Uploaded image for project: 'Red Hat OpenStack Services on OpenShift'
  1. Red Hat OpenStack Services on OpenShift
  2. OSPRH-11667

[BGP][ovn-routing] VM instances cannot connect to provider network IPs

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Not a Bug
    • Icon: Undefined Undefined
    • None
    • None
    • ovn-bgp-agent
    • None
    • False
    • Hide

      None

      Show
      None
    • False
    • ?
    • ?
    • ?
    • ?
    • None
    • Important

      When BGP is configured with ovn routing, the following flows are added to the EDPM nodes:

       

      [root@compute-uf4kxaep-2 ~]# ovs-ofctl dump-flows br-ex                        
 cookie=0x3e7, duration=92.332s, table=0, n_packets=139, n_bytes=25278, priority=1000,ip,in_port=eth3,nw_dst=192.168.133.0/24 actions=mod_dl_dst:6a:c2:e2:88:9a:4a,output:"patch-bgp-ex-lo"
 cookie=0x3e7, duration=92.320s, table=0, n_packets=0, n_bytes=0, priority=1000,ip,in_port=eth2,nw_dst=192.168.133.0/24 actions=mod_dl_dst:6a:c2:e2:88:9a:4a,output:"patch-bgp-ex-lo"
 cookie=0x0, duration=129527.592s, table=0, n_packets=12209196, n_bytes=1965073065, priority=0 actions=NORMAL                

      This is implemented here:
      https://opendev.org/openstack/ovn-bgp-agent/src/commit/4f8fe6adbfca242c5d4ef7d4d66b9240785f945e/ovn_bgp_agent/drivers/openstack/utils/wire.py#L419

       

       

      The CIDR 192.168.133.0/24 from the previous example corresponds to the provider network's CIDR. Hence, packets whose destination IP matches that CIDR are routed so that they can reach the VM instances running on that compute. And this works well.

       

      However, when we try to ping from one VM instance to another VM's FIP, it doesn't work (it only works for VMs running on the same compute). It seems the packets whose destination IP is another VMs' FIP are not properly routed to the external interfaces due to the previously mentioned flows. Same happens with any other IP from the provider network (it doesn't need to be a VM's FIP).

       

      In thefollowing example, a VM with internal IP 192.168.199.240 tries to ping an IP from the provider network 192.168.133.1, but according to tcpdump the packets are only captured on the tap interface:

       

      [root@compute-uf4kxaep-2 ~]# tcpdump -vnne -i any icmp and host 192.168.133.1
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
08:44:27.003509 tap996ad23c-46 P   ifindex 573 fa:16:3e:45:81:f2 ethertype IPv4 (0x0800), length 104: (tos 0x0, ttl 64, id 33896, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.199.240 > 192.168.133.1: ICMP echo request, id 31267, seq 17, length 64
08:44:28.027489 tap996ad23c-46 P   ifindex 573 fa:16:3e:45:81:f2 ethertype IPv4 (0x0800), length 104: (tos 0x0, ttl 64, id 33898, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.199.240 > 192.168.133.1: ICMP echo request, id 31267, seq 18, length 64
08:44:29.051468 tap996ad23c-46 P   ifindex 573 fa:16:3e:45:81:f2 ethertype IPv4 (0x0800), length 104: (tos 0x0, ttl 64, id 33998, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.199.240 > 192.168.133.1: ICMP echo request, id 31267, seq 19, length 64

       

       

              Unassigned Unassigned
              eolivare Eduardo Olivares Toledo
              rhos-dfg-networking-squad-bgp
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: