Struggling with OpenStack Neutron networking issues? This guide gives you practical steps to identify and resolve common problems like connectivity failures, VLAN misconfigurations, DNS/DHCP issues, and more. Here’s what you’ll find:

  • Quick fixes for basic connectivity issues using tools like ping, traceroute, and tcpdump.
  • Step-by-step troubleshooting for VLAN setups, virtual routers, and Linux bridges.
  • Log file locations and commands to debug Neutron components like DHCP and L3 agents.
  • Security group misconfigurations explained, with easy ways to test and resolve them.
  • Advanced tools like Open vSwitch (OVS) diagnostics and containerized service logs for deeper insights.

We’ll equip you with the tools and commands to keep your OpenStack network running smoothly. Let’s get into it!

Preparing to Troubleshoot

Efficient troubleshooting in OpenStack can save you a lot of time and effort.

Network Testing Tools

Command-line tools are key for diagnosing network issues. For example, the ping command is great for checking basic connectivity. It uses the ICMP protocol and is perfect for initial tests.

If you need to analyze the path that data takes, traceroute is your tool. On Unix-like systems, it uses UDP packets by default, while Windows systems (using tracert) rely on ICMP Echo Request packets.

| Tool | Primary Use | Protocol |
|---|---|---|
| ping | Basic connectivity | ICMP |
| traceroute/tracert | Path analysis | UDP/ICMP |
| tcpdump | Packet analysis | All protocols |
| neutron CLI | Service management | API |

Finding Network Logs

Network logs are a goldmine for identifying problems. Neutron service logs are stored in the /var/log/neutron/ directory on their respective host machines. Each component has its own log file:

| Component | Log Location |
|---|---|
| DHCP Agent | /var/log/neutron/dhcp-agent.log |
| L3 Agent | /var/log/neutron/l3-agent.log |
| Server | /var/log/neutron/server.log |
| Metadata Agent | /var/log/neutron/metadata-agent.log |

To troubleshoot effectively, correlate timestamps across these logs to identify patterns or issues.
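One way to do that correlation, as an added example rather than code from this guide or the Neutron project: the script merges lines from several Neutron logs into one timeline and lists what the other services logged within two seconds of each ERROR. It assumes the default oslo.log line layout; the sample lines and function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed oslo.log default layout: "<date> <time>.<ms> <pid> <LEVEL> <logger> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\d+ (?P<level>[A-Z]+) (?P<msg>\S+ .*)$"
)

# Constructed sample lines (not real output), keyed by the files listed above.
SAMPLE_LOGS = {
    "server.log": [
        "2025-04-03 10:15:01.900 3011 INFO neutron.wsgi [req-example] POST /v2.0/ports status: 201",
        "2025-04-03 10:20:00.000 3011 INFO neutron.wsgi [req-example] GET /v2.0/networks status: 200",
    ],
    "dhcp-agent.log": [
        "2025-04-03 10:15:02.113 2204 ERROR neutron.agent.dhcp.agent [-] Unable to enable dhcp (constructed)",
        "    continuation line without a timestamp",
    ],
    "l3-agent.log": [
        "2025-04-03 10:15:02.950 2310 WARNING neutron.agent.l3.agent [-] Router sync delayed (constructed)",
        "2025-04-03 10:40:00.000 2310 INFO neutron.agent.l3.agent [-] Periodic sync done (constructed)",
    ],
}


def parse(source, lines):
    """Return [timestamp, source, level, message] entries for one log file."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            entries.append([ts, source, m["level"], m["msg"]])
        elif entries:  # untimestamped continuation: attach to the previous entry
            entries[-1][3] += " | " + line.strip()
    return entries


def timeline(logs):
    """Merge every file into one list ordered by timestamp."""
    merged = [e for src, lines in logs.items() for e in parse(src, lines)]
    return sorted(merged, key=lambda e: e[0])


def correlate(logs, window_s=2.0):
    """For each ERROR/CRITICAL entry, list entries from other files within the window."""
    events, window = timeline(logs), timedelta(seconds=window_s)
    return [
        (anchor, [e for e in events
                  if e[1] != anchor[1] and abs(e[0] - anchor[0]) <= window])
        for anchor in events if anchor[2] in ("ERROR", "CRITICAL")
    ]


if __name__ == "__main__":
    for anchor, nearby in correlate(SAMPLE_LOGS):
        print(anchor[0], anchor[1], anchor[2], anchor[3])
        for ts, src, level, msg in nearby:
            print("   ", ts, src, level, msg)
```

On a real host, replace SAMPLE_LOGS with the lines read from the files under /var/log/neutron/ and widen the window if the nodes' clocks are not tightly synchronized.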

Network Components

OpenStack networking relies on several key services working together. The neutron-server handles API requests and database access, usually running on controller nodes. Meanwhile, Layer 2 (L2) and Layer 3 (L3) agents manage network segmentation and routing, respectively.

You can check the status of these components with this command:

openstack network agent list

This will show all network agents and their current status. Make sure all agents are active and configured correctly for your chosen network plugin.

Armed with these tools and insights, you’re ready to tackle connection issues in the next section.

Fixing Connection Problems

When OpenStack Neutron encounters network issues, a structured approach can help pinpoint and resolve connectivity problems. This guide walks you through testing connectivity, checking VLAN setups, and addressing DNS/DHCP issues step by step.

Testing Basic Connectivity

Start by using ping to test connectivity at critical network points. This helps narrow down where the issue might be.

| Test Target | What It Reveals | Next Steps If Failed |
|---|---|---|
| Internet | External connectivity | Check if other machines can access the internet. |
| Physical Router | Local gateway issues | Inspect the router or switch status. |
| Neutron Router | OpenStack networking | Look into the L3 agent logs. |
| Other Instances | Internal networking | Check the virtual switching configuration. |

To find the relevant namespace:

ip netns list

To capture ICMP traffic for troubleshooting:

ip netns exec qrouter-62ed467e-abae-4ab4-87f4-13a9937fbd6b tcpdump -qnntpi any icmp

If these tests pass, move on to verifying VLAN configurations.

VLAN and Network Setup

Here are key areas to inspect when dealing with VLAN and network setup issues:

  • Bridge Interface Flow: Use this command to inspect flows on the bridge interface:
    ovs-ofctl dump-flows br-ex
    
  • L3 Agent Configuration: Check the /etc/neutron/l3_agent.ini file to ensure the external_network_bridge value is not empty.
  • VLAN Ranges: Confirm the tenant network VLAN IDs in /etc/neutron/plugin.ini.

To create a VLAN provider network, you can use these commands:

neutron net-create provider --provider:network_type=vlan --provider:physical_network=phy-eno1 --provider:segmentation_id=120
neutron subnet-create "provider" --allocation-pool start=192.168.120.1,end=192.168.120.253 --disable-dhcp --gateway 192.168.120.254 192.168.120.0/24

Once the VLAN setup is confirmed, focus on DNS and DHCP configurations.

DNS and DHCP Solutions

Problems with DNS or DHCP can prevent instances from being configured correctly. Follow these steps to troubleshoot:

  1. Check the DHCP Agent Status:
    neutron agent-list
    
  2. Use dhcpdump in the DHCP namespace to monitor DHCP traffic during instance startup.
  3. Set Up DNS Resolution:
    openstack subnet set --dns-nameserver 8.8.8.8 flat-subnet
    

    Add the following settings to /etc/neutron/dhcp_agent.ini:

    [DEFAULT]
    dnsmasq_dns_servers = 8.8.8.8,8.8.4.4
    dnsmasq_local_resolv = true
    

Finally, check for errors in the DHCP logs located at /var/log/neutron/dhcp-agent.log.

Virtual Network Repairs

Once you’ve tackled basic connection problems, it’s time to focus on the virtual network components to wrap up your troubleshooting process.

Open vSwitch (OVS) Fixes

Here are some commands to help pinpoint and resolve OVS issues:

# Get an overview of the database configuration
ovs-vsctl show

# Display OpenFlow table entries
ovs-ofctl dump-flows br-int

# Inspect datapath flows
ovs-dpctl dump-flows

Typical OVS issues and how to address them:

| Problem | Diagnostic Command | Fix |
|---|---|---|
| Missing Ports | ovs-vsctl list-ports br-int | Add back missing ports using ovs-vsctl add-port |
| Flow Table Errors | ovs-ofctl dump-flows br-int | Clear and reinitialize flows with ovs-ofctl del-flows |
| Connectivity Problems | ovs-appctl bridge/dump-flows br-int | Check port settings and ensure direct connectivity |

Linux Bridge Solutions

Linux bridge problems often arise when the agent appears ‘admin up’ but isn’t functioning. Start by reviewing the configurations:

brctl show br-mgmt
ip address show dev br-mgmt

Double-check the bridge agent settings in /etc/neutron/plugins/ml2/linuxbridge_agent.ini:

[linux_bridge]
physical_interface_mappings = provider:eth1

To confirm VLAN connectivity, use:

ip link show | grep eth1
tcpdump -i eth1 -n vlan

Ensure these configurations are accurate to keep the virtual network running smoothly.

Virtual Router Fixes

Issues with virtual routers can interrupt tenant connectivity. Use the following commands to diagnose and resolve problems:

# List router namespaces and test connectivity
ip netns list | grep qrouter
ip netns exec qrouter-<ID> ping 8.8.8.8

# Check SNAT rules
ip netns exec qrouter-<ID> iptables -t nat -L -n -v

When adjustments are needed, follow these steps:

openstack router show <router_name>
neutron router-port-list <router_id>
neutron router-gateway-clear <router_id>
neutron router-gateway-set <router_id> <external_network_id>

Security Group Problems

Security group misconfigurations can block connectivity. Here’s how to identify and resolve these issues.

Finding Security Group Errors

OpenStack’s default security group settings are intentionally restrictive, which can block connectivity for new instances. To troubleshoot:

# List security groups and their rules
openstack security group list
openstack security group rule list default

# Check instance security group assignments
openstack server show <instance_id>

Some common issues include:

| Problem | Symptom | How to Check |
|---|---|---|
| Asymmetric Rules | Outbound traffic works, inbound fails | iptables-save |
| Missing ICMP Rules | Ping requests fail | openstack security group rule list default |
| Incorrect Port Range | Application timeouts occur | neutron security-group-rule-list |

If these steps don’t solve the problem, check for potential firewall conflicts.
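The three problems in the table above can be reproduced offline by evaluating a rule set against the flows you expect to work. The following is an added example, not code from this guide or from Neutron: it uses the Neutron security-group-rule field names, while the rule set, the flows, the group ID placeholder and the function names are constructed for illustration.

```python
import ipaddress

# Constructed rule set in the Neutron security-group-rule field layout.
# It mimics a default group (egress open, ingress only from group members)
# plus one application rule whose port range is wrong for a service on 8443.
RULES = [
    {"direction": "egress", "ethertype": "IPv4", "protocol": None,
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": None, "remote_group_id": None},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": None,
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": None, "remote_group_id": "sg-self-placeholder"},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 8080, "port_range_max": 8080,
     "remote_ip_prefix": "10.0.0.0/24", "remote_group_id": None},
]


def rule_allows(rule, direction, protocol, peer_ip, port=None):
    """True if one rule admits a NEW connection (replies are handled by conntrack)."""
    peer = ipaddress.ip_address(peer_ip)
    if rule["direction"] != direction or rule["ethertype"] != f"IPv{peer.version}":
        return False
    if rule["protocol"] not in (None, protocol):
        return False
    if rule["remote_group_id"]:
        return False  # needs group membership data; treat the peer as a non-member
    prefix = rule["remote_ip_prefix"]
    if prefix and peer not in ipaddress.ip_network(prefix):
        return False
    lo, hi = rule["port_range_min"], rule["port_range_max"]
    if protocol in ("tcp", "udp") and lo is not None:
        return port is not None and lo <= port <= hi
    return True  # ICMP type/code filters are not modelled here


def blocked_flows(rules, flows):
    """Return the flows that no rule admits (security groups are default-deny)."""
    return [f for f in flows if not any(rule_allows(r, *f) for r in rules)]


# Constructed test flows: (direction, protocol, peer_ip, port)
FLOWS = [
    ("egress", "tcp", "198.51.100.7", 443),     # outbound HTTPS
    ("ingress", "icmp", "203.0.113.10", None),  # ping from outside the group
    ("ingress", "tcp", "203.0.113.10", 22),     # SSH from outside the group
    ("ingress", "tcp", "10.0.0.15", 8080),      # matches the application rule
    ("ingress", "tcp", "10.0.0.15", 8443),      # service port outside the rule's range
]

if __name__ == "__main__":
    for flow in blocked_flows(RULES, FLOWS):
        print("blocked:", flow)
```

The blocked ping is the missing ICMP rule, the blocked SSH alongside working egress is the asymmetric case, and the blocked 8443 flow is the incorrect port range.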

Fixing Firewall Conflicts

Conflicts between Open vSwitch (OVS) and iptables can disrupt security group rules. To troubleshoot:

# Check the firewall driver in use
grep -i firewall_driver /etc/neutron/plugins/ml2/openvswitch_agent.ini

Here are some key differences to keep in mind:

  • OVS blocks INVALID connection states, while iptables may allow them if they match security group rules.
  • Multicast traffic (224.0.0.X) passes through OVS by default but requires explicit rules in iptables.
  • Firewall-as-a-Service (FWaaS) rules can override security group settings.

Testing Security Changes

After adjusting security groups, always test the changes:

# Create a test security group
openstack security group create test_group --description "test group"

# Add test rules
openstack security group rule create test_group \
    --protocol tcp \
    --dst-port 22:22 \
    --remote-ip 0.0.0.0/0

“Security groups are sets of IP filter rules that are applied to all project instances, which define networking access to the instance.” – OpenStack Docs

Follow these steps to confirm everything is working:

  • Check rule propagation: Ensure iptables reflects the new rules.
  • Test connectivity: Verify ICMP traffic passes through.
  • Validate port access: Confirm specific ports, like SSH, are accessible.
  • Confirm bidirectional flow: Ensure traffic flows both ways without issues.

Once testing is complete, clean up the test security group:

# Delete the test security group
openstack security group delete test_group

Finally, verify overall network connectivity to confirm the changes are effective.

OpenMetal Network Solutions

OpenMetal provides integrated tools to simplify network troubleshooting, building on standard Neutron capabilities with improved logging and container-based setups.

OpenMetal Cloud Features

The OpenStack-powered infrastructure from OpenMetal offers tools for handling network issues. By using Kolla Ansible, OpenStack services are deployed in Docker containers, making network management more efficient. All network logs are centralized in /var/log/kolla/<service-name>, allowing for faster problem solving.

For advanced log management, OpenMetal supports integration with the Elasticsearch and Kibana (ELK) stack, offering:

| Feature | Benefit | Implementation |
|---|---|---|
| Log Aggregation | Centralized view of all network events | Automatically collects logs from services |
| Visual Analytics | Interactive dashboards for monitoring | Powered by Kibana visualizations |
| Search Capabilities | Quickly find network issues | Full-text search across logs |

Network Management with OpenMetal

OpenMetal enhances troubleshooting by leveraging OpenStack Neutron’s Network-as-a-Service features. It integrates with OpenStack’s tools to improve network diagnostics.

Administrators can use commands like these to investigate network issues:

docker logs neutron_server
less /var/log/kolla/neutron/server.log

This centralized logging system helps pinpoint common problems:

| Issue Type | Log Location | Key Indicators |
|---|---|---|
| Connection Failures | neutron-server logs | Error codes, stack traces |
| DHCP Problems | neutron-dhcp-agent logs | IP allocation failures |
| Router Issues | neutron-l3-agent logs | Routing table errors |

Additionally, OpenMetal’s integration with Ceph ensures dependable storage networking, while its containerized services allow updates without service interruptions.

Wrapping Up: Troubleshooting Neutron Networking in OpenStack

This section outlines troubleshooting steps and maintenance practices for networking issues, combining established methods with OpenMetal’s advanced solutions. Use this guide to ensure your network stays reliable and efficient!

Quick Reference Guide

Follow these steps to troubleshoot Neutron networking issues effectively:

| Issue Type | Basic Tests | Advanced Troubleshooting | Key Steps |
|---|---|---|---|
| Basic Connectivity | Use ping to test connectivity between internet, router, and VMs | Run tcpdump at critical points | Check service status; restart if needed |
| VLAN Setup | Ping the gateway IP | Inspect flow and configuration | Confirm VLAN ranges |
| Namespace Issues | Identify the network namespace | Use ip netns exec commands | Verify namespace setup |
| DNS/DHCP | Check the dnsmasq process | Test hostname resolution | Restart the DHCP agent |
| OVS Problems | Confirm OVS bridges | Inspect port connections | Ensure correct bridge configuration |

These steps address common issues, but ongoing maintenance is of course required for long-term network stability.

Network Maintenance Tips

Keep your network in top shape with these practices:

  • Service Monitoring
    • Use automated tools to track OpenStack services.
    • Set up alerts for critical metrics to catch issues early.
    • Early detection helps minimize downtime.
  • Regular Updates
    • Update OpenStack components on a consistent schedule.
    • Keep a centralized log of Neutron changes for easy reference.
  • Automated Diagnostics
    • Use tools like easyOVS and Don for faster troubleshooting.
    • Automate diagnostics to save time and reduce manual effort.

| Maintenance Task | Frequency | Why It Matters |
|---|---|---|
| Service Status Check | Daily | Spot agent issues early |
| Log Analysis | Weekly | Identify recurring problems |
| Configuration Backup | Monthly | Simplify recovery processes |
| Security Group Audit | Quarterly | Avoid connectivity disruptions |
