Troubleshooting Neutron Networking in OpenStack

Updated on May 13, 2025 by Lauren Morley

In this article

Struggling with OpenStack Neutron networking issues? This guide gives you practical steps to identify and resolve common problems like connectivity failures, VLAN misconfigurations, DNS/DHCP issues, and more. Here’s what you’ll find:

  • Quick fixes for basic connectivity issues using tools like ping, traceroute, and tcpdump.
  • Step-by-step troubleshooting for VLAN setups, virtual routers, and Linux bridges.
  • Log file locations and commands to debug Neutron components like DHCP and L3 agents.
  • Security group misconfigurations explained, with easy ways to test and resolve them.
  • Advanced tools like Open vSwitch (OVS) diagnostics and containerized service logs for deeper insights.

We’ll equip you with the tools and commands to keep your OpenStack network running smoothly. Let’s get into it!

Related Video: Troubleshooting Neutron Virtual Networks

Preparing to Troubleshoot

Efficient troubleshooting in OpenStack can save you a lot of time and effort.

Network Testing Tools

Command-line tools are key for diagnosing network issues. For example, the ping command is great for checking basic connectivity. It uses the ICMP protocol and is perfect for initial tests.

If you need to analyze the path that data takes, traceroute is your tool. On Unix-like systems, it uses UDP packets by default, while Windows systems (using tracert) rely on ICMP Echo Request packets.

ToolPrimary UseProtocol
pingBasic connectivityICMP
traceroute/tracertPath analysisUDP/ICMP
tcpdumpPacket analysisAll protocols
neutron CLIService managementAPI

Finding Network Logs

Network logs are a goldmine for identifying problems. Neutron service logs are stored in the /var/log/neutron/ directory on their respective host machines. Each component has its own log file:

ComponentLog Location
DHCP Agent/var/log/neutron/dhcp-agent.log
L3 Agent/var/log/neutron/l3-agent.log
Server/var/log/neutron/server.log
Metadata Agent/var/log/neutron/metadata-agent.log

To troubleshoot effectively, correlate timestamps across these logs to identify patterns or issues.

Network Components

OpenStack networking relies on several key services working together. The neutron-server handles API requests and database access, usually running on controller nodes. Meanwhile, Layer 2 (L2) and Layer 3 (L3) agents manage network segmentation and routing, respectively.

You can check the status of these components with this command:

openstack network agent list

This will show all network agents and their current status. Make sure all agents are active and configured correctly for your chosen network plugin.

Armed with these tools and insights, you’re ready to tackle connection issues in the next section.

Fixing Connection Problems

When OpenStack Neutron encounters network issues, a structured approach can help pinpoint and resolve connectivity problems. This guide walks you through testing connectivity, checking VLAN setups, and addressing DNS/DHCP issues step by step.

Testing Basic Connectivity

Start by using ping to test connectivity at critical network points. This helps narrow down where the issue might be.

Test TargetWhat It RevealsNext Steps If Failed
InternetExternal connectivityCheck if other machines can access the internet.
Physical RouterLocal gateway issuesInspect the router or switch status.
Neutron RouterOpenStack networkingLook into the L3 agent logs.
Other InstancesInternal networkingCheck the virtual switching configuration.

To find the relevant namespace:

ip netns list

To capture ICMP traffic for troubleshooting:

ip netns exec qrouter-62ed467e-abae-4ab4-87f4-13a9937fbd6b tcpdump -qnntpi any icmp

If these tests pass, move on to verifying VLAN configurations.

VLAN and Network Setup

Here are key areas to inspect when dealing with VLAN and network setup issues:

  • Bridge Interface Flow: Use this command to inspect flows on the bridge interface:
    ovs-ofctl dump-flows br-ex
  • L3 Agent Configuration: Check the /etc/neutron/l3_agent.ini file to ensure the external_network_bridge value is not empty.
  • VLAN Ranges: Confirm the tenant network VLAN IDs in /etc/neutron/plugin.ini.

To create a VLAN provider network, you can use these commands:

neutron net-create provider --provider:network_type=vlan --provider:physical_network=phy-eno1 --provider:segmentation_id=120
neutron subnet-create "provider" --allocation-pool start=192.168.120.1,end=192.168.120.253 --disable-dhcp --gateway 192.168.120.254 192.168.120.0/24

Once the VLAN setup is confirmed, focus on DNS and DHCP configurations.

