Public bug reported:

Hi.

We are using OpenStack Queens with DVR and have the following problem:

We have a VRRP setup (OpenSense firewalls) on VMs. The vip is reachable from all other VMs in the same network, but not from VMs in different networks. Both OpenSense VMs are reachable from the other network. So, routing in general between the two networks works fine, but we cannot reach the vip from the other network. Port Security is deactivated. It does work if the VRRP master VM is on the same compute node as the test VM trying to reach it.

Further investigation shows that when trying to ping the vip, the ICMP message reaches the router interface on the compute node where the VM sending it is located. But an ovs-tcpdump on patch-int port shows that there is no traffic tunneled between the hosts.

So, if the VRRP master with the vip is on the same node as the VM trying to reach it, it receives the ping and answers. If it is on a different node, we can observe an arp request from the router interface only on the node where the VM sending the ping is located. This arp request is unanswered.

It seems to us that this is a bug in Neutron.

Yours
David

** Affects: neutron
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1821357

Title:
  VRRP vip on VM not reachable from other network on DVR setup

Status in neutron:
  New