede-r) wrote :

Yes, only one router with interfaces in both networks.
And also yes, the VIP is reachable from within the same network from all VMs, but not from other networks through the router. Except when the VM with the VIP as master and the VM that tries to access it are on the same host.
All 6 hosts in our network have a DVR running.

This is a known issue with DVR and we are in the process of fixing it.

Jörg Frede (frede-r) wrote :

OK, thanks, that sounds very much like our problem.
I see the last action was 3 months ago.
If we can help you in any way by testing the latest fix proposal, let us know.

Bence Romsics (bence-romsics) wrote :

I'm marking this as a duplicate of bug 1774459 then.
