[rdo-list] Issue with IPsec ESP packets dropped even if the security-groups and port security are disabled (using openstack-mitaka release on CentOS 7.2 system)

Chinmaya Dwibedy ckdwibedy at gmail.com
Tue Jun 28 02:11:57 UTC 2016


Hi All,


I have installed the openstack-mitaka release on a CentOS 7.2 system. I have
disabled the security-groups and port security for all the neutron
ports/all VMs using the script stated below.

ML2 port security is enabled in /etc/neutron/plugins/ml2/ml2_conf.ini:
extension_drivers = port_security

#!/bin/bash
# Disable security groups and port security on every neutron port that still
# has port_security_enabled set to True.

for port in $(neutron port-list -c id -c port_security_enabled -c fixed_ips \
              | grep True | cut -d '|' -f2); do
        echo "Removing security-groups and port_security for port: $port"
        # Clear the security-group list, then switch port security off
        neutron port-update --no-security-groups --port_security_enabled=False "$port"
done

echo "Completed"


Thereafter, when I send IPsec ESP traffic from one VM (VM1) to another (VM2), it is
being received and captured (by tcpdump) on the corresponding tap device,
but the same is not being received on the Linux bridge (qbrxxx) and qvbxxx (of
VM1). Note that if I send UDP traffic then I do not find any issue: it is
being forwarded to VM2.


The VM1's eth0 interface is connected to a Linux tap device tap2caa3b0e-e3
which is plugged into a Linux bridge, qbr2caa3b0e-e3. There is no iptables
filtering applied when packets pass into or out of the Linux bridge. Can
anyone please suggest what the issue might be and its solution? Thank you in
advance for your time and support. Here are the configurations. Please
feel free to let me know if you need any additional information.




[root@stag48 ~(keystone_admin)]# brctl show
bridge name     bridge id               STP enabled     interfaces
qbr2caa3b0e-e3          8000.1ec72d90a310       no              qvb2caa3b0e-e3
                                                        tap2caa3b0e-e3
qbr408fa3a3-b4          8000.e6f0e680f28f       no              qvb408fa3a3-b4
                                                        tap408fa3a3-b4
qbr5fa991b5-de          8000.02c32f416df0       no              qvb5fa991b5-de
                                                        tap5fa991b5-de
qbraf134785-23          8000.46e43737b69f       no              qvbaf134785-23
                                                        tapaf134785-23
qbre698fa07-9c          8000.5ea17f458f55       no              qvbe698fa07-9c
                                                        tape698fa07-9c
qbrf6756f4d-08          8000.b2f79fe90f20       no              qvbf6756f4d-08
                                                        tapf6756f4d-08

[root@stag48 ~(keystone_admin)]# iptables -S | grep tap2caa3b0e-e3
[root@stag48 ~(keystone_admin)]#

[root@stag48 ~(keystone_admin)]# neutron security-group-rule-list
+--------------------------------------+----------------+-----------+-----------+---------------+------------------+
| id                                   | security_group | direction | ethertype | port/protocol | remote           |
+--------------------------------------+----------------+-----------+-----------+---------------+------------------+
| 16c2d8c8-a286-4b71-8045-94cd303b5c02 | default        | ingress   | IPv4      | 22/tcp        | 0.0.0.0/0 (CIDR) |
| 2332057f-8c66-4aa6-8700-561b26a5b906 | default        | ingress   | IPv4      | any           | default (group)  |
| 4798772b-561f-4960-85b2-2453613d527e | default        | ingress   | IPv6      | any           | default (group)  |
| 5142e3b2-d2ff-40c5-87eb-5d646852f2d4 | default        | ingress   | IPv4      | icmp          | 0.0.0.0/0 (CIDR) |
| 7179fc0a-5533-433a-8cc9-3099eeff5a4b | default        | egress    | IPv4      | any           | any              |
| 7cb2f140-6c97-499a-b5f7-6bcc16f6c9a3 | default        | ingress   | IPv6      | any           | default (group)  |
| 829e7607-463a-4c7a-b162-8357f47924d1 | default        | ingress   | IPv4      | 1-65535/udp   | 0.0.0.0/0 (CIDR) |
| 9f1b8571-3c46-4f53-ac80-835d2186a3c0 | default        | egress    | IPv6      | any           | any              |
| bd46535b-6311-46f6-9b5c-cda78194ac01 | default        | egress    | IPv4      | any           | any              |
| e1b7ab35-8426-4c07-b5bc-d5760b291520 | default        | ingress   | IPv4      | any           | default (group)  |
| e82da2bf-f2e1-4d33-916b-ecb90b5db857 | default        | egress    | IPv6      | any           | any              |
+--------------------------------------+----------------+-----------+-----------+---------------+------------------+

[root@stag48 ~(keystone_admin)]# nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
|             |           |         |           | default      |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| udp         | 1         | 65535   | 0.0.0.0/0 |              |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
|             |           |         |           | default      |
+-------------+-----------+---------+-----------+--------------+
[root@stag48 ~(keystone_admin)]#





[root@stag48 ~(keystone_admin)]# nova list
+--------------------------------------+-------------+--------+------------+-------------+-------------------------------------------------------------------------+
| ID                                   | Name        | Status | Task State | Power State | Networks                                                                |
+--------------------------------------+-------------+--------+------------+-------------+-------------------------------------------------------------------------+
| 38207997-25af-4113-bc40-109b2745412c | VM2         | ACTIVE | -          | Running     | private1=11.0.151.13, 172.19.208.25; private=10.0.151.50, 172.19.208.15 |
| 302f90eb-2d0a-4a74-8e95-92ac8c7e2b71 | VM1         | ACTIVE | -          | Running     | private1=11.0.151.14, 172.19.208.26; private=10.0.151.51, 172.19.208.16 |
+--------------------------------------+-------------+--------+------------+-------------+-------------------------------------------------------------------------+
[root@stag48 ~(keystone_admin)]#



Regards,

Chinmaya
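A way to sanity-check the symptom (UDP passes, ESP does not) against the rule set shown in the message, added here as an example and not part of the original post: the Python below parses the IPv4 ingress rules of the default group from the neutron security-group-rule-list table above and evaluates a packet against them the way a security group would (allow-list, anything unmatched is dropped). If those rules were still being applied to the port, ESP (IP protocol 50, which has no port) from a source that is not a member of the default group matches no rule, while UDP on any port matches the 1-65535/udp rule; the source address in the test is VM2's private address from the nova list output.

```python
import ipaddress

# Constructed excerpt of the `neutron security-group-rule-list` output in the post
# (only the IPv4 ingress rules of the default group matter for this check).
RULE_TABLE = """\
| id                                   | security_group | direction | ethertype | port/protocol | remote           |
| 16c2d8c8-a286-4b71-8045-94cd303b5c02 | default        | ingress   | IPv4      | 22/tcp        | 0.0.0.0/0 (CIDR) |
| 5142e3b2-d2ff-40c5-87eb-5d646852f2d4 | default        | ingress   | IPv4      | icmp          | 0.0.0.0/0 (CIDR) |
| 829e7607-463a-4c7a-b162-8357f47924d1 | default        | ingress   | IPv4      | 1-65535/udp   | 0.0.0.0/0 (CIDR) |
| e1b7ab35-8426-4c07-b5bc-d5760b291520 | default        | ingress   | IPv4      | any           | default (group)  |
"""

def parse_rules(table):
    """Turn the CLI table rows into rule dicts; the header row is skipped."""
    rules = []
    for line in table.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] == "id":
            continue
        _rid, group, direction, ethertype, portproto, remote = cells
        proto, ports = "any", None
        if portproto != "any":
            if "/" in portproto:              # "22/tcp" or "1-65535/udp"
                prange, proto = portproto.split("/")
                lo, _, hi = prange.partition("-")
                ports = (int(lo), int(hi or lo))
            else:                             # bare protocol name such as "icmp"
                proto = portproto
        rtype = "group" if remote.endswith("(group)") else "cidr"
        rules.append({"group": group, "direction": direction, "ethertype": ethertype,
                      "proto": proto, "ports": ports, "rtype": rtype,
                      "remote": remote.split(" ")[0]})
    return rules

def allowed(rules, direction, ethertype, proto, dport, src_ip, src_groups=()):
    """True if any rule permits the packet; no match means the group drops it."""
    for r in rules:
        if (r["direction"], r["ethertype"]) != (direction, ethertype):
            continue
        if r["proto"] not in ("any", proto):
            continue
        if r["ports"] and (dport is None or not r["ports"][0] <= dport <= r["ports"][1]):
            continue
        if r["rtype"] == "cidr":
            if ipaddress.ip_address(src_ip) in ipaddress.ip_network(r["remote"]):
                return True
        elif r["remote"] in src_groups:       # remote is a group: source must belong to it
            return True
    return False

RULES = parse_rules(RULE_TABLE)
```

Passing src_groups=("default",) for the ESP packet shows the one rule that would admit it: the source port itself being a member of the default group.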