[Openstack] ssh cirros@<floating-ip> not working - what can be the possible reason

James Denton james.denton at rackspace.com
Mon Sep 29 12:39:48 UTC 2014


Hi Masoom,

I assume your instance is connected to a tenant network that is attached to a router, and the router is attached to a publicly-accessible network? Are you able to hop into the router via ‘ip netns exec qrouter-xxxxx’ and initiate successful pings to the outside world? If that doesn’t work, your instance will not be able to get out, either. You may also want to ensure the floating IP is set up correctly within the qrouter namespace. You should see the IP configured as a secondary address on the ‘qg’ interface, and iptables rules set up to handle the NAT.

I would look to resolve connectivity to your instance via the router before working on the VPN. Good luck!

James

From: masoom alam <masoom.alam at gmail.com>
Date: Monday, September 29, 2014 at 4:52 AM
To: "openstack at lists.openstack.org" <openstack at lists.openstack.org>
Subject: [Openstack] ssh cirros@<floating-ip> not working - what can be the possible reason

Hi everyone,

Context:
We are trying to set up a VPN site-to-site connection, but every time it shows us down in the status. We then decided to backtrack and find the problem.


  1.  We cannot ssh cirros@<floating-ip>; however, by using the sudo ip netns command, we can ssh to the private IP of the instance. Any clue why?
  2.  From within the host which is running the all-in-one Openstack setup, we can ping any public address such as google.com, but from within CirrOS, we cannot do so. Any clue for this?
  3.  Please note that Neutron firewall is disabled and proper security group rules are in place such as the following:

# create security profile for jump host
neutron security-group-create jumphost

# Add rule to allow icmp in
neutron security-group-rule-create --protocol icmp jumphost

# Add rule to allow ssh in
neutron security-group-rule-create --protocol tcp --port-range-min 22 --port-range-max 22 jumphost

  4.  traceroute commands from within Cirros to our public interface work well, but traceroute to google.com is not working.

I am wondering: the host system firewall is disabled via "sudo ufw disable", and the neutron firewall is also disabled (firewall_driver=nova.virt.firewall.NoopFirewallDriver). What else?

Another point: whenever we reboot the neutron node, it destroys all the settings; nothing is there. You can say the VM is no longer usable, that is, corrupted. Any pointers to this problem? Also, adding a default gw by using "sudo route add default gw <public address> eth0" will corrupt the VM :)

Last but not least, every example in the context of VPNaaS takes a local network as an example. If we have devstack nodes on two different nodes with two different public IP addresses, do we need to have a GRE tunnel in between them before going to a site-to-site connection? I know it was mandatory for Racoon-based ipsec tunnels.

Please guide.
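
The qrouter check described in James's reply, as an added example that is not part of the original thread: it takes captured output of 'ip -o -4 addr show' and 'iptables -t nat -S' from the router namespace and reports whether the floating IP sits on a qg interface and whether DNAT and SNAT rules pair it with the instance's fixed IP. The sample output, addresses, port names and function names are constructed, and the rule shape (a /32 match with --to-destination / --to-source) is an assumption about what the L3 agent installs.

```shell
#!/bin/sh
# Added example. On a live node the two inputs come from (router ID elided):
#   ip netns exec qrouter-xxxxx ip -o -4 addr show
#   ip netns exec qrouter-xxxxx iptables -t nat -S

# Constructed sample output; all addresses and port names are made up.
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: qr-1a2b3c4d-5e    inet 10.0.0.1/24 brd 10.0.0.255 scope global qr-1a2b3c4d-5e
3: qg-6f7a8b9c-0d    inet 172.24.4.2/24 brd 172.24.4.255 scope global qg-6f7a8b9c-0d
3: qg-6f7a8b9c-0d    inet 172.24.4.3/32 brd 172.24.4.3 scope global qg-6f7a8b9c-0d'
SAMPLE_NAT='-A neutron-l3-agent-PREROUTING -d 172.24.4.3/32 -j DNAT --to-destination 10.0.0.3
-A neutron-l3-agent-float-snat -s 10.0.0.3/32 -j SNAT --to-source 172.24.4.3'

# on_qg ADDR_OUTPUT IP: true if IP is configured on a qg- interface.
on_qg() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $2 ~ /^qg-/ && $3 == "inet" { split($4, a, "/"); if (a[1] == ip) found = 1 }
        END { exit !found }'
}

# has_rule NAT_OUTPUT FLAG VALUE FLAG VALUE: true if one rule has both pairs.
has_rule() {
    printf '%s\n' "$1" | awk -v f1="$2" -v v1="$3" -v f2="$4" -v v2="$5" '
        { m = t = 0
          for (i = 1; i < NF; i++) {
              if ($i == f1 && $(i + 1) == v1) m = 1
              if ($i == f2 && $(i + 1) == v2) t = 1
          }
          if (m && t) found = 1 }
        END { exit !found }'
}

# check_fip FLOATING_IP FIXED_IP ADDR_OUTPUT NAT_OUTPUT
# Prints one finding per check; returns 0 only if all three pass.
check_fip() {
    rc=0
    if on_qg "$3" "$1"; then echo "OK addr: $1 on qg interface"
    else echo "MISSING addr: $1 not on any qg interface"; rc=1; fi
    if has_rule "$4" -d "$1/32" --to-destination "$2"; then echo "OK dnat: $1 -> $2"
    else echo "MISSING dnat: no rule translating $1 to $2"; rc=1; fi
    if has_rule "$4" -s "$2/32" --to-source "$1"; then echo "OK snat: $2 -> $1"
    else echo "MISSING snat: no rule translating $2 to $1"; rc=1; fi
    return $rc
}

check_fip 172.24.4.3 10.0.0.3 "$SAMPLE_ADDR" "$SAMPLE_NAT"
```

A MISSING line for the address or either NAT rule points at the router namespace rather than at the security group rules or the instance itself.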