[rdo-list] Issue with IPsec ESP packets dropped even if the security-groups and port security are disabled (using openstack-mitaka release on CentO7.2 system)
Chinmaya Dwibedy
ckdwibedy at gmail.com
Tue Jun 28 02:11:57 UTC 2016
Hi All,
I have installed openstack-mitaka release on CentO7.2 system.I have
disabled the security-groups and port security for all the neutron
ports/all VMs using below stated.
ML2 port security is enabled in /etc/neutron/plugins/ml2/ml2_conf.ini:
extension_drivers
= port_security
#!/bin/bash
for port in $(neutron port-list -c id -c port_security_enabled -c fixed_ips
| grep True | cut -d '|' -f2); do
echo "Removing security-groups and port_security for port: $port"
neutron port-update --no-security-groups
--port_security_enabled=False $port
done
echo "Completed"
Thereafter when I send IPsec ESP traffic from One VM1 to another VM2, it is
being received and captured (by tcpdump) by the corresponding tap device
but the same is not being received on Linux bridge (qbrxxx) and qvbxxx (of
VM1). Note that, if I send UDP traffic then I do not find any issue. It is
being carried forwarded to VM2.
The VM1's eth0 interface is connected to a Linux tap device tap2caa3b0e-e3
which is plugged into a Linux bridge, qbr2caa3b0e-e3. There are no iptables
filtering applied when packets passing into or out of the Linux bridge. Can
anyone please suggest what might the issue and its solution? Thank you in
advance for your time and support. Here goes the configurations. Please
feel free to let me know if you need any additional information.
[root at stag48 ~(keystone_admin)]# brctl show
bridge name bridge id STP enabled interfaces
qbr2caa3b0e-e3 8000.1ec72d90a310 no qvb2caa3b0e-e3
tap2caa3b0e-e3
qbr408fa3a3-b4 8000.e6f0e680f28f no qvb408fa3a3-b4
tap408fa3a3-b4
qbr5fa991b5-de 8000.02c32f416df0 no qvb5fa991b5-de
tap5fa991b5-de
qbraf134785-23 8000.46e43737b69f no qvbaf134785-23
tapaf134785-23
qbre698fa07-9c 8000.5ea17f458f55 no qvbe698fa07-9c
tape698fa07-9c
qbrf6756f4d-08 8000.b2f79fe90f20 no qvbf6756f4d-08
tapf6756f4d-08
[root at stag48 ~(keystone_admin)]# iptables -S | grep tap2caa3b0e-e3
[root at stag48 ~(keystone_admin)]#
[root at stag48 ~(keystone_admin)]# neutron security-group-rule-list
+--------------------------------------+----------------+-----------+-----------+---------------+------------------+
| id | security_group | direction |
ethertype | port/protocol | remote |
+--------------------------------------+----------------+-----------+-----------+---------------+------------------+
| 16c2d8c8-a286-4b71-8045-94cd303b5c02 | default | ingress |
IPv4 | 22/tcp | 0.0.0.0/0 (CIDR) |
| 2332057f-8c66-4aa6-8700-561b26a5b906 | default | ingress |
IPv4 | any | default (group) |
| 4798772b-561f-4960-85b2-2453613d527e | default | ingress |
IPv6 | any | default (group) |
| 5142e3b2-d2ff-40c5-87eb-5d646852f2d4 | default | ingress |
IPv4 | icmp | 0.0.0.0/0 (CIDR) |
| 7179fc0a-5533-433a-8cc9-3099eeff5a4b | default | egress |
IPv4 | any | any |
| 7cb2f140-6c97-499a-b5f7-6bcc16f6c9a3 | default | ingress |
IPv6 | any | default (group) |
| 829e7607-463a-4c7a-b162-8357f47924d1 | default | ingress |
IPv4 | 1-65535/udp | 0.0.0.0/0 (CIDR) |
| 9f1b8571-3c46-4f53-ac80-835d2186a3c0 | default | egress |
IPv6 | any | any |
| bd46535b-6311-46f6-9b5c-cda78194ac01 | default | egress |
IPv4 | any | any |
| e1b7ab35-8426-4c07-b5bc-d5760b291520 | default | ingress |
IPv4 | any | default (group) |
| e82da2bf-f2e1-4d33-916b-ecb90b5db857 | default | egress |
IPv6 | any | any |
+--------------------------------------+----------------+-----------+-----------+---------------+------------------+
[root at stag48 ~(keystone_admin)]# nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| | | | | default |
| icmp | -1 | -1 | 0.0.0.0/0 | |
| udp | 1 | 65535 | 0.0.0.0/0 | |
| tcp | 22 | 22 | 0.0.0.0/0 | |
| | | | | default |
+-------------+-----------+---------+-----------+--------------+
[root at stag48 ~(keystone_admin)]#
[root at stag48 ~(keystone_admin)]# nova list
+--------------------------------------+-------------+--------+------------+-------------+-------------------------------------------------------------------------+
| ID | Name | Status | Task State
| Power State |
Networks |
+--------------------------------------+-------------+--------+------------+-------------+-------------------------------------------------------------------------+
| 38207997-25af-4113-bc40-109b2745412c | VM2 | ACTIVE | - |
Running | private1=11.0.151.13, 172.19.208.25; private=10.0.151.50,
172.19.208.15 |
| 302f90eb-2d0a-4a74-8e95-92ac8c7e2b71 | VM1 | ACTIVE | - |
Running | private1=11.0.151.14, 172.19.208.26; private=10.0.151.51,
172.19.208.16 |
+--------------------------------------+-------------+--------+------------+-------------+-------------------------------------------------------------------------+
[root at stag48 ~(keystone_admin)]#
Regards,
Chinmaya
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rdoproject.org/pipermail/dev/attachments/20160628/1d6f17f3/attachment.html>
More information about the dev
mailing list