The following issue was seen using CS 4.11.2 in advanced mode with security group isolation.
VM (internal name i-2-29-VM) - is created and works fine with default security group allowing inbound SSH and ICMP echo request. Migrate the VM to another of the compute nodes and the VM migrates and from the proxy console the VM can connect out but the default security group inbound is not copied across the compute node. The /var/log/cloudstack/agent/security_group.log shows on the compute node the VM has migrated to - 2019-01-18 14:54:25,724 - Ignoring failure to delete ebtables chain for vm i-2-29-VM 2019-01-18 14:54:25,724 - ebtables -t nat -F i-2-29-VM-out 2019-01-18 14:54:25,730 - Ignoring failure to delete ebtables chain for vm i-2-29-VM 2019-01-18 14:54:25,730 - ebtables -t nat -F i-2-29-VM-in-ips 2019-01-18 14:54:25,735 - Ignoring failure to delete ebtables chain for vm i-2-29-VM 2019-01-18 14:54:25,735 - ebtables -t nat -F i-2-29-VM-out-ips 2019-01-18 14:54:25,740 - Ignoring failure to delete ebtables chain for vm i-2-29-VM 2019-01-18 14:54:25,741 - iptables -N i-2-29-VM 2019-01-18 14:54:25,745 - ip6tables -N i-2-29-VM 2019-01-18 14:54:25,749 - iptables -N i-2-29-VM-eg 2019-01-18 14:54:25,753 - ip6tables -N i-2-29-VM-eg 2019-01-18 14:54:25,758 - iptables -N i-2-29-def 2019-01-18 14:54:25,763 - ip6tables -N i-2-29-def 2019-01-18 14:54:25,767 - Creating ipset chain .... i-2-29-VM 2019-01-18 14:54:25,768 - ipset -F i-2-29-VM 2019-01-18 14:54:25,772 - ipset chain not exists creating.... i-2-29-VM 2019-01-18 14:54:25,772 - ipset -N i-2-29-VM iphash family inet 2019-01-18 14:54:25,777 - vm ip 172.30.6.62019-01-18 14:54:25,777 - ipset -A i-2-29-VM 172.30.6.60 2019-01-18 14:54:25,782 - Failed to network rule ! Traceback (most recent call last): File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", line 995, in add_network_rules default_network_rules(vmName, vm_id, vm_ip, vm_ip6, vmMac, vif, brname, sec_ips) File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", line 490, in default_network_rules if ips[0] == "0": IndexError: list index out of range Added a few lines to debug the script security_group.py and it would appear this line (line 487) is the culprit - ips = sec_ips.split(';') as far as I can tell the separator should be a colon (':') and not a semi colon or at least on my setup. Once changed to - ips = sec_ips.split(':') the iptables rules were updated correctly on the host the VM was migrated to. I don't know if this is the right change to make as the script is over a 1000 lines long and imports other modules so woudl appreciate any input as this seems to be a key function of Advanced with security groups. Thanks Jon