DNS and DHCP Solutions

Problems with DNS or DHCP can prevent instances from being configured correctly. Follow these steps to troubleshoot:

  1. Check the DHCP Agent Status:
    neutron agent-list
  2. Use dhcpdump in the DHCP namespace to monitor DHCP traffic during instance startup.
  3. Set Up DNS Resolution:
    openstack subnet set --dns-nameserver 8.8.8.8 flat-subnet

    Add the following settings to /etc/neutron/dhcp_agent.ini:

    dnsmasq_dns_servers = 8.8.8.8,8.8.4.4
dnsmasq_local_resolv = true

Finally, check for errors in the DHCP logs located at /var/log/neutron/dhcp-agent.log.

sbb-itb-f4461f5

Virtual Network Repairs

Once you’ve tackled basic connection problems, it’s time to focus on the virtual network components to wrap up your troubleshooting process.

Open vSwitch (OVS) Fixes

Open vSwitch

Here are some commands to help pinpoint and resolve OVS issues:

# Get an overview of the database configuration
ovs-vsctl show

# Display OpenFlow table entries
ovs-ofctl dump-flows br-int

# Inspect datapath flows
ovs-dpctl dump-flows

Typical OVS issues and how to address them:

ProblemDiagnostic CommandFix
Missing Portsovs-vsctl list-ports br-intAdd back missing ports using ovs-vsctl add-port
Flow Table Errorsovs-ofctl dump-flows br-intClear and reinitialize flows with ovs-ofctl del-flows
Connectivity Problemsovs-appctl bridge/dumpflows br-intCheck port settings and ensure direct connectivity

Linux Bridge Solutions

Linux bridge problems often arise when the agent appears ‘admin up’ but isn’t functioning. Start by reviewing the configurations:

brctl show br-mgmt
ip address show dev br-mgmt

Double-check the bridge agent settings in /etc/neutron/plugins/ml2/linuxbridge_agent.ini:

[linux_bridge]
physical_interface_mappings = provider:eth1

To confirm VLAN connectivity, use:

ip link show | grep eth1
tcpdump -i eth1 -n vlan

Ensure these configurations are accurate to keep the virtual network running smoothly.

Virtual Router Fixes

Issues with virtual routers can interrupt tenant connectivity. Use the following commands to diagnose and resolve problems:

# List router namespaces and test connectivity
ip netns list | grep qrouter
ip netns exec qrouter-<ID> ping 8.8.8.8

# Check SNAT rules
ip netns exec qrouter-<ID> iptables -t nat -L -n -v

When adjustments are needed, follow these steps:

openstack router show <router_name>
neutron router-port-list <router_id>
neutron router-gateway-clear <router_id>
neutron router-gateway-set <router_id> <external_network_id>

Security Group Problems

Security group misconfigurations can block connectivity. Here’s how to identify and resolve these issues.

Finding Security Group Errors

OpenStack’s default security group settings are intentionally restrictive, which can block connectivity for new instances. To troubleshoot:

# List security groups and their rules
openstack security group list
openstack security group rule list default

# Check instance security group assignments
openstack server show <instance_id>

Some common issues include:

ProblemSymptomHow to Check
Asymmetric RulesOutbound traffic works, inbound fails`iptables-save
Missing ICMP RulesPing requests fail`openstack security group rule list default
Incorrect Port RangeApplication timeouts occur`neutron security-group-rule-list

If these steps don’t solve the problem, check for potential firewall conflicts.

Fixing Firewall Conflicts

Conflicts between Open vSwitch (OVS) and iptables can disrupt security group rules. To troubleshoot:

# Check the firewall driver in use
grep -i firewall_driver /etc/neutron/plugins/ml2/openvswitch_agent.ini

Here are some key differences to keep in mind:

  • OVS blocks INVALID connection states, while iptables may allow them if they match security group rules.
  • Multicast traffic (224.0.0.X) passes through OVS by default but requires explicit rules in iptables.
  • Firewall-as-a-Service (FWaaS) rules can override security group settings.

