[Openstack] able to ping but not able to ssh to instance
Srinivasreddy R
srinivasreddy4390 at gmail.com
Tue Sep 23 09:37:13 UTC 2014
Hi all,
Thanks for your support.
Now I am able to access the instance from the external network.
From the guide:
http://docs.openstack.org/admin-guide-cloud/admin-guide-cloud.pdf
chapter: Enable ping and SSH on VMs
Thanks,
Srinivas.
On Fri, Sep 19, 2014 at 10:04 PM, Srinivasreddy R <
srinivasreddy4390 at gmail.com> wrote:
> Hi,
>
>
>
> Tried to ssh from the network node to the instance.
>
> Observed that ssh packets are transmitted to and from, but the
> connection is not established.
>
> What may be the reason?
>
> Below are a few dumps along the path from the external network of the network node to
> the instance.
>
> My instance overview is pasted at
>
> http://paste.openstack.org/show/113366/
>
> root@user-ThinkCentre-M73:/home/user# ssh cirros@172.0.0.4 -vvv
>
> OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
>
> debug1: Reading configuration data /etc/ssh/ssh_config
>
> debug1: /etc/ssh/ssh_config line 19: Applying options for *
>
> debug2: ssh_connect: needpriv 0
>
> debug1: Connecting to 172.0.0.4 [172.0.0.4] port 22.
>
> debug1: Connection established.
>
> debug1: permanently_set_uid: 0/0
>
> debug1: identity file /root/.ssh/id_rsa type -1
>
> debug1: identity file /root/.ssh/id_rsa-cert type -1
>
> debug1: identity file /root/.ssh/id_dsa type -1
>
> debug1: identity file /root/.ssh/id_dsa-cert type -1
>
> debug1: identity file /root/.ssh/id_ecdsa type -1
>
> debug1: identity file /root/.ssh/id_ecdsa-cert type -1
>
> debug1: identity file /root/.ssh/id_ed25519 type -1
>
> debug1: identity file /root/.ssh/id_ed25519-cert type -1
>
> debug1: Enabling compatibility mode for protocol 2.0
>
> debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
>
> debug1: Remote protocol version 2.0, remote software version dropbear_2012.55
>
> debug1: no match: dropbear_2012.55
>
> debug2: fd 3 setting O_NONBLOCK
>
> debug3: load_hostkeys: loading entries for host "172.0.0.4" from file "/root/.ssh/known_hosts"
>
> debug3: load_hostkeys: loaded 0 keys
>
> debug1: SSH2_MSG_KEXINIT sent
>
> debug1: SSH2_MSG_KEXINIT received
>
> debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>
> debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss
>
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
>
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
>
> debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
>
> debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
>
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
>
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
>
> debug2: kex_parse_kexinit:
>
> debug2: kex_parse_kexinit:
>
> debug2: kex_parse_kexinit: first_kex_follows 0
>
> debug2: kex_parse_kexinit: reserved 0
>
> debug2: kex_parse_kexinit: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
>
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>
> debug2: kex_parse_kexinit: aes128-ctr,3des-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc
>
> debug2: kex_parse_kexinit: aes128-ctr,3des-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc
>
> debug2: kex_parse_kexinit: hmac-sha1-96,hmac-sha1,hmac-md5
>
> debug2: kex_parse_kexinit: hmac-sha1-96,hmac-sha1,hmac-md5
>
> debug2: kex_parse_kexinit: none
>
> debug2: kex_parse_kexinit: none
>
> debug2: kex_parse_kexinit:
>
> debug2: kex_parse_kexinit:
>
> debug2: kex_parse_kexinit: first_kex_follows 0
>
> debug2: kex_parse_kexinit: reserved 0
>
> debug2: mac_setup: setup hmac-md5
>
> debug1: kex: server->client aes128-ctr hmac-md5 none
>
> debug2: mac_setup: setup hmac-md5
>
> debug1: kex: client->server aes128-ctr hmac-md5 none
>
> debug2: bits set: 1019/2048
>
> debug1: sending SSH2_MSG_KEXDH_INIT
>
> debug1: expecting SSH2_MSG_KEXDH_REPLY
>
> Read from socket failed: Connection timed out
>
> Ifconfig of the router namespace on the network node:
>
> root@user-ThinkCentre-M73:/home/user# ip netns exec qrouter-f6e00f94-1c6d-4cf5-8cae-319e393240fe ifconfig
>
> lo Link encap:Local Loopback
>
> inet addr:127.0.0.1 Mask:255.0.0.0
>
> inet6 addr: ::1/128 Scope:Host
>
> UP LOOPBACK RUNNING MTU:65536 Metric:1
>
> RX packets:48 errors:0 dropped:0 overruns:0 frame:0
>
> TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
>
> collisions:0 txqueuelen:0
>
> RX bytes:3924 (3.9 KB) TX bytes:3924 (3.9 KB)
>
>
>
> qg-ec80d9fb-82 Link encap:Ethernet HWaddr fa:16:3e:b4:4e:6e
>
> inet addr:172.0.0.2 Bcast:172.0.0.255 Mask:255.255.255.0
>
> inet6 addr: fe80::f816:3eff:feb4:4e6e/64 Scope:Link
>
> UP BROADCAST RUNNING MTU:1500 Metric:1
>
> RX packets:1222 errors:0 dropped:0 overruns:0 frame:0
>
> TX packets:1105 errors:0 dropped:0 overruns:0 carrier:0
>
> collisions:0 txqueuelen:0
>
> RX bytes:345583 (345.5 KB) TX bytes:112480 (112.4 KB)
>
>
>
> qr-72d38d5b-5c Link encap:Ethernet HWaddr fa:16:3e:6a:fd:ce
>
> inet addr:11.0.0.1 Bcast:11.0.0.255 Mask:255.255.255.0
>
> inet6 addr: fe80::f816:3eff:fe6a:fdce/64 Scope:Link
>
> UP BROADCAST RUNNING MTU:1500 Metric:1
>
> RX packets:19529 errors:0 dropped:0 overruns:0 frame:0
>
> TX packets:1283 errors:0 dropped:0 overruns:0 carrier:0
>
> collisions:0 txqueuelen:0
>
> RX bytes:3046631 (3.0 MB) TX bytes:349969 (349.9 KB)
>
> Tcpdump at the interface connected to the external bridge [br-ex] on the network
> node:
>
> root@user-ThinkCentre-M73:/home/user# ip netns exec qrouter-f6e00f94-1c6d-4cf5-8cae-319e393240fe tcpdump -i qg-ec80d9fb-82
>
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>
> listening on qg-ec80d9fb-82, link-type EN10MB (Ethernet), capture size 65535 bytes
>
> ^C05:48:45.486622 IP 172.0.0.117.55818 > 172.0.0.4.ssh: Flags [S], seq 3976398776, win 29200, options [mss 1460,sackOK,TS val 4692954 ecr 0,nop,wscale 7], length 0
>
> 05:48:45.487671 IP 172.0.0.4.ssh > 172.0.0.117.55818: Flags [S.], seq 3831484282, ack 3976398777, win 14480, options [mss 1460,sackOK,TS val 44193412 ecr 4692954,nop,wscale 3], length 0
>
> 05:48:45.487720 IP 172.0.0.117.55818 > 172.0.0.4.ssh: Flags [.], ack 1, win 229, options [nop,nop,TS val 4692954 ecr 44193412], length 0
>
> 05:48:45.488031 IP 172.0.0.117.55818 > 172.0.0.4.ssh: Flags [P.], seq 1:42, ack 1, win 229, options [nop,nop,TS val 4692954 ecr 44193412], length 41
>
> 05:48:45.488678 IP 172.0.0.4.ssh > 172.0.0.117.55818: Flags [.], ack 42, win 1810, options [nop,nop,TS val 44193412 ecr 4692954], length 0
>
> 05:48:45.488933 IP 172.0.0.4.ssh > 172.0.0.117.55818: Flags [P.], seq 1:27, ack 42, win 1810, options [nop,nop,TS val 44193412 ecr 4692954], length 26
>
> 05:48:45.488992 IP 172.0.0.117.55818 > 172.0.0.4.ssh: Flags [.], ack 27, win 229, options [nop,nop,TS val 4692954 ecr 44193412], length 0
>
> 05:48:45.489245 IP 172.0.0.117.55818 > 172.0.0.4.ssh: Flags [.], seq 42:1490, ack 27, win 229, options [nop,nop,TS val 4692954 ecr 44193412], length 1448
>
> 05:48:45.489290 IP 172.0.0.117.55818 > 172.0.0.4.ssh: Flags [P.], seq 1490:2010, ack 27, win 229, options [nop,nop,TS val 4692954 ecr 44193412], length 520
>
> 05:48:45.489847 IP 172.0.0.4.ssh > 172.0.0.117.55818: Flags [P.], seq 27:443, ack 42, win 1810, options [nop,nop,TS val 44193412 ecr 4692954], length 416
>
> 05:48:45.490316 IP 172.0.0.4.ssh > 172.0.0.117.55818: Flags [.], ack 42, win 1810, options [nop,nop,TS val 44193412 ecr 4692954,nop,nop,sack 1 {1490:2010}], length 0
>
> 05:48:45.490386 IP 172.0.0.117.55818 > 172.0.0.4.ssh: Flags [.], seq 42:1490, ack 443, win 237, options [nop,nop,TS val 4692955 ecr 44193412], length 1448
>
> 05:48:45.691646 IP 172.0.0.4.ssh > 172.0.0.117.55818: Flags [P.], seq 27:443, ack 42, win 1810, options [nop,nop,TS val 44193463 ecr 4692954,nop,nop,sack 1 {1490:2010}], length 416
>
> 05:48:45.691690 IP 172.0.0.117.55818 > 172.0.0.4.ssh: Flags [.], ack 443, win 237, options [nop,nop,TS val 4693005 ecr 44193463,nop,nop,sack 1 {27:443}], length 0
>
> 05:48:45.694466 IP 172.0.0.117.55818 > 172.0.0.4.ssh: Flags [.], seq 42:1490, ack 443, win 237, options [nop,nop,TS val 4693006 ecr 44193463], length 1448
>
> 05:48:46.102461 IP 172.0.0.117.55818 > 172.0.0.4.ssh: Flags [.], seq 42:1490, ack 443, win 237, options [nop,nop,TS val 4693108 ecr 44193463], length 1448
>
> 05:48:46.918464 IP 172.0.0.117.55818 > 172.0.0.4.ssh: Flags [.], seq 42:1490, ack 443, win 237, options [nop,nop,TS val 4693312 ecr 44193463], length 1448
>
> 05:48:48.554444 IP 172.0.0.117.55818 > 172.0.0.4.ssh: Flags [.], seq 42:1490, ack 443, win 237, options [nop,nop,TS val 4693721 ecr 44193463], length 1448
>
> 05:48:50.502461 ARP, Request who-has 172.0.0.117 tell 172.0.0.2, length 28
>
> 05:48:50.502547 ARP, Request who-has 172.0.0.4 tell 172.0.0.117, length 28
>
> 05:48:50.502559 ARP, Reply 172.0.0.4 is-at fa:16:3e:b4:4e:6e (oui Unknown), length 28
>
> 05:48:50.502597 ARP, Reply 172.0.0.117 is-at 68:05:ca:0e:6b:b6 (oui Unknown), length 28
>
> 05:48:51.830441 IP 172.0.0.117.55818 > 172.0.0.4.ssh: Flags [.], seq 42:1490, ack 443, win 237, options [nop,nop,TS val 4694540 ecr 44193463], length 1448
>
> 05:48:58.374756 IP 172.0.0.117.55818 > 172.0.0.4.ssh: Flags [.], seq 42:1490, ack 443, win 237, options [nop,nop,TS val 4696176 ecr 44193463], length 1448
>
> 05:49:11.462560 IP 172.0.0.117.55818 > 172.0.0.4.ssh: Flags [.], seq 42:1490, ack 443, win 237, options [nop,nop,TS val 4699448 ecr 44193463], length 1448
>
> 05:49:37.606548 IP 172.0.0.117.55818 > 172.0.0.4.ssh: Flags [.], seq 42:1490, ack 443, win 237, options [nop,nop,TS val 4705984 ecr 44193463], length 1448
>
> 05:49:42.614737 ARP, Request who-has 172.0.0.4 tell 172.0.0.117, length 28
>
> 05:49:42.614769 ARP, Reply 172.0.0.4 is-at fa:16:3e:b4:4e:6e (oui Unknown), length 28
>
> 05:50:29.958757 IP 172.0.0.117.55818 > 172.0.0.4.ssh: Flags [.], seq 42:1490, ack 443, win 237, options [nop,nop,TS val 4719072 ecr 44193463], length 1448
>
> 05:50:34.966723 ARP, Request who-has 172.0.0.4 tell 172.0.0.117, length 28
>
> 05:50:34.966750 ARP, Reply 172.0.0.4 is-at fa:16:3e:b4:4e:6e (oui Unknown), length 28
>
> Tcpdump at the tap interface connected to the instance on the compute node.
>
> This tap interface is connected to br-int on the compute node.
>
> root@user-ThinkCentre-M73:/home/user# tcpdump -i tapb0373360-21 port 22
>
> tcpdump: WARNING: tapb0373360-21: no IPv4 address assigned
>
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>
> listening on tapb0373360-21, link-type EN10MB (Ethernet), capture size 65535 bytes
>
> 05:49:00.295624 IP 172.0.0.117.55818 > 11.0.0.5.ssh: Flags [S], seq 3976398776, win 29200, options [mss 1460,sackOK,TS val 4692954 ecr 0,nop,wscale 7], length 0
>
> 05:49:00.295758 IP 11.0.0.5.ssh > 172.0.0.117.55818: Flags [S.], seq 3831484282, ack 3976398777, win 14480, options [mss 1460,sackOK,TS val 44193412 ecr 4692954,nop,wscale 3], length 0
>
> 05:49:00.296464 IP 172.0.0.117.55818 > 11.0.0.5.ssh: Flags [.], ack 1, win 229, options [nop,nop,TS val 4692954 ecr 44193412], length 0
>
> 05:49:00.296738 IP 172.0.0.117.55818 > 11.0.0.5.ssh: Flags [P.], seq 1:42, ack 1, win 229, options [nop,nop,TS val 4692954 ecr 44193412], length 41
>
> 05:49:00.296798 IP 11.0.0.5.ssh > 172.0.0.117.55818: Flags [.], ack 42, win 1810, options [nop,nop,TS val 44193412 ecr 4692954], length 0
>
> 05:49:00.297069 IP 11.0.0.5.ssh > 172.0.0.117.55818: Flags [P.], seq 1:27, ack 42, win 1810, options [nop,nop,TS val 44193412 ecr 4692954], length 26
>
> 05:49:00.297122 IP 11.0.0.5.ssh > 172.0.0.117.55818: Flags [P.], seq 27:443, ack 42, win 1810, options [nop,nop,TS val 44193412 ecr 4692954], length 416
>
> 05:49:00.297717 IP 172.0.0.117.55818 > 11.0.0.5.ssh: Flags [.], ack 27, win 229, options [nop,nop,TS val 4692954 ecr 44193412], length 0
>
> 05:49:00.298022 IP 172.0.0.117.55818 > 11.0.0.5.ssh: Flags [P.], seq 1490:2010, ack 27, win 229, options [nop,nop,TS val 4692954 ecr 44193412], length 520
>
> 05:49:00.298073 IP 11.0.0.5.ssh > 172.0.0.117.55818: Flags [.], ack 42, win 1810, options [nop,nop,TS val 44193412 ecr 4692954,nop,nop,sack 1 {1490:2010}], length 0
>
> 05:49:00.498896 IP 11.0.0.5.ssh > 172.0.0.117.55818: Flags [P.], seq 27:443, ack 42, win 1810, options [nop,nop,TS val 44193463 ecr 4692954,nop,nop,sack 1 {1490:2010}], length 416
>
> 05:49:00.500531 IP 172.0.0.117.55818 > 11.0.0.5.ssh: Flags [.], ack 443, win 237, options [nop,nop,TS val 4693005 ecr 44193463,nop,nop,sack 1 {27:443}], length 0
>
>
>
>
>
>
>
>
>
>
>
>
>
> Thanks,
>
> Srinivas.
>
>
>
>
>
>
>
>
>
>
>
> On Fri, Sep 19, 2014 at 3:32 PM, Raghu Vadapalli <rvatspacket at gmail.com>
> wrote:
>
>> Just to confirm if iptables are the issue try stopping iptables and see
>> if it works and then you can debug further.
>> —
>> Sent from Mailbox <https://www.dropbox.com/mailbox>
>>
>>
>> On Fri, Sep 19, 2014 at 3:55 AM, Srinivasreddy R <
>> srinivasreddy4390 at gmail.com> wrote:
>>
>>> Hi,
>>> I had added a rule for (ingress, tcp, port 22 and cidr 0.0.0.0/0).
>>> Still not able to ssh.
>>>
>>> My instance overview:
>>> http://paste.openstack.org/show/113170/
>>>
>>>
>>> I pasted my iptables [nat, mangle, filter] output.
>>>
>>> Please let me know if I need to add or delete anything in iptables.
>>>
>>> http://paste.openstack.org/show/113164/
>>>
>>>
>>> thanks,
>>> srinivas.
>>>
>>>
>>>
>>> On Fri, Sep 19, 2014 at 12:39 PM, Akilesh K <akilesh1597 at gmail.com>
>>> wrote:
>>>
>>>> The mail from Andreas was correct: you need to add a rule for
>>>> (ingress, tcp, port 22 and cidr 0.0.0.0/0).
>>>>
>>>> In case the rule is already there, check the host firewall rules using
>>>> iptables -t nat -L
>>>> iptables -t mangle -L
>>>> iptables -t filter -L
>>>>
>>>> None of the tables should have any rule.
>>>>
>>>> On Fri, Sep 19, 2014 at 9:41 AM, Srinivasreddy R <
>>>> srinivasreddy4390 at gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>> I have checked the security group rules.
>>>>> My instance is pinging the router and even a device in the external
>>>>> network.
>>>>> Mostly, my problem may be in the host's firewall.
>>>>> How can I identify which rule is dropping the ssh traffic?
>>>>> How can I confirm that ssh traffic is blocked at the firewall?
>>>>> Is there any way to see the packets dropped by the firewall?
>>>>>
>>>>> thanks ,
>>>>> srinivas.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Sep 18, 2014 at 7:36 PM, Akilesh K <akilesh1597 at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> I believe you have checked the security group rules. Make sure the
>>>>>> instance is able to ping the router. If yes, the problem lies in your host's
>>>>>> firewall rules. Flush the host's iptables rules (you may take a backup before
>>>>>> you do that).
>>>>>>
>>>>>> On Thu, Sep 18, 2014 at 7:32 PM, Srinivasreddy R <
>>>>>> srinivasreddy4390 at gmail.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>> Thanks for your reply.
>>>>>>>
>>>>>>> 1. I have checked that the ssh server is running in the instance.
>>>>>>> ssh from one instance to another is possible using the private
>>>>>>> network [demo-net].
>>>>>>> 2. Checked that ssh is running on port 22.
>>>>>>> 3. telnet <ip> 22 is not working.
>>>>>>>
>>>>>>>
>>>>>>> 4. Output when I run ssh using verbose is pasted at
>>>>>>>
>>>>>>> http://paste.openstack.org/show/112860/
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ==================================
>>>>>>> iptables output
>>>>>>>
>>>>>>> My internal network for VMs is 11.0.0.x and the external network is
>>>>>>> 172.0.0.x.
>>>>>>>
>>>>>>>
>>>>>>> root@user-ThinkCentre-M73:/home/user# ip netns exec qrouter-f6e00f94-1c6d-4cf5-8cae-319e393240fe iptables -t nat -S
>>>>>>> -P PREROUTING ACCEPT
>>>>>>> -P INPUT ACCEPT
>>>>>>> -P OUTPUT ACCEPT
>>>>>>> -P POSTROUTING ACCEPT
>>>>>>> -N neutron-l3-agent-OUTPUT
>>>>>>> -N neutron-l3-agent-POSTROUTING
>>>>>>> -N neutron-l3-agent-PREROUTING
>>>>>>> -N neutron-l3-agent-float-snat
>>>>>>> -N neutron-l3-agent-snat
>>>>>>> -N neutron-postrouting-bottom
>>>>>>> -A PREROUTING -j neutron-l3-agent-PREROUTING
>>>>>>> -A OUTPUT -j neutron-l3-agent-OUTPUT
>>>>>>> -A POSTROUTING -j neutron-l3-agent-POSTROUTING
>>>>>>> -A POSTROUTING -j neutron-postrouting-bottom
>>>>>>> -A neutron-l3-agent-OUTPUT -d 172.0.0.7/32 -j DNAT --to-destination 11.0.0.9
>>>>>>> -A neutron-l3-agent-OUTPUT -d 172.0.0.3/32 -j DNAT --to-destination 11.0.0.2
>>>>>>> -A neutron-l3-agent-OUTPUT -d 172.0.0.4/32 -j DNAT --to-destination 11.0.0.5
>>>>>>> -A neutron-l3-agent-POSTROUTING ! -i qg-ec80d9fb-82 ! -o qg-ec80d9fb-82 -m conntrack ! --ctstate DNAT -j ACCEPT
>>>>>>> -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
>>>>>>> -A neutron-l3-agent-PREROUTING -d 172.0.0.7/32 -j DNAT --to-destination 11.0.0.9
>>>>>>> -A neutron-l3-agent-PREROUTING -d 172.0.0.3/32 -j DNAT --to-destination 11.0.0.2
>>>>>>> -A neutron-l3-agent-PREROUTING -d 172.0.0.4/32 -j DNAT --to-destination 11.0.0.5
>>>>>>> -A neutron-l3-agent-float-snat -s 11.0.0.9/32 -j SNAT --to-source 172.0.0.7
>>>>>>> -A neutron-l3-agent-float-snat -s 11.0.0.2/32 -j SNAT --to-source 172.0.0.3
>>>>>>> -A neutron-l3-agent-float-snat -s 11.0.0.5/32 -j SNAT --to-source 172.0.0.4
>>>>>>> -A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
>>>>>>> -A neutron-l3-agent-snat -s 11.0.0.0/24 -j SNAT --to-source 172.0.0.2
>>>>>>> -A neutron-postrouting-bottom -j neutron-l3-agent-snat
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> =====================
>>>>>>> I pasted my dump flows of br-tun at
>>>>>>> http://paste.openstack.org/show/112859/
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> As per the doc
>>>>>>> https://openstack.redhat.com/Networking_in_too_much_detail
>>>>>>>
>>>>>>> br-ex is connected to the router, the router is connected to br-int,
>>>>>>> and br-int is connected to br-tun.
>>>>>>>
>>>>>>> I have captured at br-int. My ssh request is reaching br-int but
>>>>>>> not going through the tunnel.
>>>>>>>
>>>>>>> Please help me.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> thanks,
>>>>>>> srinivas.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Sep 17, 2014 at 9:30 PM, Sajith Kariyawasam <
>>>>>>> sajhak at gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Could be due to,
>>>>>>>> ssh server is not up and running in your instance,
>>>>>>>> or running in a different port rather than port 22,
>>>>>>>> or, ssh port access is restricted in openstack key pair
>>>>>>>> configuration
>>>>>>>>
>>>>>>>> You could also try telnet to check the connectivity,
>>>>>>>> $ telnet <ip> 22
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Sajith
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, Sep 17, 2014 at 8:59 PM, Zoltán Lajos Kis <
>>>>>>>> zoltan.lajos.kis at ericsson.com> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> What’s the output of running ssh with the verbose (-v) flag?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> BR,
>>>>>>>>>
>>>>>>>>> Zoltan
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> *From:* Srinivasreddy R [mailto:srinivasreddy4390 at gmail.com]
>>>>>>>>> *Sent:* Wednesday, September 17, 2014 5:16 PM
>>>>>>>>> *To:* openstack at lists.openstack.org
>>>>>>>>> *Subject:* [Openstack] able to ping but not able to ssh to
>>>>>>>>> instance
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I am able to ping my instance from the external network,
>>>>>>>>>
>>>>>>>>> but not able to ssh to the instance.
>>>>>>>>>
>>>>>>>>> I am using floating IPs for ping and ssh.
>>>>>>>>>
>>>>>>>>> Please help me.
>>>>>>>>>
>>>>>>>>> thanks,
>>>>>>>>> srinivas.
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Mailing list:
>>>>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>>>>>> Post to : openstack at lists.openstack.org
>>>>>>>>> Unsubscribe :
>>>>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Best Regards
>>>>>>>> Sajith
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
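The two tcpdump captures quoted in this thread (the router's qg- interface and the instance's tap interface) can be compared mechanically to see which client segments were sent but never arrived. The following is an added example, not part of the original thread; the function names are hypothetical, the sample lines are abridged from the captures above, and it assumes both captures include the SYN so that tcpdump's relative sequence numbers line up.

```python
import re
from collections import Counter

# Matches one unwrapped tcpdump TCP line; pure ACKs carry no "seq a:b" range.
SEG = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\w+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\w+): Flags \[[^\]]*\]"
    r"(?:, seq (?P<start>\d+):(?P<end>\d+))?.*length (?P<len>\d+)"
)


def client_data(capture, client):
    """Count data segments sent by `client` ("ip.port"), keyed by relative seq range."""
    seen = Counter()
    for line in capture.splitlines():
        m = SEG.search(line)
        if not m or m["start"] is None or int(m["len"]) == 0:
            continue  # not a TCP line, or a segment without payload
        if f"{m['src']}.{m['sport']}" == client:
            seen[(int(m["start"]), int(m["end"]))] += 1
    return seen


def lost_between(upstream, downstream, client):
    """Client segments seen at `upstream` that never show up at `downstream`.

    Matching uses only the client endpoint and the seq range, so it is not
    affected by the floating-IP DNAT (172.0.0.4 -> 11.0.0.5) between the
    two capture points.
    """
    up, down = client_data(upstream, client), client_data(downstream, client)
    return [
        {"seq": rng, "length": rng[1] - rng[0], "times_sent": n}
        for rng, n in sorted(up.items())
        if rng not in down
    ]


# Abridged from the thread's captures: lines unwrapped, TCP options removed.
QG_CAPTURE = """\
05:48:45.488031 IP 172.0.0.117.55818 > 172.0.0.4.ssh: Flags [P.], seq 1:42, ack 1, win 229, length 41
05:48:45.489245 IP 172.0.0.117.55818 > 172.0.0.4.ssh: Flags [.], seq 42:1490, ack 27, win 229, length 1448
05:48:45.489290 IP 172.0.0.117.55818 > 172.0.0.4.ssh: Flags [P.], seq 1490:2010, ack 27, win 229, length 520
05:48:45.489847 IP 172.0.0.4.ssh > 172.0.0.117.55818: Flags [P.], seq 27:443, ack 42, win 1810, length 416
05:48:45.490386 IP 172.0.0.117.55818 > 172.0.0.4.ssh: Flags [.], seq 42:1490, ack 443, win 237, length 1448
05:48:45.694466 IP 172.0.0.117.55818 > 172.0.0.4.ssh: Flags [.], seq 42:1490, ack 443, win 237, length 1448
"""

TAP_CAPTURE = """\
05:49:00.296738 IP 172.0.0.117.55818 > 11.0.0.5.ssh: Flags [P.], seq 1:42, ack 1, win 229, length 41
05:49:00.297122 IP 11.0.0.5.ssh > 172.0.0.117.55818: Flags [P.], seq 27:443, ack 42, win 1810, length 416
05:49:00.298022 IP 172.0.0.117.55818 > 11.0.0.5.ssh: Flags [P.], seq 1490:2010, ack 27, win 229, length 520
05:49:00.298073 IP 11.0.0.5.ssh > 172.0.0.117.55818: Flags [.], ack 42, win 1810, length 0
"""

if __name__ == "__main__":
    for seg in lost_between(QG_CAPTURE, TAP_CAPTURE, "172.0.0.117.55818"):
        start, end = seg["seq"]
        print(f"seen at qg-, missing at tap: seq {start}:{end} "
              f"length {seg['length']} sent {seg['times_sent']}x")
```

On the thread's data the only client segment missing at the tap is the 1448-byte `42:1490`, which the client keeps retransmitting, while the 41- and 520-byte segments arrive.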