Proxmox Cluster SDN EVPN ping destination unreachable

leonidas_o

Member
Apr 17, 2022
Hello,

I've gone through the docs: https://pve.proxmox.com/pve-docs/chapter-pvesdn.html#pvesdn_setup_example_evpn
But I can't ping VM2 (vnet3, node 2) from within VM1 (vnet3, node 1) on another node. Currently just testing with vnet3 and vmbr2.
I've set up all the EVPN settings via the Proxmox UI according to the docs, and also clicked apply after any changes. I tried with and without the SNAT checkbox for my subnet vnet3. The strange thing is, my last try was with SNAT checked, but it just updated/added iptables -t nat -A POSTROUTING ... to the node 1 sdn file. The node 2 sdn file is missing that line. Also tried with and without gateway 192.168.0.254 in the nodes' /etc/network/interfaces files.
Another difference I spotted: while the node 1 sdn file has post-up ip route del vrf vrf_evpnzon1 unreachable default metric 4278198272,
the node 2 sdn file has post-up ip route add vrf vrf_evpnzon1 unreachable default metric 4278198272.
Maybe a bug in Proxmox, that it does not update both sdn files properly? This depends on whether you select the node as exit node or not; it either gets this "route del ..." OR "route add ..." entry.

For my initial Proxmox setup, I was using Masquerading (NAT) with iptables. So either the diff between the node 1 sdn and node 2 sdn file is the culprit, or if it is correct that they have to differ like that, then maybe it's something with my NAT-based interfaces files.

Appreciate any help.

UPDATE:
Deleted all settings and started again, creating e.g. vnets and subnets in the same order (before, I created all vnets first and afterwards the subnets). Maybe this was causing some issues; I don't know how I caused the generation to be that wrong. As of now, both /etc/network/interfaces.d/sdn files (except the vxlan-local-tunnelip) are identical.

Getting closer, but unfortunately I still get the same "Destination Host Unreachable" error.
After configuring EVPN, when executing ifreload -a on a Proxmox node, I now get the warning: vrf_evpnzon0: post-up cmd 'ip route del vrf vrf_evpnzon0 unreachable default metric 4278198272' failed: returned 2 (RTNETLINK answers: No such process)



Both Proxmox hosts are on exactly the same versions:

Code:
proxmox-ve: 7.2-1 (running kernel: 5.15.74-1-pve)
pve-manager: 7.2-11 (running version: 7.2-11/b76d3178)
pve-kernel-5.15: 7.2-14
pve-kernel-helper: 7.2-14
pve-kernel-5.15.74-1-pve: 5.15.74-1
pve-kernel-5.15.64-1-pve: 5.15.64-1
pve-kernel-5.15.30-2-pve: 5.15.30-3
ceph-fuse: 15.2.16-pve1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve1
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.2-4
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-4
libpve-guest-common-perl: 4.1-4
libpve-http-server-perl: 4.1-5
libpve-network-perl: 0.7.1
libpve-storage-perl: 7.2-10
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.0-3
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
proxmox-backup-client: 2.2.7-1
proxmox-backup-file-restore: 2.2.7-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.1
pve-cluster: 7.2-2
pve-container: 4.2-3
pve-docs: 7.2-2
pve-edk2-firmware: 3.20220526-1
pve-firewall: 4.2-6
pve-firmware: 3.5-6
pve-ha-manager: 3.4.0
pve-i18n: 2.7-2
pve-qemu-kvm: 7.0.0-4
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-5
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.8.0~bpo11+2
vncterm: 1.7-1
zfsutils-linux: 2.1.6-pve1



Node 1 interfaces file
Code:
auto lo
iface lo inet loopback
iface lo inet6 loopback

auto enp0s31f6
iface enp0s31f6 inet static
  address IPADDRESS
  netmask 255.255.255.192
  gateway IPADDRESS

iface enp0s31f6 inet6 static
  address IPV6ADDRESS
  netmask 64
  gateway IPV6ADDRESS

...

auto vmbr3
iface vmbr3 inet static
        address 10.1.3.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        mtu 1500

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.1.3.0/24' -o enp0s31f6 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.1.3.0/24' -o enp0s31f6 -j MASQUERADE


source /etc/network/interfaces.d/*


Node 2 interfaces file
Code:
auto lo
iface lo inet loopback
iface lo inet6 loopback

auto enp0s31f6
iface enp0s31f6 inet static
  address IPADDRESS
  netmask 255.255.255.192
  gateway IPADDRESS

iface enp0s31f6 inet6 static
  address IPV6ADDRESS
  netmask 64
  gateway IPV6ADDRESS

...

auto vmbr3
iface vmbr3 inet static
        address 10.1.3.2/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        mtu 1500

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.1.3.0/24' -o enp0s31f6 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.1.3.0/24' -o enp0s31f6 -j MASQUERADE



source /etc/network/interfaces.d/*


Node 1 sdn file
Code:
#version:20

auto vnet0
iface vnet0
        address 10.0.1.1/24
        hwaddress A...
        bridge_ports vxlan_vnet0
        bridge_stp off
        bridge_fd 0
        mtu 1450
        ip-forward on
        arp-accept on
        vrf vrf_evpnzon0

auto vnet1
iface vnet1
        address 10.0.2.1/24
        hwaddress A...
        bridge_ports vxlan_vnet1
        bridge_stp off
        bridge_fd 0
        mtu 1450
        ip-forward on
        arp-accept on
        vrf vrf_evpnzon0

auto vrf_evpnzon0
iface vrf_evpnzon0
        vrf-table auto
        post-up ip route del vrf vrf_evpnzon0 unreachable default metric 4278198272

auto vrfbr_evpnzon0
iface vrfbr_evpnzon0
        bridge-ports vrfvx_evpnzon0
        bridge_stp off
        bridge_fd 0
        mtu 1450
        vrf vrf_evpnzon0

auto vrfvx_evpnzon0
iface vrfvx_evpnzon0
        vxlan-id 10000
        vxlan-local-tunnelip 10.1.3.1
        bridge-learning off
        bridge-arp-nd-suppress on
        mtu 1450

auto vxlan_vnet0
iface vxlan_vnet0
        vxlan-id 11000
        vxlan-local-tunnelip 10.1.3.1
        bridge-learning off
        bridge-arp-nd-suppress on
        mtu 1450

auto vxlan_vnet1
iface vxlan_vnet1
        vxlan-id 12000
        vxlan-local-tunnelip 10.1.3.1
        bridge-learning off
        bridge-arp-nd-suppress on
        mtu 1450



Node 2 sdn file now looks identical except vxlan-local-tunnelip 10.1.3.2.
 
Can you share your /etc/pve/sdn/*.cfg?

Hi, SNAT is only done on exit-nodes when the traffic is going out to the real network.

If you have multiple exit-nodes, you need to use the exit-nodes primary option to force an active/backup config, as SNAT needs to have traffic in/out on the same node.

(And you need to use the SNAT checkbox on the subnet in the SDN config.)
 
@spirit the SNAT checkbox is currently unchecked. I wonder, as I have vmbr3 configured as mentioned above and am therefore using NAT in my configuration, whether I actually even need the SNAT checkbox here; at least I would guess not. The EVPN example in the docs uses the default bridge configuration as a starting point, whereas I'm using Masquerading (NAT) with iptables according to: https://pve.proxmox.com/wiki/Network_Configuration

I hope EVPN doesn't only work with bridged networking? I've got two dedicated servers here as Proxmox nodes, both with a public IP address and only one NIC.
Also the error message I get when clicking the apply button in the SDN menu and examining the logs, or when manually executing ifreload -a: vrf_evpnzon0 : warning: vrf_evpnzon0: post-up cmd 'ip route del vrf vrf_evpnzon0 unreachable default metric 4278198272' failed: returned 2 (RTNETLINK answers: No such process)


My configs:

Code:
evpn: evpnctl0
    asn 65000
    peers 10.1.3.1,10.1.3.2

subnet: evpnzon0-10.0.1.0-24
    vnet vnet0
    gateway 10.0.1.1
    snat 1

subnet: evpnzon0-10.0.2.0-24
    vnet vnet1
    gateway 10.0.2.1
    snat 1

vnet: vnet0
    zone evpnzon0
    tag 11000

vnet: vnet1
    zone evpnzon0
    tag 12000

evpn: evpnzon0
    controller evpnctl0
    vrf-vxlan 10000
    exitnodes MYNODE2,MYNODE1
    exitnodes-primary MYNODE1
    ipam pve
    mac A...
    mtu 1450

I also tried with/without setting the primary exit node, and with/without SNAT. Basically in trial-and-error mode now, but nothing seems to help.
 
Just to be sure, is your problem simply:

"I can't ping VM2 (vnet3, node 2) from within VM1 (vnet3, node 1) on another node."?


Because this has nothing to do with exit-node or SNAT (exit-node is only for traffic going out to the real network).

With a simple evpn network, you should be able to ping between any vm, on any subnet, on the same zone.

Do you use any kind of firewalling on the node? (manual iptables or the Proxmox firewall on the node?)
Because the VXLAN port (udp/4789) and the BGP port (tcp/179) need to be open between nodes.

Can you send the result of:

# vtysh -c "sh ip bgp summary"
# vtysh -c "sh ip bgp l2vpn evpn"

on each node?
 
Trying everything, I now even changed /etc/network/interfaces to

Code:
auto vmbr3
iface vmbr3 inet static
        address 192.168.0.1/24
        gateway 192.168.0.254
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        mtu 1500

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o enp0s31f6 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o enp0s31f6 -j MASQUERADE
        post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

In the hope that there is a "hidden"/magic trick and it suddenly starts to work if using exactly the same IPs as in the docs. So don't get confused that there is suddenly "192.168.0.1". I'm simply trying everything to somehow bring that to life.

Basically yes, the problem was: "I can't ping VM2 (vnet3, node 2) from within VM1 (vnet3, node 1) on another node."
and it is now still the same, just with: "Can't ping VM2 (vnet1, node2) from within VM1 (vnet0, node1)",
so exactly like the official EVPN example from the docs. The only difference compared to the docs example is that I've got two nodes and my interfaces files look a bit different because of NAT. Everything else was really copy-paste.

What do you mean by "simple evpn"? The VXLAN setup without the controller? Even if that would work, I would guess EVPN has better performance than "simple" VXLAN, and in the end I don't want to have two VMs just pinging each other. There will be a couple of VMs interacting.

Yes, the Proxmox firewall is turned on on both nodes, but I've got rules which shouldn't block it, plus I deactivate it every time I try a new setting (just to be 100% sure). Definitely not the firewall.


NODE1
vtysh -c "sh ip bgp summary"
Code:
% No BGP neighbors found in VRF default


vtysh -c "sh ip bgp l2vpn evpn"
Code:
BGP table version is 13, local router ID is 192.168.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
EVPN type-1 prefix: [1]:[EthTag]:[ESI]:[IPlen]:[VTEP-IP]
EVPN type-2 prefix: [2]:[EthTag]:[MAClen]:[MAC]:[IPlen]:[IP]
EVPN type-3 prefix: [3]:[EthTag]:[IPlen]:[OrigIP]
EVPN type-4 prefix: [4]:[ESI]:[IPlen]:[OrigIP]
EVPN type-5 prefix: [5]:[EthTag]:[IPlen]:[IP]

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 192.168.0.1:2
*> [2]:[0]:[48]:[5a:69:be:92:f6:b3]
                    192.168.0.1(MYNODE1)
                                                       32768 i
                    ET:8 RT:65000:11000
*> [2]:[0]:[48]:[5a:69:be:92:f6:b3]:[32]:[10.0.1.100]
                    192.168.0.1(MYNODE1)
                                                       32768 i
                    ET:8 RT:65000:11000 RT:65000:10000 Rmac:3a:37:2a:e3:ef:be
*> [3]:[0]:[32]:[192.168.0.1]
                    192.168.0.1(MYNODE1)
                                                       32768 i
                    ET:8 RT:65000:11000
Route Distinguisher: 192.168.0.1:3
*> [3]:[0]:[32]:[192.168.0.1]
                    192.168.0.1(MYNODE1)
                                                       32768 i
                    ET:8 RT:65000:12000
Route Distinguisher: 192.168.0.1:4
*> [5]:[0]:[0]:[0.0.0.0]
                    192.168.0.1(MYNODE1)
                                                       32768 i
                    ET:8 RT:65000:10000 Rmac:3a:37:2a:e3:ef:be
*> [5]:[0]:[0]:[::] 192.168.0.1(MYNODE1)
                                                       32768 i
                    ET:8 RT:65000:10000 Rmac:3a:37:2a:e3:ef:be

Displayed 6 out of 6 total prefixes



NODE2
vtysh -c "sh ip bgp summary"
Code:
% No BGP neighbors found in VRF default

vtysh -c "sh ip bgp l2vpn evpn"
Code:
BGP table version is 2, local router ID is 192.168.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
EVPN type-1 prefix: [1]:[EthTag]:[ESI]:[IPlen]:[VTEP-IP]
EVPN type-2 prefix: [2]:[EthTag]:[MAClen]:[MAC]:[IPlen]:[IP]
EVPN type-3 prefix: [3]:[EthTag]:[IPlen]:[OrigIP]
EVPN type-4 prefix: [4]:[ESI]:[IPlen]:[OrigIP]
EVPN type-5 prefix: [5]:[EthTag]:[IPlen]:[IP]

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 192.168.0.2:2
*> [5]:[0]:[0]:[0.0.0.0]
                    192.168.0.2(MYNODE2)
                                                       32768 i
                    ET:8 RT:65000:10000 Rmac:e6:74:16:81:73:70
*> [5]:[0]:[0]:[::] 192.168.0.2(MYNODE2)
                                                       32768 i
                    ET:8 RT:65000:10000 Rmac:e6:74:16:81:73:70
Route Distinguisher: 192.168.0.2:3
*> [3]:[0]:[32]:[192.168.0.2]
                    192.168.0.2(MYNODE2)
                                                       32768 i
                    ET:8 RT:65000:11000
Route Distinguisher: 192.168.0.2:4
*> [2]:[0]:[48]:[56:25:69:4c:c3:f5]
                    192.168.0.2(MYNODE2)
                                                       32768 i
                    ET:8 RT:65000:12000
*> [2]:[0]:[48]:[56:25:69:4c:c3:f5]:[32]:[10.0.2.100]
                    192.168.0.2(MYNODE2)
                                                       32768 i
                    ET:8 RT:65000:12000 RT:65000:10000 Rmac:e6:74:16:81:73:70
*> [3]:[0]:[32]:[192.168.0.2]
                    192.168.0.2(MYNODE2)
                                                       32768 i
                    ET:8 RT:65000:12000

Displayed 6 out of 6 total prefixes
 
Mmm, ok. The BGP sessions are not established between 10.1.3.1 and 10.1.3.2.

Why do you use these IPs (10.1.3.X) for peers, as you seem to need to use NAT to enp0s31f6 to go outside?

Code:
auto vmbr3
iface vmbr3 inet static
        address 10.1.3.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        mtu 1500

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.1.3.0/24' -o enp0s31f6 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.1.3.0/24' -o enp0s31f6 -j MASQUERADE


The peer IP addresses need to be able to communicate directly without any NAT.
So you need to use the IP address of enp0s31f6.
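The point made above (peers must reach each other without NAT) can be checked mechanically before touching the SDN UI. The following is an added example for this thread, not Proxmox code: it parses the section format of /etc/pve/sdn/*.cfg, pulls the `peers` of every EVPN controller, collects the source subnets of `post-up ... -j MASQUERADE` rules from /etc/network/interfaces, and reports peers whose address falls inside a masqueraded subnet. The two sample texts are constructed from the configuration quoted in this thread; the documentation-range addresses in the test are placeholders.

```python
"""Check whether EVPN controller peers sit behind a MASQUERADE rule.

Added example for this thread, not Proxmox code. It parses the section format
used by /etc/pve/sdn/*.cfg ("type: name" header, indented "key value" lines)
and scans an /etc/network/interfaces file for post-up MASQUERADE rules. A peer
address inside a masqueraded source subnet means the node's own BGP packets
to that peer get NATed on the way out, so the session can never come up.
Sample texts are constructed from the values quoted in this thread.
"""
import ipaddress
import re
import sys

# Constructed: the combined `cat /etc/pve/sdn/*.cfg` from the thread, with the
# controller peering over the NATed vmbr3 addresses.
SDN_CFG = """\
evpn: evpnctl0
    asn 65000
    peers 10.1.3.1,10.1.3.2

subnet: evpnzon0-10.0.1.0-24
    vnet vnet0
    gateway 10.0.1.1

vnet: vnet0
    zone evpnzon0
    tag 11000

evpn: evpnzon0
    controller evpnctl0
    vrf-vxlan 10000
    ipam pve
    mtu 1450
"""

# Constructed: the vmbr3 stanza from node 1's /etc/network/interfaces.
INTERFACES = """\
auto vmbr3
iface vmbr3 inet static
        address 10.1.3.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.1.3.0/24' -o enp0s31f6 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.1.3.0/24' -o enp0s31f6 -j MASQUERADE
"""

# Source subnet of an iptables MASQUERADE rule, quoted or not.
_MASQ_RE = re.compile(
    r"iptables\s+-t\s+nat\s+-A\s+POSTROUTING\b.*?-s\s+'?([0-9a-fA-F:./]+)'?.*?-j\s+MASQUERADE"
)


def parse_pve_cfg(text):
    """Parse the Proxmox section format into {(type, name): {key: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():          # "<type>: <name>" header line
            typ, _, name = raw.partition(":")
            current = sections.setdefault((typ.strip(), name.strip()), {})
        elif current is not None:         # "<key> <value>" option line
            key, _, value = raw.strip().partition(" ")
            current[key] = value.strip()
    return sections


def masqueraded_subnets(interfaces_text):
    """Source subnets of every post-up MASQUERADE rule in an interfaces file."""
    nets = []
    for line in interfaces_text.splitlines():
        m = _MASQ_RE.search(line)
        if "post-up" in line and m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets


def controller_peers(cfg_text):
    """Peer addresses listed on every evpn controller section."""
    peers = []
    for (typ, _name), opts in parse_pve_cfg(cfg_text).items():
        if typ == "evpn" and "peers" in opts:   # zones are also type evpn but carry no peers
            peers.extend(p.strip() for p in opts["peers"].split(",") if p.strip())
    return peers


def nat_masked_peers(cfg_text, interfaces_text):
    """Peers whose address lies in a masqueraded subnet (BGP to them would be NATed)."""
    nets = masqueraded_subnets(interfaces_text)
    return [p for p in controller_peers(cfg_text)
            if any(ipaddress.ip_address(p) in n for n in nets)]


if __name__ == "__main__":
    if len(sys.argv) == 3:   # real files: python3 check.py controllers.cfg interfaces
        cfg, ifs = (open(p).read() for p in sys.argv[1:3])
    else:                    # no arguments: run against the constructed samples
        cfg, ifs = SDN_CFG, INTERFACES
    print("peers behind MASQUERADE:", nat_masked_peers(cfg, ifs) or "none")
```

Run it on each node against /etc/pve/sdn/controllers.cfg and /etc/network/interfaces; any peer it lists is a VTEP address that the reply above says cannot work, because the BGP SYN leaving the node would be rewritten to the public address and the far side would see a connection from an address it has no neighbor entry for.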
 
At the moment I have vmbr0, vmbr1 and vmbr2 in use for my VMs. To not mess around here and stay as close as possible to the docs, I created vmbr3 with 10.1.3.x (or right now 192.168.0.x). I thought, okay, maybe there is some logic which uses that internal IP to go outside. I mean, that's how the other VMs can talk to the outside too, right?
I also already thought, okay, maybe I need the public IP address of each node (so the real IP behind enp0s31f6), and I tried that as well.

- I entered them as peers in the EVPN Controller tab in Proxmox
- disabled the firewall at datacenter level (enabled in the nodes' firewall settings, but datacenter disables them all anyway)
- ifreload -a (the apply button in the SDN tab does it, but just to make sure -> still showing vrf_evpnzon0 : warning: vrf_evpnzon0: post-up cmd 'ip route del vrf vrf_evpnzon0 unreachable default metric 4278198272' failed: returned 2 (RTNETLINK answers: No such process))
- rebooted both VMs
- tried to ping each other, but no, same error message, same behaviour; executing your vtysh commands looks the same except it contains the public IPs.

This is so frustrating.
Are there any possibilities to troubleshoot that further? Should I see something in the Proxmox syslog on the node, a connection attempt, anything?


vtysh -c "sh ip bgp l2vpn evpn"
Code:
BGP table version is 33, local router ID is 88.xx.xx.xx
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
EVPN type-1 prefix: [1]:[EthTag]:[ESI]:[IPlen]:[VTEP-IP]
EVPN type-2 prefix: [2]:[EthTag]:[MAClen]:[MAC]:[IPlen]:[IP]
EVPN type-3 prefix: [3]:[EthTag]:[IPlen]:[OrigIP]
EVPN type-4 prefix: [4]:[ESI]:[IPlen]:[OrigIP]
EVPN type-5 prefix: [5]:[EthTag]:[IPlen]:[IP]

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 88.xx.xx.xx:2
*> [2]:[0]:[48]:[5a:69:be:92:f6:b3]
                    88.xx.xx.xx(MYNODE1)
                                                       32768 i
                    ET:8 RT:65000:11000
*> [2]:[0]:[48]:[5a:69:be:92:f6:b3]:[32]:[10.0.1.100]
                    88.xx.xx.xx(MYNODE1)
                                                       32768 i
                    ET:8 RT:65000:11000 RT:65000:10000 Rmac:3a:37:2a:e3:ef:be
*> [3]:[0]:[32]:[88.xx.xx.xx]
                    88.xx.xx.xx(MYNODE1)
                                                       32768 i
                    ET:8 RT:65000:11000
Route Distinguisher: 88.xx.xx.xx:3
*> [3]:[0]:[32]:[88.xx.xx.xx]
                    88.xx.xx.xx(MYNODE1)
                                                       32768 i
                    ET:8 RT:65000:12000
Route Distinguisher: 88.xx.xx.xx:4
*> [5]:[0]:[0]:[0.0.0.0]
                    88.xx.xx.xx(MYNODE1)
                                                       32768 i
                    ET:8 RT:65000:10000 Rmac:3a:37:2a:e3:ef:be
*> [5]:[0]:[0]:[::] 88.xx.xx.xx(MYNODE1)
                                                       32768 i
                    ET:8 RT:65000:10000 Rmac:3a:37:2a:e3:ef:be

Displayed 6 out of 6 total prefixes

The other node the same but of course just with its public IP (94.xx.xx.xx).
 
I found the following log entries in syslog

Code:
Nov 20 10:45:36 MYNODE1 kernel: vrfbr_evpnzon0: port 1(vrfvx_evpnzon0) entered disabled state
Nov 20 10:45:36 MYNODE1 kernel: device vrfvx_evpnzon0 left promiscuous mode
Nov 20 10:45:36 MYNODE1 kernel: vrfbr_evpnzon0: port 1(vrfvx_evpnzon0) entered disabled state
Nov 20 10:45:36 MYNODE1 bgpd[3213]: [VCGF0-X62M1][EC 100663301] INTERFACE_STATE: Cannot find IF vrfvx_evpnzon0 in VRF 0
Nov 20 10:45:36 MYNODE1 kernel: vnet0: port 1(vxlan_vnet0) entered disabled state
...
Nov 20 10:45:36 MYNODE1 kernel: device vxlan_vnet0 left promiscuous mode
Nov 20 10:45:36 MYNODE1 kernel: vnet0: port 1(vxlan_vnet0) entered disabled state
Nov 20 10:45:36 MYNODE1 bgpd[3213]: [VCGF0-X62M1][EC 100663301] INTERFACE_STATE: Cannot find IF vxlan_vnet0 in VRF 0
Nov 20 10:45:36 MYNODE1 kernel: vnet1: port 1(vxlan_vnet1) entered disabled state
...
Nov 20 10:45:52 MYNODE1 zebra[3195]: [WPPMZ-G9797] if_zebra_speed_update: vxlan_vnet0 old speed: 0 new speed: 4294967295
Nov 20 10:45:53 MYNODE1 zebra[3195]: [WPPMZ-G9797] if_zebra_speed_update: vxlan_vnet1 old speed: 0 new speed: 4294967295
Nov 20 10:45:53 MYNODE1 zebra[3195]: [WPPMZ-G9797] if_zebra_speed_update: vrfvx_evpnzon0 old speed: 0 new speed: 4294967295
...
Nov 20 10:46:56 MYNODE1 kernel: fwbr401i0: port 2(tap401i0) entered disabled state
Nov 20 10:46:56 MYNODE1 kernel: fwbr401i0: port 1(fwln401i0) entered disabled state
Nov 20 10:46:56 MYNODE1 kernel: vnet0: port 2(fwpr401p0) entered disabled state
Nov 20 10:46:56 MYNODE1 kernel: device fwln401i0 left promiscuous mode
Nov 20 10:46:56 MYNODE1 kernel: fwbr401i0: port 1(fwln401i0) entered disabled state
Nov 20 10:46:56 MYNODE1 bgpd[3213]: [VCGF0-X62M1][EC 100663301] INTERFACE_STATE: Cannot find IF fwln401i0 in VRF 0
Nov 20 10:46:56 MYNODE1 kernel: device fwpr401p0 left promiscuous mode
Nov 20 10:46:56 MYNODE1 kernel: vnet0: port 2(fwpr401p0) entered disabled state
Nov 20 10:46:56 MYNODE1 bgpd[3213]: [VCGF0-X62M1][EC 100663301] INTERFACE_STATE: Cannot find IF fwpr401p0 in VRF 0
Nov 20 10:46:57 MYNODE1 bgpd[3213]: [VCGF0-X62M1][EC 100663301] INTERFACE_STATE: Cannot find IF fwbr401i0 in VRF 0
Nov 20 10:46:57 MYNODE1 bgpd[3213]: [VCGF0-X62M1][EC 100663301] INTERFACE_STATE: Cannot find IF tap401i0 in VRF 0
 
You don't need to create a vmbr3, and you don't need NAT; simply use your public IPs for peers if your hosts are only able to communicate directly with public IPs.

The result of:

vtysh -c "sh ip bgp summary"

should show some lines with the connected peers' IPs.


Code:
evpn: evpnctl0
    asn 65000
    peers 94.xx.xx.xx,88.xx.xx.xx

subnet: evpnzon0-10.0.1.0-24
    vnet vnet0
    gateway 10.0.1.1


subnet: evpnzon0-10.0.2.0-24
    vnet vnet1
    gateway 10.0.2.1


vnet: vnet0
    zone evpnzon0
    tag 11000

vnet: vnet1
    zone evpnzon0
    tag 12000

evpn: evpnzon0
    controller evpnctl0
    vrf-vxlan 10000
    ipam pve
    mac A...
    mtu 1450

This should work out of the box.

Try to telnet between the public IPs on BGP port tcp/179 (telnet remoteip 179) to be sure it's open without any firewall blocking.
 
Okay, I removed vmbr3 completely as I wasn't using it anyway since switching to the public IPs.


vtysh -c "sh ip bgp summary" on both nodes still shows:
Code:
% No BGP neighbors found in VRF default


telnet 94.XX.XX.XX 179 seems to work, as it connects; after a few seconds it gets a "connection closed by foreign host". But it seems the connection is possible.
Code:
Trying 94.XX.XX.XX...
Connected to 94.XX.XX.XX.
Escape character is '^]'.
I???????e??    ^?AhHF?FA??EF
     MYNODE2@x    GF?????????Connection closed by foreign host.

To double check that, using nc -vz 94.XX.XX.XX 179
Code:
static.104.XX.XX.XX.clients.your-server... [94.XX.XX.XX] 179 (bgp) open

So the connection looks good to me.
Same behaviour on both nodes. The firewall is enabled but has some rules which shouldn't deny anything here. According to the telnet and nc commands, it seems the firewall is not causing the issues.

Unfortunately it is not working out of the box. Maybe something with frr or frr-pythontools?




And yes, the configs look like:
cat /etc/pve/sdn/*.cfg
Code:
evpn: evpnctl0
    asn 65000
    peers 88.XX.XX.XX,94.XX.XX.XX

subnet: evpnzon0-10.0.1.0-24
    vnet vnet0
    gateway 10.0.1.1
    snat 1

subnet: evpnzon0-10.0.2.0-24
    vnet vnet1
    gateway 10.0.2.1
    snat 1

vnet: vnet0
    zone evpnzon0
    tag 11000

vnet: vnet1
    zone evpnzon0
    tag 12000

evpn: evpnzon0
    controller evpnctl0
    vrf-vxlan 10000
    exitnodes MYNODE1,MYNODE2
    exitnodes-primary MYNODE1
    ipam pve
    mac AA:...
    mtu 1450
 
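The garbage that telnet printed in the post above is worth reading rather than ignoring: it is a BGP OPEN message. FRR's bgpd sends one as soon as the TCP session on tcp/179 is up, and the readable "MYNODE2" inside it is the FQDN capability (code 73) that FRR includes when frr.conf carries a `hostname` line, as the configs in this thread do. So the telnet test showed more than an open port: the remote bgpd accepted the connection and announced its AS number, router-id and hostname, then closed after a few seconds because telnet never sent an OPEN back. The decoder below is an added example for this thread, not FRR or Proxmox code. It builds a sample OPEN for a constructed speaker (hostname MYNODE2, AS 65000, router-id 192.0.2.2, hold time 9; all assumed values) and parses it; a real one can be captured with `nc remoteip 179 | xxd -p` and handed to `parse_open(bytes.fromhex(...))`.

```python
"""Decode the BGP OPEN that bgpd sends right after a TCP connect.

Added example for this thread, not FRR or Proxmox code. Message layout per
RFC 4271 (header and OPEN), RFC 4760 (Multiprotocol capability) and the FQDN
capability (code 73) that FRR advertises when a hostname is configured.
The sample speaker values below are assumptions, not taken from the thread.
"""
import struct

BGP_MARKER = b"\xff" * 16
MSG_OPEN = 1
OPT_CAPABILITY = 2
CAP_MULTIPROTOCOL = 1      # AFI/SAFI the speaker wants to negotiate
CAP_FQDN = 73              # hostname + domain name capability
AFI_L2VPN, SAFI_EVPN = 25, 70


def _router_id_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))


def build_open(asn, hold_time, router_id, hostname, domain=""):
    """Build a BGP OPEN carrying the L2VPN/EVPN and FQDN capabilities."""
    host_b, dom_b = hostname.encode(), domain.encode()
    mp_cap = bytes([CAP_MULTIPROTOCOL, 4]) + struct.pack("!HBB", AFI_L2VPN, 0, SAFI_EVPN)
    fqdn_val = bytes([len(host_b)]) + host_b + bytes([len(dom_b)]) + dom_b
    fqdn_cap = bytes([CAP_FQDN, len(fqdn_val)]) + fqdn_val
    caps = mp_cap + fqdn_cap
    opt = bytes([OPT_CAPABILITY, len(caps)]) + caps   # one optional parameter: Capabilities
    body = struct.pack("!BHH4sB", 4, asn, hold_time, _router_id_bytes(router_id), len(opt)) + opt
    return BGP_MARKER + struct.pack("!HB", 19 + len(body), MSG_OPEN) + body


def parse_open(data):
    """Parse one BGP OPEN from raw bytes; raise ValueError if it is not one."""
    if len(data) < 29 or data[:16] != BGP_MARKER:
        raise ValueError("not a BGP message (marker missing or too short)")
    length, mtype = struct.unpack("!HB", data[16:19])
    if mtype != MSG_OPEN or length < 29 or length > len(data):
        raise ValueError("not a well-formed OPEN")
    version, asn, hold, rid, optlen = struct.unpack("!BHH4sB", data[19:29])
    info = {"version": version, "asn": asn, "hold_time": hold,
            "router_id": ".".join(str(b) for b in rid),
            "hostname": None, "afi_safi": []}
    opts, i = data[29:29 + optlen], 0
    while i + 2 <= len(opts):                       # optional-parameter TLVs
        ptype, plen = opts[i], opts[i + 1]
        pval, i = opts[i + 2:i + 2 + plen], i + 2 + plen
        if ptype != OPT_CAPABILITY:
            continue
        j = 0
        while j + 2 <= len(pval):                   # capability TLVs inside it
            code, clen = pval[j], pval[j + 1]
            cval, j = pval[j + 2:j + 2 + clen], j + 2 + clen
            if code == CAP_MULTIPROTOCOL and clen == 4:
                afi, _, safi = struct.unpack("!HBB", cval)
                info["afi_safi"].append((afi, safi))
            elif code == CAP_FQDN and clen >= 2:
                hlen = cval[0]                      # hostname length, then hostname bytes
                info["hostname"] = cval[1:1 + hlen].decode(errors="replace")
    return info


if __name__ == "__main__":
    sample = build_open(65000, 9, "192.0.2.2", "MYNODE2")
    print(sample.hex())
    print(parse_open(sample))
```

Two practical consequences follow from what this decodes. First, a speaker that answers with its AS, router-id and hostname before any authentication has happened is exactly what the telnet test triggered, so "port open" on tcp/179 is a stronger result than the post treats it as, and the failing session must be failing somewhere other than plain reachability of that port. Second, neither this BGP session nor the VXLAN traffic on udp/4789 carries authentication or encryption by default, so on two hosts that peer over public addresses, tcp/179 and udp/4789 should be reachable only from the peer nodes' IPs.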
For testing purposes, I created vnet2 (VXLAN only, without EVPN). This works; the VMs can ping each other. If I then switch the NIC back to vnet0 (EVPN) on the VMs, I again get the host unreachable issue. I don't know, but this must be a bug. It absolutely does not make any sense to me.
 
It must be related to the BGP session not working, but I really don't know why.

Can you send the generated /etc/frr/frr.conf?

Are the frr packages coming from the Proxmox repo? (dpkg -l|grep frr). It should be 8.2.2-1+pve1.

You can enable BGP debug logging with:

# vtysh
then "debug bgp neighbor-events", "exit"

It should be logged in /var/log/frr.log.
 
The frr.conf files on the nodes differ a bit:


Node 1
cat /etc/frr/frr.conf
Code:
frr version 8.2.2
frr defaults datacenter
hostname MYNODE1
log syslog informational
service integrated-vtysh-config
!
!
vrf vrf_evpnzon0
vni 10000
exit-vrf
!
router bgp 65000
bgp router-id 88.XX.XX.XX
no bgp default ipv4-unicast
coalesce-time 1000
neighbor VTEP peer-group
neighbor VTEP remote-as 65000
neighbor VTEP bfd
neighbor 94.XX.XX.XX peer-group VTEP
!
address-family ipv4 unicast
  import vrf vrf_evpnzon0
exit-address-family
!
address-family ipv6 unicast
  import vrf vrf_evpnzon0
exit-address-family
!
address-family l2vpn evpn
  neighbor VTEP route-map MAP_VTEP_IN in
  neighbor VTEP route-map MAP_VTEP_OUT out
  neighbor VTEP activate
  advertise-all-vni
exit-address-family
exit
!
router bgp 65000 vrf vrf_evpnzon0
bgp router-id 88.XX.XX.XX
!
address-family ipv4 unicast
  redistribute connected
exit-address-family
!
address-family ipv6 unicast
  redistribute connected
exit-address-family
!
address-family l2vpn evpn
  default-originate ipv4
  default-originate ipv6
exit-address-family
exit
!
--------------------------------------------------------
(FROM HERE DIFFERENT)
route-map MAP_VTEP_IN deny 1
match evpn route-type prefix
exit
!
route-map MAP_VTEP_IN permit 2
exit
!
route-map MAP_VTEP_OUT permit 1
exit
!
line vty
Node 2
cat /etc/frr/frr.conf
Code:
frr version 8.2.2
frr defaults datacenter
hostname MYNODE2
log syslog informational
service integrated-vtysh-config
!
!
vrf vrf_evpnzon0
vni 10000
exit-vrf
!
router bgp 65000
bgp router-id 94.XX.XX.XX
no bgp default ipv4-unicast
coalesce-time 1000
neighbor VTEP peer-group
neighbor VTEP remote-as 65000
neighbor VTEP bfd
neighbor 88.XX.XX.XX peer-group VTEP
!
address-family ipv4 unicast
  import vrf vrf_evpnzon0
exit-address-family
!
address-family ipv6 unicast
  import vrf vrf_evpnzon0
exit-address-family
!
address-family l2vpn evpn
  neighbor VTEP route-map MAP_VTEP_IN in
  neighbor VTEP route-map MAP_VTEP_OUT out
  neighbor VTEP activate
  advertise-all-vni
exit-address-family
exit
!
router bgp 65000 vrf vrf_evpnzon0
bgp router-id 94.XX.XX.XX
!
address-family ipv4 unicast
  redistribute connected
exit-address-family
!
address-family ipv6 unicast
  redistribute connected
exit-address-family
!
address-family l2vpn evpn
  default-originate ipv4
  default-originate ipv6
exit-address-family
exit
!
--------------------------------------------------------
(FROM HERE DIFFERENT)
route-map MAP_VTEP_IN permit 1
exit
!
route-map MAP_VTEP_OUT permit 1
match evpn vni 10000
match evpn route-type prefix
set metric 200
exit
!
route-map MAP_VTEP_OUT permit 2
exit
!
line vty

See the FROM HERE DIFFERENT marker in each block.


dpkg -l|grep frr
Code:
ii  frr                                  8.2.2-1+pve1                   amd64        FRRouting suite of internet protocols (BGP, OSPF, IS-IS, ...)
ii  frr-pythontools                      8.2.2-1+pve1                   all          FRRouting suite - Python tools


In debug mode, it is not really showing anything useful; I even executed an ifreload -a.
tail -f /var/log/frr/frr.log
Code:
Nov 20 19:25:04 MYNODE1 zebra[32533]: [WPPMZ-G9797] if_zebra_speed_update: tap401i0 old speed: 0 new speed: 10
Nov 20 19:25:05 MYNODE1 zebra[32533]: [WPPMZ-G9797] if_zebra_speed_update: fwbr401i0 old speed: 0 new speed: 10000
Nov 20 19:25:05 MYNODE1 zebra[32533]: [WPPMZ-G9797] if_zebra_speed_update: fwpr401p0 old speed: 0 new speed: 10000
Nov 20 19:25:05 MYNODE1 zebra[32533]: [WPPMZ-G9797] if_zebra_speed_update: fwln401i0 old speed: 0 new speed: 10000
 
Hi, just tested on my side.
Sorry, I think that "sh ip bgp summary" should show peers, but it doesn't seem that EVPN peers are shown in the result.

Can you send the result of
"show bgp l2vpn evpn summary"


Also, if it's working,
vtysh -c "sh ip bgp l2vpn evpn"

should show at minimum lines with

"
Route Distinguisher: 94.XX.XX.XX
.....
Route Distinguisher: 88.XX.XX.XX
....
"
on both sides. (That means that EVPN routes are exchanged.)


The difference in frr.conf between both nodes is because you use exit-nodes and exit-nodes primary. (You don't need them for now; you can remove them.)
 
Okay, I removed the exit nodes; at least ifreload -a is not showing the warning (vrf_evpnzon0 : warning: vrf_evpnzon0: post-up cmd 'ip route del vrf vrf_evpnzon0 unreachable default metric 4278198272' failed: returned 2 (RTNETLINK answers: No such process)) anymore.


Node 1
vtysh -c "show bgp l2vpn evpn summary"
Code:
BGP router identifier 88.XX.XX.XX, local AS number 65000 vrf-id 0
BGP table version 0
RIB entries 11, using 2024 bytes of memory
Peers 1, using 723 KiB of memory
Peer groups 1, using 64 bytes of memory

Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt Desc
94.XX.XX.XX   4      65000         0         0        0    0    0    never       Active        0 N/A


Node 2
vtysh -c "show bgp l2vpn evpn summary"
Code:
BGP router identifier 94.XX.XX.XX, local AS number 65000 vrf-id 0
BGP table version 0
RIB entries 11, using 2024 bytes of memory
Peers 1, using 723 KiB of memory
Peer groups 1, using 64 bytes of memory

Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt Desc
88.XX.XX.XX     4      65000         0         0        0    0    0    never       Active        0 N/A

Total number of neighbors 1


And vtysh -c "sh ip bgp l2vpn evpn" is actually still looking the same as I already posted here. Hm, maybe now Route Distinguisher is written on every line, instead of just a few, when the exit nodes are removed.
Code:
BGP table version is 9, local router ID is 88.XX.XX.XX
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
EVPN type-1 prefix: [1]:[EthTag]:[ESI]:[IPlen]:[VTEP-IP]
EVPN type-2 prefix: [2]:[EthTag]:[MAClen]:[MAC]:[IPlen]:[IP]
EVPN type-3 prefix: [3]:[EthTag]:[IPlen]:[OrigIP]
EVPN type-4 prefix: [4]:[ESI]:[IPlen]:[OrigIP]
EVPN type-5 prefix: [5]:[EthTag]:[IPlen]:[IP]

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 88.XX.XX.XX:3
*> [3]:[0]:[32]:[88.XX.XX.XX]
                    88.XX.XX.XX(MYNODE1)
                                                       32768 i
                    ET:8 RT:65000:11000
Route Distinguisher: 88.XX.XX.XX:4
*> [3]:[0]:[32]:[88.XX.XX.XX]
                    88.XX.XX.XX(MYNODE1)
                                                       32768 i
                    ET:8 RT:65000:12000
Route Distinguisher: 88.XX.XX.XX:5
*> [3]:[0]:[32]:[88.XX.XX.XX]
                    88.XX.XX.XX(MYNODE1)
                                                       32768 i
                    ET:8 RT:65000:100001
Route Distinguisher: 88.XX.XX.XX:6
*> [3]:[0]:[32]:[88.XX.XX.XX]
                    88.XX.XX.XX(MYNODE1)
                                                       32768 i
                    ET:8 RT:65000:100002
Route Distinguisher: 88.XX.XX.XX:7
*> [3]:[0]:[32]:[88.XX.XX.XX]
                    88.XX.XX.XX(MYNODE1)
                                                       32768 i
                    ET:8 RT:65000:100003

Displayed 5 out of 5 total prefixes


But still, I get "destination host unreachable" when trying to ping a VM. I've put them in the same vnet (the docs say it is even possible to ping from one vnet to another). For me it's not even possible when in the same vnet.
 
vtysh -c "show bgp l2vpn evpn summary"

shows that it's not connected to the peer; you should have a timer in the "Up/Down" field instead of "never":

Code:
Neighbor                  V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt Desc
targetnode(88.x.x.x) 4      65000      8037      8037        0    1    0 06:40:33            1        1 N/A


Another possibility:

Can you try to edit frr.conf, remove the line "neighbor VTEP bfd" and restart the frr service (on both nodes)?

BFD is a verification protocol, and it runs on other ports:
udp/3784, udp/3785, udp/4784

They need to be open too.
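The reading rule given in the reply above (a timer under Up/Down and a prefix count under State/PfxRcd means Established; "never" plus a state name such as Active means no session) is easy to script, which helps when there are more than two nodes or when this is checked from monitoring. The following is an added example for this thread, not Proxmox or FRR code: it parses the neighbor table of `vtysh -c "show bgp l2vpn evpn summary"` and lists peers without an established session. The two samples are constructed from the outputs quoted in this thread, with documentation-range placeholder addresses.

```python
"""Flag EVPN BGP peers that are not Established in FRR's summary output.

Added example for this thread, not Proxmox or FRR code. It parses the table
printed by `vtysh -c "show bgp l2vpn evpn summary"`: a row whose State/PfxRcd
column holds a state name (Active, Connect, Idle, ...) instead of a prefix
count has no session, typically with "never" under Up/Down. On a node:
    vtysh -c "show bgp l2vpn evpn summary" | python3 evpn_peers.py
The samples are constructed from this thread, with placeholder addresses.
"""
import re
import sys

# Constructed: the broken state both nodes showed in the thread.
BROKEN = """\
BGP router identifier 192.0.2.1, local AS number 65000 vrf-id 0
BGP table version 0
RIB entries 11, using 2024 bytes of memory
Peers 1, using 723 KiB of memory
Peer groups 1, using 64 bytes of memory

Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt Desc
198.51.100.2    4      65000         0         0        0    0    0    never       Active        0 N/A

Total number of neighbors 1
"""

# Constructed: the healthy row quoted in the reply above.
HEALTHY = """\
Neighbor                  V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt Desc
targetnode(198.51.100.2)  4      65000      8037      8037        0    1    0 06:40:33            1        1 N/A
"""

_HEADER_RE = re.compile(r"^Neighbor\s+V\s+AS\s+")
# Neighbor column is either a bare address or "hostname(address)".
_NEIGHBOR_RE = re.compile(r"^(?:[\w.-]+\()?([0-9a-fA-F.:]+)\)?$")


def parse_summary(text):
    """One dict per neighbor row of a `show bgp ... summary` table."""
    peers, in_table = [], False
    for line in text.splitlines():
        if not in_table:
            in_table = bool(_HEADER_RE.match(line))
            continue
        if not line.strip():
            break                      # blank line ends the neighbor table
        fields = line.split()
        if len(fields) < 11:
            continue                   # e.g. "Total number of neighbors N"
        m = _NEIGHBOR_RE.match(fields[0])
        if not m:
            continue
        up_down, state = fields[8], fields[9]
        established = state.isdigit()  # Established peers show a prefix count here
        peers.append({
            "neighbor": m.group(1),
            "asn": int(fields[2]),
            "up_down": up_down,
            "state": "Established" if established else state,
            "prefixes_received": int(state) if established else 0,
            "established": established,
        })
    return peers


def unestablished_peers(text):
    """Rows whose session is not Established (the thread's "never / Active" case)."""
    return [p for p in parse_summary(text) if not p["established"]]


if __name__ == "__main__":
    output = sys.stdin.read() if not sys.stdin.isatty() else BROKEN
    rows = parse_summary(output)
    for p in rows:
        print(f"{'OK ' if p['established'] else 'BAD'} {p['neighbor']:<18} "
              f"{p['state']:<12} up/down={p['up_down']} pfx={p['prefixes_received']}")
    sys.exit(0 if rows and all(p["established"] for p in rows) else 1)
```

A peer stuck in Active or Connect only says that bgpd's own TCP session to tcp/179 is not completing; a manual telnet from the same host proving the port open does not replace this check. When it fails, the flows to verify between the peer addresses in both directions are the ones named in this thread: tcp/179 for BGP, udp/4789 for VXLAN, and, while `neighbor VTEP bfd` is in frr.conf, udp/3784, udp/3785 and udp/4784 for BFD.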
 
Removed the line and executed systemctl restart frr.service on both nodes.
Executing vtysh -c "show bgp l2vpn evpn summary" still shows "never" under Up/Down.
Again, double-checked it with the firewall deactivated.
 
Damn, I really don't know.

Can you try to enable debug logging with

Code:
log syslog debugging
debug zebra events
debug zebra vxlan
debug bgp zebra
debug bgp neighbor-events
debug bgp updates in
debug bgp updates out
debug bgp zebra

at the beginning of your frr.conf, then restart frr.

This should be logged in /var/log/frr/frr.log.
 
Put the log here:

https://pastebin.com/pFZPhQPe

A few "EVPN is not present for interface" and "ConnectRetry_timer_expired (Active->Connect)". Are there any hardware requirements for EVPN, or any specific latency, etc.?
Can you try to edit frr.conf and replace "frr defaults datacenter" by "frr defaults traditional"? It should increase the timers (I don't remember the exact values).

How much latency do you have between your nodes?

(There are no hardware requirements for EVPN. It's really the BGP connection which is not able to connect... I've never seen this...)
 
