Hi Chris,

>> If I set --router:external=False on the Public net, will that cause Neutron 
>> to create a purely virtual router based on an instance instead of playing 
>> games with the hardware NIC?

No. It simply means that routers cannot be attached to the network using the 
router-gateway-set command. It would not be treated as an ‘external’ or 
‘floating IP’ network, so to speak.

If you can SSH to instances connected to the public network, as well as the 
OpenStack dashboard, from the private instances, then MTU should be OK (if 
you’re using VXLAN). Normally MTU issues manifest themselves as SSH connections 
that appear to hang during the setup, dropped packets, etc. But I would expect 
the three-way handshake to be completed in either case.

At this point, I recommend performing a tcpdump on the qg-* interface of the 
router, or the other end of that interface that resides in the external bridge, 
to see what TCP/UDP traffic looks like as it leaves your instance. Verify that 
it’s being NAT’d properly as the SNAT address or the floating IP address. 
Perform the same cap on the physical interface of the server, maybe filtering 
on the IP you’re trying to reach to reduce the noise. You want to trace the 
packets as they leave the instance through the various bridges, veths, and 
lastly the physical interface.

James
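
The check described in the message above, as an added example that is not part of the original thread: it reads saved `tcpdump -nn` text output from the qg-* or physical interface and reports whether outbound SYNs carry the SNAT/floating IP address and whether a SYN-ACK comes back. The function name `diagnose`, the verdict strings, and all addresses in the sample captures are assumptions constructed for illustration.

```python
import ipaddress
import re

# Matches `tcpdump -nn` text output for IPv4 TCP packets.
LINE = re.compile(r"IP (\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.\d+: Flags \[([^\]]+)\]")

def diagnose(lines, private_cidr, nat_addrs, dest_ip):
    """Classify a text capture from qg-* or the physical interface.

    Returns "not_natted", "no_traffic", "no_reply" or "handshake_ok".
    """
    private = ipaddress.ip_network(private_cidr)
    syn_out = synack_in = False
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, dst, flags = m.groups()
        if dst == dest_ip and flags == "S":
            if ipaddress.ip_address(src) in private:
                return "not_natted"  # fixed IP leaked past the router
            syn_out = syn_out or src in nat_addrs
        elif src == dest_ip and dst in nat_addrs and flags == "S.":
            synack_in = True  # reply reached this capture point
    if not syn_out:
        return "no_traffic"
    return "handshake_ok" if synack_in else "no_reply"

# Constructed sample captures (documentation address ranges, not from the thread).
PRIVATE, NAT, DEST = "10.0.0.0/24", {"198.51.100.20"}, "203.0.113.10"
LEAKED = ["12:00:01.000001 IP 10.0.0.5.43210 > 203.0.113.10.80: Flags [S], seq 1, win 29200, length 0"]
ONE_WAY = ["12:00:01.000001 IP 198.51.100.20.43210 > 203.0.113.10.80: Flags [S], seq 1, win 29200, length 0",
           "12:00:02.000001 IP 198.51.100.20.43210 > 203.0.113.10.80: Flags [S], seq 1, win 29200, length 0"]
GOOD = ONE_WAY[:1] + ["12:00:01.020001 IP 203.0.113.10.80 > 198.51.100.20.43210: Flags [S.], seq 9, ack 2, win 28960, length 0"]

if __name__ == "__main__":
    for name, cap in (("leaked", LEAKED), ("one-way", ONE_WAY), ("good", GOOD)):
        print(name, diagnose(cap, PRIVATE, NAT, DEST))
```

Running the same function over the capture from each hop shows where the SYN stops being translated or where the reply is lost.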


From: Christopher Hull <chrishul...@gmail.com>
Date: Thursday, March 31, 2016 at 1:09 PM
To: Neil Jerram <neil.jer...@metaswitch.com>
Cc: openstack-operators <openstack-operators@lists.openstack.org>
Subject: Re: [Openstack-operators] [neutron] Interesting networking issue - 
need help

If I set --router:external=False on the Public net, will that cause Neutron to 
create a purely virtual router based on an instance instead of playing games 
with the hardware NIC?   Sure, that will "burn an instance", but it will have 
the advantage in that it might actually work!  :-)

-Chris


- Christopher T. Hull
I am presently seeking a new career opportunity  Please see career page
http://chrishull.com/career
333 Orchard Ave, Sunnyvale CA. 94085
(415) 385 4865
chrishul...@gmail.com
http://chrishull.com



On Thu, Mar 31, 2016 at 11:05 AM, Christopher Hull 
<chrishul...@gmail.com> wrote:
All by IP.   Private instances can't get hostnames because they can't get 
TCP/UDP back from DNS, so all testing is via IP.

-Chris





On Thu, Mar 31, 2016 at 10:51 AM, Neil Jerram 
<neil.jer...@metaswitch.com> wrote:
On 31/03/16 18:40, Christopher Hull wrote:
> Hi all;
> Was originally DNS issue, but that was a downstream symptom.
>
> Instances on Private net can't access internet TCP, but CAN ICMP. ping all.
> Details:
> 1. Instances on Public net work perfectly.
> 2. Instances on Private net can fully access Public net instances, both
> virtual and physical boxes.
>     ssh from Private to Public instance works.
>     http to OpenStack dashboard (physical box) from Private instance works.
> 3. Private instances can ping everything, including the internet.

By IP or by hostname?

> 4. Private instances can NOT TCP to my ATT gateway. (public net)
>     HTTP to ATT gateway which has a web interface fails.
>     Same is true for internet.  Ping, but no TCP (UDP?)

Again, are these TCP attempts to an IP or to a hostname?

Just want to be sure that this isn't still a name resolution issue.

        Neil


> 5. Floating IPs work.   I think the Neutron Router is fine.
>
> Any ideas??
> -Chris


