Comment 14 for bug 1012144

Lorin Hochstein (lorinh) wrote :

I just hit this issue on my Folsom deployment

OS: Ubuntu 12.04
Nova: 2012.2.3-0ubuntu2.1~cloud0
network_manager: VlanManager (Not running multihost)
libvirt_type: kvm

I tried a ping test and was unable to ping the floating IP of an instance from inside of another instance that also had a floating IP.

When I watched the icmp packets move across the network, I noticed that SNAT'ing was not occurring to the ICMP packet when it got to the network node.

To be specific, I was trying to ping from "atlantis" (fixed=10.40.1.10, floating=10.20.0.7) to "dc" (fixed=10.40.1.4, floating=10.20.0.4).

When atlantis sends out the packet, it's "FROM: 10.40.1.10 to: 10.20.0.4"

When it hits the iptables NAT rules on the nova-network node, the packet header becomes: "FROM: 10.40.1.10 to 10.40.1.4". It then reaches the "dc" node, which sends the response directly back to "atlantis" since it's on the same subnet. The return packet doesn't even reach atlantis, though. It reaches br150 on the atlantis's host, but doesn't get to the vnet interface. I'm not sure why the packet was being dropped by the compute host.

Also, I noticed the oddest thing: the ICMP packets don't reach "dc" unless I'm doing a tcpdump on br150 of the nova-network node! I've never seen such a thing.
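The trace in the comment above can be reproduced with a small model of the two NAT steps involved (DNAT of the floating destination on PREROUTING, SNAT of the fixed source on POSTROUTING). The following is an added example written for this page; it is not code from the bug report or from nova, and it does not try to reproduce nova-network's real iptables chains. The addresses are the ones the comment gives; the public interface name `eth0`, the assumption that the source rewrite only fires for traffic leaving on the public interface, and the "hairpin" rule that also rewrites fixed-to-fixed traffic are all constructed for the illustration. The model shows why the reply takes a different path in the two cases: without the source rewrite, "dc" answers "atlantis" directly on the fixed subnet with a source address atlantis never sent to, so nothing ever undoes the DNAT; with it, the reply is routed back through the network node where both translations are reversed. It also traces a ping from an outside address, which works either way.

```python
# Added example: a model of the nova-network style floating-IP NAT steps, used to
# trace the hairpinned ping from the comment. Not nova's code; addresses from the
# comment, interface name "eth0" and the hairpin rule are constructed assumptions.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

FIXED_RANGE = ip_network("10.40.1.0/24")       # fixed range implied by the comment
PUBLIC_IFACE, BRIDGE = "eth0", "br150"         # eth0 is assumed; br150 is from the comment
FLOATING = {"10.20.0.4": "10.40.1.4",          # dc       (floating -> fixed, from the comment)
            "10.20.0.7": "10.40.1.10"}         # atlantis (floating -> fixed, from the comment)
FIXED_TO_FLOATING = {fixed: flt for flt, fixed in FLOATING.items()}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def egress_iface(dst):
    """Routing decision on the network node: fixed-range hosts are behind br150."""
    return BRIDGE if ip_address(dst) in FIXED_RANGE else PUBLIC_IFACE


def dnat(pkt):
    """PREROUTING: a floating destination is rewritten to the instance's fixed IP."""
    return replace(pkt, dst=FLOATING.get(pkt.dst, pkt.dst))


def snat(pkt, hairpin):
    """POSTROUTING: a fixed source is rewritten to its floating IP.

    hairpin=False models the behaviour the comment reports: the rewrite only
    applies to traffic leaving on the public interface (assumed -o match).
    hairpin=True adds a rule that also rewrites traffic staying on the bridge.
    """
    floating = FIXED_TO_FLOATING.get(pkt.src)
    if floating is None:
        return pkt
    if hairpin or egress_iface(pkt.dst) == PUBLIC_IFACE:
        return replace(pkt, src=floating)
    return pkt


def untranslate_reply(reply):
    """Connection tracking on the network node reverses both mappings for a reply."""
    return Packet(FIXED_TO_FLOATING.get(reply.src, reply.src),
                  FLOATING.get(reply.dst, reply.dst))


def trace_ping(src, dst_floating, hairpin):
    """Return (request as delivered to the target, reply as seen by the sender, ok).

    ok is True when the sender receives a reply from the address it pinged.
    """
    sent = Packet(src, dst_floating)
    delivered = snat(dnat(sent), hairpin)          # what leaves the network node
    reply = Packet(delivered.dst, delivered.src)   # target just swaps the addresses
    if ip_address(reply.dst) in FIXED_RANGE:
        # Same subnet: delivered directly over the bridge, the NAT node never sees it.
        seen_by_sender = reply
    else:
        # Destination is a floating or external address: routed via the NAT node.
        seen_by_sender = untranslate_reply(reply)
    expected = Packet(sent.dst, sent.src)
    return delivered, seen_by_sender, seen_by_sender == expected


if __name__ == "__main__":
    for label, src, hairpin in (("atlantis, no hairpin SNAT", "10.40.1.10", False),
                                ("atlantis, with hairpin SNAT", "10.40.1.10", True),
                                ("external host", "198.51.100.9", False)):
        delivered, seen, ok = trace_ping(src, "10.20.0.4", hairpin)
        print(f"{label}: delivered {delivered.src}->{delivered.dst}, "
              f"reply seen {seen.src}->{seen.dst}, ok={ok}")
```

In the no-hairpin case the reply reaches the sender's side as `10.40.1.4 -> 10.40.1.10`, while atlantis is waiting for an answer from `10.20.0.4`; that mismatch is what any stateful check between the bridge and the instance's interface would see, though the model says nothing about which rule on the compute host actually drops it.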