[Openstack] able to ping but not able to ssh to instance

Srinivasreddy R srinivasreddy4390 at gmail.com
Fri Sep 19 04:11:17 UTC 2014


Hi,
I have checked the security group rules.
My instance is pinging the router and even a device in the external network.
Mostly my problem may be in the host's firewall.
How can I identify which rule is dropping the ssh traffic?
How can I confirm that ssh traffic is blocked at the firewall?
Is there any way to see the firewall's dropped packets?

thanks ,
srinivas.







On Thu, Sep 18, 2014 at 7:36 PM, Akilesh K <akilesh1597 at gmail.com> wrote:

> I believe you have checked the security group rules. Make sure the
> instance is able to ping the router. If yes, the problem lies in your host's
> firewall rules. Flush the host's iptables rules (you may take a backup before
> you do that).
>
> On Thu, Sep 18, 2014 at 7:32 PM, Srinivasreddy R <
> srinivasreddy4390 at gmail.com> wrote:
>
>> Hi,
>> thanks for your reply.
>>
>> 1. I have checked that the ssh server is running in the instance.
>>     ssh from one instance to another is possible using the private network [demo-net].
>> 2. Checked that ssh is running on port 22.
>> 3. telnet <ip>  22 is not working.
>>
>>
>> 4. Output when I run ssh in verbose mode is pasted at
>>
>> http://paste.openstack.org/show/112860/
>>
>>
>>
>>
>> ==================================
>> ip tables output
>>
>> My internal network for the VM is 11.0.0.x and the external network is 172.0.0.x
>>
>>
>> root@user-ThinkCentre-M73:/home/user# ip netns exec qrouter-f6e00f94-1c6d-4cf5-8cae-319e393240fe iptables -t nat -S
>> -P PREROUTING ACCEPT
>> -P INPUT ACCEPT
>> -P OUTPUT ACCEPT
>> -P POSTROUTING ACCEPT
>> -N neutron-l3-agent-OUTPUT
>> -N neutron-l3-agent-POSTROUTING
>> -N neutron-l3-agent-PREROUTING
>> -N neutron-l3-agent-float-snat
>> -N neutron-l3-agent-snat
>> -N neutron-postrouting-bottom
>> -A PREROUTING -j neutron-l3-agent-PREROUTING
>> -A OUTPUT -j neutron-l3-agent-OUTPUT
>> -A POSTROUTING -j neutron-l3-agent-POSTROUTING
>> -A POSTROUTING -j neutron-postrouting-bottom
>> -A neutron-l3-agent-OUTPUT -d 172.0.0.7/32 -j DNAT --to-destination 11.0.0.9
>> -A neutron-l3-agent-OUTPUT -d 172.0.0.3/32 -j DNAT --to-destination 11.0.0.2
>> -A neutron-l3-agent-OUTPUT -d 172.0.0.4/32 -j DNAT --to-destination 11.0.0.5
>> -A neutron-l3-agent-POSTROUTING ! -i qg-ec80d9fb-82 ! -o qg-ec80d9fb-82 -m conntrack ! --ctstate DNAT -j ACCEPT
>> -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
>> -A neutron-l3-agent-PREROUTING -d 172.0.0.7/32 -j DNAT --to-destination 11.0.0.9
>> -A neutron-l3-agent-PREROUTING -d 172.0.0.3/32 -j DNAT --to-destination 11.0.0.2
>> -A neutron-l3-agent-PREROUTING -d 172.0.0.4/32 -j DNAT --to-destination 11.0.0.5
>> -A neutron-l3-agent-float-snat -s 11.0.0.9/32 -j SNAT --to-source 172.0.0.7
>> -A neutron-l3-agent-float-snat -s 11.0.0.2/32 -j SNAT --to-source 172.0.0.3
>> -A neutron-l3-agent-float-snat -s 11.0.0.5/32 -j SNAT --to-source 172.0.0.4
>> -A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
>> -A neutron-l3-agent-snat -s 11.0.0.0/24 -j SNAT --to-source 172.0.0.2
>> -A neutron-postrouting-bottom -j neutron-l3-agent-snat
>>
>>
>>
>>
>> =====================
>> I pasted my dump flows of br-tun at
>> http://paste.openstack.org/show/112859/
>>
>>
>>
>> As per the doc
>>  https://openstack.redhat.com/Networking_in_too_much_detail
>>
>> br-ex is connected to the router, the router is connected to br-int, and br-int is
>> connected to br-tun.
>>
>> I have captured at br-int. My ssh request is reaching br-int but not
>> going through the tunnel.
>>
>> Please help me.
>>
>>
>>
>>
>> thanks,
>> srinivas.
>>
>>
>>
>>
>> On Wed, Sep 17, 2014 at 9:30 PM, Sajith Kariyawasam <sajhak at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> Could be due to,
>>>     ssh server is not up and running in your instance,
>>>     or running in a different port rather than port 22,
>>>     or, ssh port access is restricted in openstack key pair configuration
>>>
>>> You could also try telnet to check the connectivity,
>>> $ telnet <ip> 22
>>>
>>> Thanks,
>>> Sajith
>>>
>>>
>>> On Wed, Sep 17, 2014 at 8:59 PM, Zoltán Lajos Kis <
>>> zoltan.lajos.kis at ericsson.com> wrote:
>>>
>>>>  Hi,
>>>>
>>>>
>>>>
>>>> What’s the output of running ssh with the verbose (-v) flag?
>>>>
>>>>
>>>>
>>>> BR,
>>>>
>>>> Zoltan
>>>>
>>>>
>>>>
>>>> *From:* Srinivasreddy R [mailto:srinivasreddy4390 at gmail.com]
>>>> *Sent:* Wednesday, September 17, 2014 5:16 PM
>>>> *To:* openstack at lists.openstack.org
>>>> *Subject:* [Openstack] able to ping but not able to ssh to instance
>>>>
>>>>
>>>>
>>>> Hi,
>>>>
>>>> I am able to ping my instance from the external network,
>>>>
>>>> but not able to ssh to the instance.
>>>>
>>>> I am using floating IPs for ping and ssh.
>>>>
>>>> Please help me.
>>>>
>>>> thanks,
>>>> srinivas.
>>>>
>>>> _______________________________________________
>>>> Mailing list:
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>> Post to     : openstack at lists.openstack.org
>>>> Unsubscribe :
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>
>>>>
>>>
>>>
>>> --
>>> Best Regards
>>> Sajith
>>>
>>
>>
>
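
One way to answer the question at the top of this message (which rule is dropping the ssh traffic) is to compare rule packet counters before and after a connection attempt. The script below is an added example, not part of the thread: `dropped_between`, `sample_before`, `sample_after` and `demo` are hypothetical names, and the two snapshots are constructed sample data in `iptables-save -c` format.

```shell
#!/bin/sh
# Added example (not from the thread). On a real host the snapshots would come from:
#   iptables-save -c > before; <attempt the ssh connection>; iptables-save -c > after
# (prefix with "ip netns exec <qrouter-namespace>" to inspect the router namespace).

# dropped_between BEFORE AFTER
# Prints "<new packets>\t<table>\t<rule>" for every DROP/REJECT rule, or chain
# with a DROP policy, whose packet counter rose between the two snapshots.
dropped_between() {
    awk '
    function pkts(s) { sub(/^\[/, "", s); sub(/:.*/, "", s); return s + 0 }
    { key = "" }
    /^\*/ { table = substr($0, 2) }                  # "*filter", "*nat", ...
    /^:/ && $2 == "DROP" {                           # ":FORWARD DROP [4:240]"
        key = table SUBSEP "policy " substr($1, 2) " DROP"; n = pkts($3)
    }
    /^\[/ && / -j (DROP|REJECT)( |$)/ {              # "[3:180] -A ... -j REJECT ..."
        rule = $0; sub(/^\[[0-9]+:[0-9]+\] /, "", rule)
        key = table SUBSEP rule; n = pkts($1)
    }
    key == "" { next }                               # not a dropping rule or policy
    FNR == NR { before[key] = n; next }              # first file: remember counters
    n > before[key] {
        split(key, k, SUBSEP)
        printf "%d\t%s\t%s\n", n - before[key], k[1], k[2]
    }' "$1" "$2"
}

# Constructed sample snapshots (illustrative values, not taken from the thread).
sample_before() { cat <<'EOF'
*filter
:INPUT ACCEPT [100:8000]
:FORWARD DROP [4:240]
[50:4200] -A FORWARD -p icmp -j ACCEPT
[0:0] -A FORWARD -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
[7:420] -A INPUT -p tcp -m tcp --dport 23 -j DROP
COMMIT
EOF
}
sample_after() { sample_before | sed -e 's/^\[50:4200\]/[58:4872]/' -e 's/^\[0:0\]/[3:180]/'; }

demo() {
    d=$(mktemp -d) || return 1
    sample_before > "$d/before"; sample_after > "$d/after"
    dropped_between "$d/before" "$d/after"
    rm -rf "$d"
}
```

Rules whose counters did not move are not listed, so on a busy host the output narrows the search to the rules that matched traffic during the test window.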