Testing Security Changes

After adjusting security groups, always test the changes:

# Create a test security group
openstack security group create test_group --description "test group"

# Add test rules
openstack security group rule create test_group \
    --protocol tcp \
    --dst-port 22:22 \
    --remote-ip 0.0.0.0/0

“Security groups are sets of IP filter rules that are applied to all project instances, which define networking access to the instance.” – OpenStack Docs

Follow these steps to confirm everything is working:

  • Check rule propagation: Ensure iptables reflects the new rules.
  • Test connectivity: Verify ICMP traffic passes through.
  • Validate port access: Confirm specific ports, like SSH, are accessible.
  • Confirm bidirectional flow: Ensure traffic flows both ways without issues.

Once testing is complete, clean up the test security group:

# Delete the test security group
openstack security group delete test_group

Finally, verify overall network connectivity to confirm the changes are effective.

OpenMetal Network Solutions

OpenMetal provides integrated tools to simplify network troubleshooting, building on standard Neutron capabilities with improved logging and container-based setups.

OpenMetal Cloud Features

The OpenStack-powered infrastructure from OpenMetal offers tools for handling network issues. By using Kolla Ansible, OpenStack services are deployed in Docker containers, making network management more efficient. All network logs are centralized in /var/log/kolla/<service-name>, allowing for faster problem solving.

For advanced log management, OpenMetal supports integration with the Elasticsearch and Kibana (ELK) stack, offering:

FeatureBenefitImplementation
Log AggregationCentralized view of all network eventsAutomatically collects logs from services
Visual AnalyticsInteractive dashboards for monitoringPowered by Kibana visualizations
Search CapabilitiesQuickly find network issuesFull-text search across logs

Network Management with OpenMetal

OpenMetal enhances troubleshooting by leveraging OpenStack Neutron’s Network-as-a-Service features. It integrates with OpenStack’s tools to improve network diagnostics.

Administrators can use commands like these to investigate network issues:

docker logs neutron_server
less /var/log/kolla/neutron/server.log

This centralized logging system helps pinpoint common problems:

Issue TypeLog LocationKey Indicators
Connection Failuresneutron-server logsError codes, stack traces
DHCP Problemsneutron-dhcp-agent logsIP allocation failures
Router Issuesneutron-l3-agent logsRouting table errors

Additionally, OpenMetal’s integration with Ceph ensures dependable storage networking, while its containerized services allow updates without service interruptions.

Wrapping Up: Troubleshooting Neutron Networking in OpenStack

This section outlines troubleshooting steps and maintenance practices for networking issues, combining established methods with OpenMetal’s advanced solutions. Use this guide to ensure your network stays reliable and efficient!

Quick Reference Guide

Follow these steps to troubleshoot Neutron networking issues effectively:

Issue TypeBasic TestsAdvanced TroubleshootingKey Steps
Basic ConnectivityUse ping to test connectivity between internet, router, and VMsRun tcpdump at critical pointsCheck service status; restart if needed
VLAN SetupPing the gateway IPInspect flow and configurationConfirm VLAN ranges
Namespace IssuesIdentify the network namespaceUse ip netns exec commandsVerify namespace setup
DNS/DHCPCheck the dnsmasq processTest hostname resolutionRestart the DHCP agent
OVS ProblemsConfirm OVS bridgesInspect port connectionsEnsure correct bridge configuration

These steps address common issues, but ongoing maintenance is of course required for long-term network stability.

Network Maintenance Tips

Keep your network in top shape with these practices:

  • Service Monitoring
    • Use automated tools to track OpenStack services.
    • Set up alerts for critical metrics to catch issues early.
    • Early detection helps minimize downtime.
  • Regular Updates
    • Update OpenStack components on a consistent schedule.
    • Keep a centralized log of Neutron changes for easy reference.
  • Automated Diagnostics
    • Use tools like easyOVS and Don for faster troubleshooting.
    • Automate diagnostics to save time and reduce manual effort.
Maintenance TaskFrequencyWhy It Matters
Service Status CheckDailySpot agent issues early
Log AnalysisWeeklyIdentify recurring problems
Configuration BackupMonthlySimplify recovery processes
Security Group AuditQuarterlyAvoid connectivity disruptions

Get Started Today on an OpenStack-Powered Private Cloud

Try It Out

We offer complimentary access for testing our production-ready private cloud infrastructure prior to making a purchase. Choose from short term self-service or up to 30 day proof of concept cloud trials.

