Hi Jon,

Thanks, that fixes the error, but I am still not able to ping the VM.


2019-03-01 10:46:23,246 - ipset -A i-2-40-VM-6 fe80::1c00:26ff:fe00:9d
2019-03-01 10:46:23,261 - ip6tables -A BF-cloudbr0-OUT -m physdev
--physdev-is-bridged --physdev-out vnet2 -j i-2-40-def
2019-03-01 10:46:23,277 - ip6tables -A BF-cloudbr0-IN -m physdev
--physdev-is-bridged --physdev-in vnet2 -j i-2-40-def
2019-03-01 10:46:23,293 - ip6tables -A i-2-40-def -m state --state
RELATED,ESTABLISHED -j ACCEPT
2019-03-01 10:46:23,309 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-out vnet2 --src fe80::/64 --dst ff02::1 -p
icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
2019-03-01 10:46:23,327 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-in vnet2 --dst ff02::2 -p icmpv6
--icmpv6-type router-solicitation -m hl --hl-eq 255 -j RETURN
2019-03-01 10:46:23,344 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-in vnet2 -p icmpv6 --icmpv6-type
router-advertisement -j DROP
2019-03-01 10:46:23,361 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-in vnet2 -p icmpv6 --icmpv6-type
neighbor-solicitation -m hl --hl-eq 255 -j RETURN
2019-03-01 10:46:23,378 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-out vnet2 -p icmpv6 --icmpv6-type
neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
2019-03-01 10:46:23,395 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-in vnet2 -p icmpv6 --icmpv6-type
neighbor-advertisement -m set --match-set i-2-40-VM-6 src -m hl --hl-eq 255
-j RETURN
2019-03-01 10:46:23,412 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-out vnet2 -p icmpv6 --icmpv6-type
neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
2019-03-01 10:46:23,430 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-in vnet2 -p icmpv6 --icmpv6-type
packet-too-big -m set --match-set i-2-40-VM-6 src -j RETURN
2019-03-01 10:46:23,447 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-out vnet2 -p icmpv6 --icmpv6-type
packet-too-big -j ACCEPT
2019-03-01 10:46:23,464 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-in vnet2 -p icmpv6 --icmpv6-type
destination-unreachable -m set --match-set i-2-40-VM-6 src -j RETURN
2019-03-01 10:46:23,482 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-out vnet2 -p icmpv6 --icmpv6-type
destination-unreachable -j ACCEPT
2019-03-01 10:46:23,499 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-in vnet2 -p icmpv6 --icmpv6-type
time-exceeded -m set --match-set i-2-40-VM-6 src -j RETURN
2019-03-01 10:46:23,516 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-out vnet2 -p icmpv6 --icmpv6-type
time-exceeded -j ACCEPT
2019-03-01 10:46:23,533 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-in vnet2 -p icmpv6 --icmpv6-type
parameter-problem -m set --match-set i-2-40-VM-6 src -j RETURN
2019-03-01 10:46:23,551 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-out vnet2 -p icmpv6 --icmpv6-type
parameter-problem -j ACCEPT
2019-03-01 10:46:23,568 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-in vnet2 -p icmpv6 --dst ff02::16 -j RETURN
2019-03-01 10:46:23,585 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-in vnet2 -p udp --sport 546 --dst ff02::1:2
--src fe80::1c00:26ff:fe00:9d -j RETURN
2019-03-01 10:46:23,602 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-out vnet2 -p udp --src fe80::/64 --dport 546
--dst fe80::1c00:26ff:fe00:9d -j ACCEPT
2019-03-01 10:46:23,620 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-in vnet2 -p udp --sport 547 ! --dst
fe80::/64 -j DROP
2019-03-01 10:46:23,637 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-in vnet2 -p udp --dport 53 -m set
--match-set i-2-40-VM-6 src -j RETURN
2019-03-01 10:46:23,655 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-in vnet2 -p tcp --dport 53 -m set
--match-set i-2-40-VM-6 src -j RETURN
2019-03-01 10:46:23,672 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-in vnet2 -m set ! --match-set i-2-40-VM-6
src -j DROP
2019-03-01 10:46:23,689 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-in vnet2 -m set --match-set i-2-40-VM-6 src
-j i-2-40-VM-eg
2019-03-01 10:46:23,706 - ip6tables -A i-2-40-def -m physdev
--physdev-is-bridged --physdev-out vnet2 -j i-2-40-VM
2019-03-01 10:46:23,723 - ip6tables -A i-2-40-VM -j DROP
2019-03-01 10:46:23,739 - Programmed default rules for vm i-2-40-VM
2019-03-01 10:46:24,255 - Executing command: add_network_rules
2019-03-01 10:46:24,259 -     programming network rules for IP:
172.20.109.167 vmname=i-2-40-VM
2019-03-01 10:46:24,260 - iptables -F i-2-40-VM
2019-03-01 10:46:24,273 - ip6tables -F i-2-40-VM
2019-03-01 10:46:24,287 - iptables -F i-2-40-VM-eg
2019-03-01 10:46:24,298 - ip6tables -F i-2-40-VM-eg
2019-03-01 10:46:24,312 - iptables -I i-2-40-VM -p tcp -m tcp --dport
0:12000 -m state --state NEW -s 0.0.0.0/24 -j ACCEPT
2019-03-01 10:46:24,325 - iptables -I i-2-40-VM-eg -p tcp -m tcp --dport
0:12000 -m state --state NEW -d 0.0.0.0/24 -j RETURN
2019-03-01 10:46:24,339 - iptables -A i-2-40-VM-eg -j DROP
2019-03-01 10:46:24,351 - ip6tables -A i-2-40-VM-eg -j RETURN
2019-03-01 10:46:24,364 - iptables -A i-2-40-VM -j DROP
2019-03-01 10:46:24,376 - ip6tables -A i-2-40-VM -j DROP
2019-03-01 10:46:24,389 - Writing log to /var/run/cloud/i-2-40-VM.log
2019-03-01 10:46:31,575 - Executing command: get_rule_logs_for_vms
2019-03-01 10:47:31,513 - Executing command: get_rule_logs_for_vms
2019-03-01 10:48:31,515 - Executing command: get_rule_logs_for_vms
2019-03-01 10:49:31,517 - Executing command: get_rule_logs_for_vms
2019-03-01 10:50:31,520 - Executing command: get_rule_logs_for_vms
2019-03-01 10:51:31,522 - Executing command: get_rule_logs_for_vms
2019-03-01 10:52:31,527 - Executing command: get_rule_logs_for_vms
2019-03-01 10:53:31,528 - Executing command: get_rule_logs_for_vms
2019-03-01 10:54:31,529 - Executing command: get_rule_logs_for_vms
2019-03-01 10:55:31,581 - Executing command: get_rule_logs_for_vms
Regards
Soundar

On Fri, Mar 1, 2019 at 1:12 AM Jon Marshall <jms....@hotmail.co.uk> wrote:

> Is this after you migrated the VM to another compute node?
>
> It looks suspiciously like the issue I saw, i.e. I was using advanced
> networking with security groups and the security policy for the VM was not
> migrated to the new compute node.
>
> There is a bug filed for it and a workaround -
>
> https://github.com/apache/cloudstack/issues/3088
>
> The fix is in the comments, but basically you need to edit this
> file - "/usr/share/cloudstack-common/scripts/vm/network/security_group.py"
>
> and change line 490 from -
>
>  if ips[0] == "0":
>
> to -
>
> if len(ips) == 0 or ips[0] == "0":
>
> and that should fix it.
>
> The fix will be included in CS v4.11.3
>
> Jon
>
>
> ________________________________
> From: soundar rajan <bsoundara...@gmail.com>
> Sent: 28 February 2019 13:52
> To: d...@cloudstack.apache.org; users@cloudstack.apache.org
> Subject: Not able to access the vm from outside network
>
> Hi,
>
> VM outbound is working fine. Inbound is not; I am not able to access the VM
> from the outside network.
>
> Error Log
> 2019-02-28 18:12:25,112 - Failed to network rule !
> Traceback (most recent call last):
>   File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py",
> line 995, in add_network_rules
>     default_network_rules(vmName, vm_id, vm_ip, vm_ip6, vmMac, vif, brname,
> sec_ips)
>   File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py",
> line 490, in default_network_rules
>     if ips[0] == "0":
> IndexError: list index out of range
> 2019-02-28 18:13:16,635 - Executing command: cleanup_rules
> 2019-02-28 18:13:16,645 -  Vms on the host : ['i-2-40-VM', 'i-2-90-VM',
> 'i-2-112-VM']
> 2019-02-28 18:13:16,645 - iptables-save | grep -P '^:(?!.*-(def|eg))' | awk
> '{sub(/^:/, "", $1) ; print $1}' | sort | uniq
> 2019-02-28 18:13:16,671 -  iptables chains in the host :['BF-cloudbr0',
> 'BF-cloudbr0-IN', 'BF-cloudbr0-OUT', 'FORWARD', 'i-2-112-VM', 'i-2-40-VM',
> 'i-2-90-VM', 'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING', '']
> 2019-02-28 18:13:16,672 - grep -E '^ebtable_' /proc/modules | cut -f1 -d' '
> | sed s/ebtable_//
> 2019-02-28 18:13:16,693 - ebtables -t nat -L | awk '/chain:/ {
> gsub(/(^.*chain: |-(in|out|ips).*)/, ""); print $1}' | sort | uniq
> 2019-02-28 18:13:16,716 - ebtables -t filter -L | awk '/chain:/ {
> gsub(/(^.*chain: |-(in|out|ips).*)/, ""); print $1}' | sort | uniq
> 2019-02-28 18:13:16,738 -  ebtables chains in the host: ['FORWARD,',
> 'INPUT,', 'OUTPUT,', '']
> 2019-02-28 18:13:16,739 - Cleaned up rules for 0 chains
> 2019-02-28 18:13:23,959 - Executing command: get_rule_logs_for_vms
>
> It happens to a particular VM.
>
> Please help..
>
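An added example, not part of the original thread or of CloudStack's code: it replays the IPv4 `iptables` commands logged above for the ingress chain `i-2-40-VM` and reports which rule the first packet of a new inbound flow hits. The function names and the probe address 203.0.113.10 are assumptions; the log lines are copied from the message with the e-mail wrapping removed.

```python
import ipaddress
import re
import shlex

# IPv4 lines for the ingress chain, copied from the log above (e-mail wrapping removed).
LOG = """\
2019-03-01 10:46:24,260 - iptables -F i-2-40-VM
2019-03-01 10:46:24,312 - iptables -I i-2-40-VM -p tcp -m tcp --dport 0:12000 -m state --state NEW -s 0.0.0.0/24 -j ACCEPT
2019-03-01 10:46:24,364 - iptables -A i-2-40-VM -j DROP
"""

def opt(opts, flag, default=None):
    # Value following `flag` in an iptables argument list, or `default`.
    return opts[opts.index(flag) + 1] if flag in opts else default

def parse_chain(log, chain):
    """Replay the logged -F/-I/-A commands for one chain, in order."""
    rules = []
    for line in log.splitlines():
        m = re.match(r"\S+ \S+ - iptables (.+)$", line)  # skips ip6tables lines
        argv = shlex.split(m.group(1)) if m else []
        if len(argv) < 2 or argv[1] != chain:
            continue
        op, opts = argv[0], argv[2:]
        if op == "-F":
            rules.clear()
        elif op in ("-I", "-A"):
            rule = {"proto": opt(opts, "-p"), "dport": opt(opts, "--dport"), "target": opt(opts, "-j"),
                    "src": ipaddress.ip_network(opt(opts, "-s", "0.0.0.0/0"))}
            # Assumes -I carries no rule number (as in the log): insert at the top.
            rules.insert(0 if op == "-I" else len(rules), rule)
    return rules

def verdict(rules, proto, src, dport=None):
    """First-match verdict for the first packet of a new inbound flow."""
    for r in rules:
        if r["proto"] not in (None, proto) or ipaddress.ip_address(src) not in r["src"]:
            continue
        if r["dport"]:
            lo, _, hi = r["dport"].partition(":")
            if dport is None or not int(lo) <= dport <= int(hi or lo):
                continue
        return r["target"]
    return None  # fell off the end of the chain

if __name__ == "__main__":
    chain = parse_chain(LOG, "i-2-40-VM")
    # 203.0.113.10 is a constructed outside address from the documentation range.
    for pkt in [("icmp", "203.0.113.10"), ("tcp", "203.0.113.10", 22), ("tcp", "0.0.0.200", 22)]:
        print(pkt, "->", verdict(chain, *pkt))
```

With the rules as logged, ICMP and TCP from the constructed outside address both end at the final DROP; only TCP from a source inside 0.0.0.0/24 reaches ACCEPT.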
