Hi,

In my SNAT netns instance, traffic is not reaching the internet. Issue is with ARP.
If I add a manual ARP entry for the destination IP in the SNAT netns, the traffic destination reaches the internet (ping works from the VM).

sudo ip netns exec vrouter-171406b2-af22-4505-91d4-706a1b7ab143 arp -s 8.8.8.8 00:00:5e:00:01:00

So what could be the issue? Do I need to enable proxy ARP for SNAT?

Thanks
suresh.

----- Original Message -----
From: "users" <users@lists.opencontrail.org>
To: "Édouard Thuleau" <edouard.thul...@gmail.com>
Cc: "Dev" <dev-boun...@lists.opencontrail.org>, "users" <users@lists.opencontrail.org>
Sent: Saturday, June 17, 2017 5:49:27 PM
Subject: Re: [Users] SNAT Service Instance Creation (Contrail 3.2)

Hi Edouard,

Thanks. I was able to resolve this issue by setting "aaa_mode = no-auth" in the analytics api and api server config files.

Now the NetNS SNAT instance is created with Left and Right IP. But traffic is not reachable to the internet. SNAT NetNS raises the ARP Request for the Destination IP, and it didn't get a response.

Public Network - 172.24.4.0/24
My VM IP - 192.168.1.3
SNAT public interface - 172.24.4.10

When I trigger the ping to google from the VM, the veth tcp traces show the below logs,

cloud@devstack1:~$ sudo tcpdump -i veth080cdcd4-4
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth080cdcd4-4, link-type EN10MB (Ethernet), capture size 262144 bytes
15:42:01.515909 ARP, Request who-has 172.24.4.10 tell 172.24.4.2, length 28
15:42:01.515932 ARP, Reply 172.24.4.10 is-at 02:60:e9:1e:e9:52 (oui Unknown), length 28
15:42:06.182722 ARP, Request who-has par10s21-in-f206.1e100.net tell 172.24.4.10, length 28
15:42:07.180214 ARP, Request who-has par10s21-in-f206.1e100.net tell 172.24.4.10, length 28
15:42:08.180237 ARP, Request who-has par10s21-in-f206.1e100.net tell 172.24.4.10, length 28
15:42:09.180268 ARP, Request who-has 192.168.1.3 tell 172.24.4.10, length 28
15:42:09.184865 ARP, Request who-has par10s21-in-f206.1e100.net tell 172.24.4.10, length 28
15:42:10.180233 ARP, Request who-has 192.168.1.3 tell 172.24.4.10, length 28
15:42:10.184262 ARP, Request who-has par10s21-in-f206.1e100.net tell 172.24.4.10, length 28
15:42:11.180234 ARP, Request who-has 192.168.1.3 tell 172.24.4.10, length 28
15:42:11.184247 ARP, Request who-has par10s21-in-f206.1e100.net tell 172.24.4.10, length 28

Note: I have set up the Software Virtual Gateway, and I was able to reach the INTERNET via Floating IP Association.

I have attached the logs (SNAT NetNs logs) for reference.

Thanks
suresh.

----- Original Message -----
From: "Édouard Thuleau" <edouard.thul...@gmail.com>
To: "Suresh Kumar S" <sureshkuma...@altencalsoftlabs.com>
Cc: "Dev" <dev-boun...@lists.opencontrail.org>, "users" <users@lists.opencontrail.org>
Sent: Thursday, June 15, 2017 10:12:36 AM
Subject: Re: [Users] SNAT Service Instance Creation (Contrail 3.2)

Did you enable the authentication on the Analytics API?
If not, you can specify to the svc_monitor it doesn't need authentication to access the Analytics API with the config flag 'SCHEDULER.aaa_mode' set to 'no-auth'

Édouard.

On Tue, Jun 13, 2017 at 8:38 AM, Suresh Kumar S <sureshkuma...@altencalsoftlabs.com> wrote:
> Hi,
>
> This error "06/13/2017 04:27:46 AM [contrail-svc-monitor]: __default__
> [SYS_DEBUG]: SvcMonitorLog: query_uve exception Unable to connect to
> keystone for authentication. Exception HTTPConnectionPool(host='127.0.0.1',
> port=35357): Max retries exceeded with url: /v2.0/tokens (Caused by <class
> 'socket.error'>: [Errno 111] Connection refused)" due to misconfiguration of
> vnc_api_lib.ini.
>
> Now I get, "Opencontrail API returned 401 Unauthorized".
>
> The keystone config is updated in contrail-api.conf,
> contrail-svc-monitor.conf correctly.
>
> What could be the issue?
>
> Thanks
> suresh
>
> ----- Original Message -----
> From: "Suresh Kumar S" <sureshkuma...@altencalsoftlabs.com>
> To: "Suresh Kumar S" <sureshkuma...@altencalsoftlabs.com>
> Cc: "Édouard Thuleau" <edouard.thul...@gmail.com>, "Dev"
> <dev-boun...@lists.opencontrail.org>, "users" <users@lists.opencontrail.org>
> Sent: Tuesday, June 13, 2017 6:35:51 AM
> Subject: Re: [Users] SNAT Service Instance Creation (Contrail 3.2)
>
> Hi,
>
> I just narrowed down the issue, but still could not resolve it.
>
> The issue is, SVC Monitor couldn't get the authentication token from with
> contrail API(self._vnc_lib.get_auth_token())).
>
> 06/13/2017 04:27:46 AM [contrail-svc-monitor]: __default__ [SYS_DEBUG]:
> SvcMonitorLog: query_uve exception Unable to connect to keystone for
> authentication. Exception HTTPConnectionPool(host='127.0.0.1', port=35357):
> Max retries exceeded with url: /v2.0/tokens (Caused by <class
> 'socket.error'>: [Errno 111] Connection refused)
>
> Unfortunately, most of the exceptions are not handled in the svc_monitor code.
>
> Filename:
> svc_monitor/scheduler/vrouter_scheduler.py, query_uve function, Exception
> occurs in this code user_token=self._vnc_lib.get_auth_token()
>
>
> Note: I have disabled the multi_tenancy in API Server. (multi_tenancy = False)
>
> Thanks
> suresh
>
> ----- Original Message -----
> From: "users" <users@lists.opencontrail.org>
> To: "Édouard Thuleau" <edouard.thul...@gmail.com>
> Cc: "Dev" <dev-boun...@lists.opencontrail.org>, "users"
> <users@lists.opencontrail.org>
> Sent: Monday, June 12, 2017 4:37:49 PM
> Subject: Re: [Users] SNAT Service Instance Creation (Contrail 3.2)
>
> Hi,
>
> I have provisioned the vrouter in my setup using
> /usr/share/contrail-utils/provision_vrouter.py script.
>
> 1)
> Yes. I was able to list the virtual-routers from CONTRAIL VNC API output as
> below,
> (http://<CONTRAIL API_HOST IP/NAME>:8082/virtual-routers)
> output:
>
> {"virtual-routers": [{"href":
> "http://xxxxx:8082/virtual-router/a94effc9-3c3b-4b77-b199-2db29f484ff8",
> "fq_name": ["default-global-system-config", "devstack1"], "uuid":
> "a94effc9-3c3b-4b77-b199-2db29f484ff8"}]}
>
> 2. I was able to see the vrouter process analytics from UVEs API
> (http://<CONTRAIL API
> HOSTIP/NAME>:8081/analytics/uves/vrouter/<VROUTERNAME>*?cfilt=NodeStatus:process_status)
>
>
> http://xxxxxx:8081/analytics/uves/vrouter/devstack1?cfilt=NodeStatus:process_status
>
> {"NodeStatus": {"process_status": [{"instance_id": "0", "module_id":
> "contrail-vrouter-agent", "state": "Functional", "description": null,
> "connection_infos": [{"server_addrs": ["10.0.1.4:5269"], "status": "Up",
> "type": "XMPP", "name": "control-node:10.0.1.4", "description": "OpenSent"},
> {"server_addrs": ["10.0.1.4:53"], "status": "Up", "type": "XMPP", "name":
> "dns-server:10.0.1.4", "description": "OpenSent"}, {"server_addrs":
> ["10.0.1.4:8086"], "status": "Up", "type": "Collector", "name": null,
> "description": "Established"}, {"server_addrs": ["10.0.1.4:5998"], "status":
> "Up", "type": "Discovery", "name": "Collector", "description":
> "SubscribeResponse"}, {"server_addrs": ["10.0.1.4:5998"], "status": "Up",
> "type": "Discovery", "name": "dns-server", "description":
> "SubscribeResponse"}, {"server_addrs": ["10.0.1.4:5998"], "status": "Up",
> "type": "Discovery", "name": "xmpp-server", "description":
> "SubscribeResponse"}]}]}}
>
> I think this output also looks good.
> Am I missing anything?
>
>
> I suspect, SVC Monitor could not communicate with Analytics UVE API?
> I have attached svc monitor config file for reference.
>
> Thanks
> suresh
>
>
> ----- Original Message -----
> From: "Édouard Thuleau" <edouard.thul...@gmail.com>
> To: "Suresh Kumar S" <sureshkuma...@altencalsoftlabs.com>
> Cc: "Ravindra Rathi" <ravindra_ra...@yahoo.com>, "Dev"
> <dev-boun...@lists.opencontrail.org>, "users" <users@lists.opencontrail.org>
> Sent: Monday, June 12, 2017 3:46:03 PM
> Subject: Re: [Users] SNAT Service Instance Creation (Contrail 3.2)
>
> Hi,
>
> opencontrail-vrouter-netns is not a daemon, just a script run by
> vrouter agents on compute node to set up a Linux namespace that will be
> in charge of the masquerading between private and public networks. As
> Jakub asked, you just need to have that binary available on the
> compute node and executable.
> The svc_monitor log 'SvcMonitorLog: No vrouter available for VM ' you
> mentioned means the svc_monitor service was not able to find any
> available vrouter agent to schedule Linux namespace. The svc_monitor
> lists vrouter from the Contrail VNC API so you have beforehand to
> provision vrouters (look to the script provision_vrouter.py for that).
> You can check which vrouters are provisioned by listing the resource
> collection 'virtual-routers' from the VNC API (http://<CONTRAIL API
> HOST IP/NAME>:8082/virtual-routers). Then the svc_monitor uses the
> analytics UVEs API (http://<CONTRAIL API HOST
> IP/NAME>:8081/analytics/uves/vrouter/<VROUTER
> NAME>*?cfilt=NodeStatus:process_status) to determine if vrouters are
> in correct state before it selects them.
>
> Regards,
> Édouard.
>
> On Mon, Jun 12, 2017 at 5:31 AM, Suresh Kumar S via Users
> <users@lists.opencontrail.org> wrote:
>> Hi Ravindra,
>>
>> Thanks. Even I am not running contrail-nodemgr. This is new info to me.
>> Let me try.
>>
>> Thanks
>> suresh.
>>
>>
>> ________________________________
>> From: "Ravindra Rathi" <ravindra_ra...@yahoo.com>
>> To: "Jakub Pavlik" <jpav...@mirantis.com>, "Suresh Kumar S"
>> <sureshkuma...@altencalsoftlabs.com>
>> Cc: "Dev" <dev-boun...@lists.opencontrail.org>, "users"
>> <users@lists.opencontrail.org>
>> Sent: Monday, June 12, 2017 12:01:15 AM
>> Subject: Re: [Users] SNAT Service Instance Creation (Contrail 3.2)
>>
>> Hi Suresh/Jakub,
>> I am also facing the same issue.
>> I wonder if this is related to "contrail-nodemgr" not running on compute
>> node?
>> I mean, that is my read of the situation after going through archives of
>> mailing list.
>> In my case, "contrail-nodemgr" was not running on compute node and I am
>> still not able to make it run successfully. Log file has a bunch of "import
>> module" errors.
>>
>> Thanks,
>> Ravindra
>>
>>
>> On Sunday, June 11, 2017 12:55 PM, Jakub Pavlik <jpav...@mirantis.com>
>> wrote:
>>
>>
>> Hi Suresh,
>>
>> 1) please check that all your virtual routers are registered in UI.
>>
>> 2) try on the compute call opencontrail-vrouter-netns if it is executable. I
>> saw similar issue in the past.
>>
>> Jakub
>>
>> On Sun, Jun 11, 2017 at 12:02 PM, Suresh Kumar S via Users
>> <users@lists.opencontrail.org> wrote:
>>
>> Hi,
>>
>> SNAT service instance is not working in my setup.
>>
>> In my setup (Contrail 3.2, + openstack Mitaka),
>> - VM Creation, associating floating ip is working fine. Able to SSH to VM via
>> floating IP and reaching the INTERNET works fine.
>>
>> Next, I tried to set up the SNAT, Service Instance as mentioned in the link
>> (but used neutron APIs instead of contrail)
>>
>> https://www.juniper.net/documentation/en_US/contrail3.2/topics/task/configuration/snat-vnc.html
>>
>> In the svcmonitor log shows service instance is created. Also I could see
>> the service instance in the introspect of svc-monitor also.
>> SNAT Networks, ports are created. I was able to see them in the neutron
>> port-list output.
>> But no network namespaces created in compute node.
>>
>> For further debugging, I see the following error in the svc monitor logs.
>>
>> Also, I see the below error in the svc monitor logs,
>> 06/10/2017 02:33:47 PM [contrail-svc-monitor]: __default__ [SYS_ERR]:
>> SvcMonitorLog: vrouter not found for vm e6d8e241-9e3c-4758-a5a2-bb034fdb4380
>> 06/10/2017 02:33:47 PM [contrail-svc-monitor]: __default__ [SYS_ERR]:
>> SvcMonitorLog: vrouter not found for vm 3668b94a-d19a-4dae-a810-d4b4d45a7a43
>> 06/10/2017 02:33:47 PM [contrail-svc-monitor]: __default__ [SYS_ERR]:
>> SvcMonitorLog: No vrouter available for VM default-domain__demo__snat_3cade500-9942-4e54-89af-5c5bd3089645_0fc5210f-bfe9-4b8f-9487-9567e25d15c6__1
>>
>> Question1:
>> Any pointers from the above logs, for further debugging?
>>
>> Question2:
>> Do I need to start the contrail-vrouter-netns daemon, as mentioned in the
>> below.
>> https://github.com/Juniper/contrail-controller/tree/R3.2/src/vnsw/opencontrail-vrouter-netns
>>
>> I have installed vrouter-netns package, and didn't start the
>> "netns-daemon-start" daemon. Is it still applicable?
>> Please confirm.
>>
>> Thanks
>> suresh
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users@lists.opencontrail.org
>> http://lists.opencontrail.org/mailman/listinfo/users_lists.opencontrail.org
>>
>>
>>
>>
>> --
>> Jakub Pavlik
>> +420 602 177 027
>> jpav...@mirantis.com
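
A way to summarise the tcpdump capture quoted in this thread, as an added example that is not part of any poster's message: it lists ARP requests that never received a reply and marks whether each target lies inside the public network 172.24.4.0/24 given in the thread. The function name and the embedded sample (the ARP lines from the quoted capture) are assumptions of this example; a hostname target means the capture was taken without `-n`, so its address is unknown.

```python
import ipaddress
import re

# Sample input for this added example: the ARP lines from the capture quoted in the thread.
CAPTURE = """\
15:42:01.515909 ARP, Request who-has 172.24.4.10 tell 172.24.4.2, length 28
15:42:01.515932 ARP, Reply 172.24.4.10 is-at 02:60:e9:1e:e9:52 (oui Unknown), length 28
15:42:06.182722 ARP, Request who-has par10s21-in-f206.1e100.net tell 172.24.4.10, length 28
15:42:07.180214 ARP, Request who-has par10s21-in-f206.1e100.net tell 172.24.4.10, length 28
15:42:08.180237 ARP, Request who-has par10s21-in-f206.1e100.net tell 172.24.4.10, length 28
15:42:09.180268 ARP, Request who-has 192.168.1.3 tell 172.24.4.10, length 28
15:42:09.184865 ARP, Request who-has par10s21-in-f206.1e100.net tell 172.24.4.10, length 28
15:42:10.180233 ARP, Request who-has 192.168.1.3 tell 172.24.4.10, length 28
15:42:10.184262 ARP, Request who-has par10s21-in-f206.1e100.net tell 172.24.4.10, length 28
15:42:11.180234 ARP, Request who-has 192.168.1.3 tell 172.24.4.10, length 28
15:42:11.184247 ARP, Request who-has par10s21-in-f206.1e100.net tell 172.24.4.10, length 28
"""

REQUEST = re.compile(r"ARP, Request who-has (\S+) tell (\S+), length")
REPLY = re.compile(r"ARP, Reply (\S+) is-at ")


def unanswered_arp(capture, local_net):
    """Summarise ARP requests that got no reply anywhere in the capture.

    Hypothetical helper written for this example, not Contrail code.
    """
    net = ipaddress.ip_network(local_net)
    answered = set(REPLY.findall(capture))
    summary = {}
    for target, asker in REQUEST.findall(capture):
        if target in answered:
            continue
        try:
            on_link = ipaddress.ip_address(target) in net
        except ValueError:
            on_link = None  # tcpdump printed a name (no -n), address unknown
        entry = summary.setdefault(
            target, {"askers": set(), "count": 0, "on_link": on_link})
        entry["askers"].add(asker)
        entry["count"] += 1
    return summary


if __name__ == "__main__":
    for target, info in unanswered_arp(CAPTURE, "172.24.4.0/24").items():
        print(target, sorted(info["askers"]), info["count"], info["on_link"])
```

On the quoted capture this reports two unanswered targets, both requested by 172.24.4.10: the resolved Google hostname and 192.168.1.3, the latter outside 172.24.4.0/24.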