<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>Hi Masoom,</div>
<div><br>
</div>
<div>I assume your instance is connected to a tenant network that is attached to a router, and the router is attached to a publicly-accessible network? Are you able to hop into the router via ‘ip netns exec qrouter-xxxxx’ and initiate successful pings to the
outside world? If that doesn’t work, your instance will not be able to get out, either. You may also want to ensure the floating IP is setup correctly within the qrouter namespace. You should see the IP configured as a secondary address on the ‘qg’ interface,
and iptables rules are setup to handle the NAT.</div>
<div><br>
</div>
<div>I would look to resolve connectivity to your instance via the router before working on the VPN. Good luck!</div>
<div><br>
</div>
<div>James</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>masoom alam <<a href="mailto:masoom.alam@gmail.com">masoom.alam@gmail.com</a>><br>
<span style="font-weight:bold">Date: </span>Monday, September 29, 2014 at 4:52 AM<br>
<span style="font-weight:bold">To: </span>"<<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>>" <<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>><br>
<span style="font-weight:bold">Subject: </span>[Openstack] ssh cirros@<floating-ip> not working - what can be the possible reason<br>
</div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">Hi every one,
<div><br>
</div>
<div><b>Context:</b></div>
<div>We are trying to setup a VPN site -to-site connection, but every time it show us down in the status. We have then decided to backtrack and find the problem. </div>
<div><br>
</div>
<div>
<ol>
<li>We cannot <span style="color:rgb(0,0,0);line-height:1.1em;white-space:pre-wrap;background-color:rgb(246,246,246)">ssh</span><span style="color:rgb(0,0,0);line-height:1.1em;white-space:pre-wrap;background-color:rgb(246,246,246)"></span><span style="color:rgb(0,0,0);line-height:1.1em;white-space:pre-wrap;background-color:rgb(246,246,246)">cirros</span><span style="color:rgb(0,0,0);line-height:1.1em;white-space:pre-wrap;background-color:rgb(246,246,246)">@</span><span style="color:rgb(0,0,0);line-height:1.1em;white-space:pre-wrap;background-color:rgb(246,246,246)"><</span><span style="color:rgb(0,0,0);line-height:1.1em;white-space:pre-wrap;background-color:rgb(246,246,246)">floating</span><span style="color:rgb(0,0,0);line-height:1.1em;white-space:pre-wrap;background-color:rgb(246,246,246)">-</span><span style="color:rgb(0,0,0);line-height:1.1em;white-space:pre-wrap;background-color:rgb(246,246,246)">ip</span><span style="color:rgb(0,0,0);line-height:1.1em;white-space:pre-wrap;background-color:rgb(246,246,246)">>,
however by using sudo ip netdns command, we can ssh to the private ip of the instance. Any clue why?</span></li><li><span style="color:rgb(0,0,0);line-height:1.1em;white-space:pre-wrap;background-color:rgb(246,246,246)">From within host which is running all-in-one Openstack setup, we can ping any public address such as
<a href="http://google.com">google.com</a>, but from within CirrOS, we cannot do so. Any clue for this?</span></li><li><span style="color:rgb(0,0,0);line-height:1.1em;white-space:pre-wrap;background-color:rgb(246,246,246)">Please note that Neutron firewall is disabled and proper security group rules are in place such as the following:
<pre style="white-space:pre-wrap;margin-top:0.5em;margin-bottom:0.5em;padding:0px;line-height:1.1em"><span style="line-height:13px;color:rgb(204,51,51)"># create security profile for jump host</span><span class="" style="color:rgb(34,34,34);background:rgb(255,255,204)">neutron</span> security-group-create jumphost
<span style="line-height:13px;color:rgb(204,51,51)"># Add rule to allow icmp in</span><span class="" style="color:rgb(34,34,34);background:rgb(255,255,204)">neutron</span> security-group-rule-create --protocol icmp jumphost
<span style="line-height:13px;color:rgb(204,51,51)"># Add rule to allow ssh in</span><span class="" style="color:rgb(34,34,34);background:rgb(255,255,204)">neutron</span> security-group-rule-create --protocol tcp --port-range-min <span style="line-height:13px">22</span> --port-range-max <span style="line-height:13px">22</span> jumphost</pre>
</span></li><li>
<pre style="white-space:pre-wrap;margin-top:0.5em;margin-bottom:0.5em;padding:0px;line-height:1.1em">traceroute commands from within Cirros to our public interface works well, but to <a href="http://google.com">google.com</a> is not working. </pre>
</li></ol>
<div><font face="monospace"><span style="line-height:13.1999998092651px;white-space:pre-wrap"><br>
</span></font></div>
</div>
<div><font face="monospace"><span style="line-height:13.1999998092651px;white-space:pre-wrap">I am wondering, host system firewall is disabled via "sudo ufw disable", neutron firewall is also disabled
</span></font><span style="color: rgb(0, 0, 0); font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; font-size: 12px; line-height: 15.6000003814697px; white-space: pre;">firewall_driver=nova.virt.firewall.NoopFirewallDriver
</span>what else<span style="color: rgb(0, 0, 0); font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; font-size: 12px; line-height: 15.6000003814697px; white-space: pre;">?</span></div>
<div><span style="color: rgb(0, 0, 0); font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; font-size: 12px; line-height: 15.6000003814697px; white-space: pre;"><br>
</span></div>
<div><span style="color: rgb(0, 0, 0); font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; font-size: 12px; line-height: 15.6000003814697px; white-space: pre;">Another point, whenever we reboot neutron node, it destroys all
the settings, nothing is there - you can say VM is no more usable - that is corrupted any pointers to this problem? Also adding a default gw by using the "</span><span style="color: rgb(38, 38, 38); font-family: arial, sans-serif; font-size: 13px; line-height: 16px;">sudo
route add default gw <public address> eth0" will corrupt the VM :)</span></div>
<div><span style="color: rgb(0, 0, 0); font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; font-size: 12px; line-height: 15.6000003814697px; white-space: pre;"><br>
</span></div>
<div><span style="color: rgb(0, 0, 0); font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; font-size: 12px; line-height: 15.6000003814697px; white-space: pre;">Last but not the least, every example in the context of the VPNaaS
takes a local network as an example, if we are having devstack nodes on two different nodes with two different public ip addresses, do we need to have a GRE tunnel in between them before going to site-to-site connection? I know it was mandatory for Racoon
based ipsec tunnels.</span></div>
<div><span style="color: rgb(0, 0, 0); font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; font-size: 12px; line-height: 15.6000003814697px; white-space: pre;"><br>
</span></div>
<div><span style="color: rgb(0, 0, 0); font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; font-size: 12px; line-height: 15.6000003814697px; white-space: pre;">Please guide.
</span></div>
<div><span style="color: rgb(0, 0, 0); font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; font-size: 12px; line-height: 15.6000003814697px; white-space: pre;"><br>
</span></div>
<div><span style="color: rgb(0, 0, 0); font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; font-size: 12px; line-height: 15.6000003814697px; white-space: pre;"><br>
</span></div>
<div><span style="color: rgb(0, 0, 0); font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; font-size: 12px; line-height: 15.6000003814697px; white-space: pre;"><br>
</span></div>
<div><span style="color: rgb(0, 0, 0); font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; font-size: 12px; line-height: 15.6000003814697px; white-space: pre;"><br>
</span></div>
<div><span style="color: rgb(0, 0, 0); font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; font-size: 12px; line-height: 15.6000003814697px; white-space: pre;"><br>
</span></div>
</div>
</div>
</div>
</span>
</body>
</html>