Start Free Trial

Buy Now

Heard enough and ready to get started with your new private cloud solution? Create your account and enjoy simple, secure, self-serve ordering through our web-based management portal.

Buy Private Cloud

Get a Quote

Have a complicated configuration or need a detailed cost breakdown to discuss with your team? Let us know your requirements and we’ll be happy to provide a custom quote plus discounts you may qualify for.

Request a Quote

 Read More on the OpenMetal Blog

Multi-Cloud Networking with Kubernetes and OpenStack

Jun 11, 2025

If you’re looking to simplify your multi-cloud strategy, combining Kubernetes with OpenStack is a powerful approach. OpenStack provides the core infrastructure-as-a-service (IaaS), and Kubernetes orchestrates your containerized applications on top of it, giving you a consistent platform everywhere. This guide gives you a straightforward look at how to plan, build, and manage a multi-cloud network using these two technologies.

OpenStack vs Apache CloudStack: A Decision Guide for Migrating off VMware

Jun 08, 2025

Discover an in-depth comparison of Apache CloudStack vs. OpenStack for migrating from VMware. Technical buyers will learn about architectural differences, VMware integration strategies, migration utilities (virt-v2v, MigrateKit, Coriolis), and how OpenMetal’s managed private cloud on OpenStack can accelerate your transition with predictable pricing and SLA-backed support.

Cinder Volume Fails to Attach: Common Causes and Fixes

Jun 06, 2025

Frustrated by a Cinder volume that won’t attach? We’ve got you. This guide breaks down the common causes like incorrect volume states, backend config errors, and network glitches. Learn to troubleshoot and fix these attachment failures with practical CLI commands and preventative tips.

An Introduction to Mistral Workflows in OpenStack

May 28, 2025

Mistral is OpenStack’s workflow automation service that simplifies cloud operations by turning manual tasks into automated workflows. Learn about how it works and how you can get started using it to help boost efficiency and resource management in cloud environments.

Configuring External Networks in OpenStack Neutron

May 22, 2025

Learn how to configure external networks in OpenStack Neutron. This guide walks through creating networks, subnets, routers, and floating IPs. Learn to secure connections, ensure high availability, and tune performance for reliable public access to your cloud.

Comparing OpenStack Monasca and Datadog for Private Cloud Monitoring

May 14, 2025

We’re diving into OpenStack Monasca and Datadog, comparing them as monitoring tools for private cloud environments. Picking one comes down to your organization’s way of working, your team’s skills, and your overall cloud strategy. We’ll get into how they work, benefits and challenges, their ideal use cases, and when you may want to use them together.

The Benefits of OpenStack-Based Hosted Private Cloud for IT MSPs

May 13, 2025

OpenStack-based hosted private clouds offer MSPs an exceptional opportunity to provide their clients with a high-performance, secure, and cost-effective cloud solution. By leveraging the flexibility of OpenStack, MSPs can fine-tune performance, reduce costs, and deliver customized solutions that align with client needs.

When to Use Asynchronous Replication in OpenStack Clouds

May 06, 2025

Explore asynchronous replication in OpenStack clouds for improved application performance, cost savings, and flexible disaster recovery. Learn its benefits, common use cases with Cinder and Swift, conceptual setup, and key considerations like managing RPO and resource usage for a resilient deployment.

Multi-Tenant OpenStack Architecture Basics

Apr 25, 2025

A practical guide into OpenStack multi-tenant environments. Understand the underlying architecture, component interactions (Keystone, Nova, Neutron), configuration steps for secure tenant isolation, resource quota management, and more advanced tips for security and performance tuning.

Troubleshooting Common OpenStack Nova Log Errors

Apr 18, 2025

Nova logs are key for OpenStack troubleshooting and health. Understand common API, compute, network, and login errors. Learn to read logs (timestamps, severity, modules) and use tools like ELK/Monasca. Implement good log management for faster issue resolution and a stable environment.