Yes, I was able to ping and access the VM earlier. After restart it was not working.

On Fri, Mar 1, 2019 at 2:27 PM Jon Marshall <jms....@hotmail.co.uk> wrote:

> Hi Soundar
>
> Could you ping the VM before?
>
> From memory I think when I had the issue even after the fix I had to destroy the VM and recreate for it to work but you may not be able to do that or there may be a better way (I was in testing phase so I could do that).
>
> Jon
>
> ________________________________
> From: soundar rajan <bsoundara...@gmail.com>
> Sent: 01 March 2019 05:27
> To: users@cloudstack.apache.org
> Subject: Re: Not able to access the vm from outside network
>
> Hi Jon,
>
> Thanks, that fixes the error but still I am not able to ping the VM
>
> 2019-03-01 10:46:23,246 - ipset -A i-2-40-VM-6 fe80::1c00:26ff:fe00:9d
> 2019-03-01 10:46:23,261 - ip6tables -A BF-cloudbr0-OUT -m physdev --physdev-is-bridged --physdev-out vnet2 -j i-2-40-def
> 2019-03-01 10:46:23,277 - ip6tables -A BF-cloudbr0-IN -m physdev --physdev-is-bridged --physdev-in vnet2 -j i-2-40-def
> 2019-03-01 10:46:23,293 - ip6tables -A i-2-40-def -m state --state RELATED,ESTABLISHED -j ACCEPT
> 2019-03-01 10:46:23,309 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-out vnet2 --src fe80::/64 --dst ff02::1 -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
> 2019-03-01 10:46:23,327 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-in vnet2 --dst ff02::2 -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j RETURN
> 2019-03-01 10:46:23,344 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-in vnet2 -p icmpv6 --icmpv6-type router-advertisement -j DROP
> 2019-03-01 10:46:23,361 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-in vnet2 -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j RETURN
> 2019-03-01 10:46:23,378 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-out vnet2 -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
> 2019-03-01 10:46:23,395 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-in vnet2 -p icmpv6 --icmpv6-type neighbor-advertisement -m set --match-set i-2-40-VM-6 src -m hl --hl-eq 255 -j RETURN
> 2019-03-01 10:46:23,412 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-out vnet2 -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
> 2019-03-01 10:46:23,430 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-in vnet2 -p icmpv6 --icmpv6-type packet-too-big -m set --match-set i-2-40-VM-6 src -j RETURN
> 2019-03-01 10:46:23,447 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-out vnet2 -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
> 2019-03-01 10:46:23,464 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-in vnet2 -p icmpv6 --icmpv6-type destination-unreachable -m set --match-set i-2-40-VM-6 src -j RETURN
> 2019-03-01 10:46:23,482 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-out vnet2 -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
> 2019-03-01 10:46:23,499 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-in vnet2 -p icmpv6 --icmpv6-type time-exceeded -m set --match-set i-2-40-VM-6 src -j RETURN
> 2019-03-01 10:46:23,516 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-out vnet2 -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
> 2019-03-01 10:46:23,533 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-in vnet2 -p icmpv6 --icmpv6-type parameter-problem -m set --match-set i-2-40-VM-6 src -j RETURN
> 2019-03-01 10:46:23,551 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-out vnet2 -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
> 2019-03-01 10:46:23,568 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-in vnet2 -p icmpv6 --dst ff02::16 -j RETURN
> 2019-03-01 10:46:23,585 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-in vnet2 -p udp --sport 546 --dst ff02::1:2 --src fe80::1c00:26ff:fe00:9d -j RETURN
> 2019-03-01 10:46:23,602 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-out vnet2 -p udp --src fe80::/64 --dport 546 --dst fe80::1c00:26ff:fe00:9d -j ACCEPT
> 2019-03-01 10:46:23,620 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-in vnet2 -p udp --sport 547 ! --dst fe80::/64 -j DROP
> 2019-03-01 10:46:23,637 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-in vnet2 -p udp --dport 53 -m set --match-set i-2-40-VM-6 src -j RETURN
> 2019-03-01 10:46:23,655 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-in vnet2 -p tcp --dport 53 -m set --match-set i-2-40-VM-6 src -j RETURN
> 2019-03-01 10:46:23,672 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-in vnet2 -m set ! --match-set i-2-40-VM-6 src -j DROP
> 2019-03-01 10:46:23,689 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-in vnet2 -m set --match-set i-2-40-VM-6 src -j i-2-40-VM-eg
> 2019-03-01 10:46:23,706 - ip6tables -A i-2-40-def -m physdev --physdev-is-bridged --physdev-out vnet2 -j i-2-40-VM
> 2019-03-01 10:46:23,723 - ip6tables -A i-2-40-VM -j DROP
> 2019-03-01 10:46:23,739 - Programmed default rules for vm i-2-40-VM
> 2019-03-01 10:46:24,255 - Executing command: add_network_rules
> 2019-03-01 10:46:24,259 - programming network rules for IP: 172.20.109.167 vmname=i-2-40-VM
> 2019-03-01 10:46:24,260 - iptables -F i-2-40-VM
> 2019-03-01 10:46:24,273 - ip6tables -F i-2-40-VM
> 2019-03-01 10:46:24,287 - iptables -F i-2-40-VM-eg
> 2019-03-01 10:46:24,298 - ip6tables -F i-2-40-VM-eg
> 2019-03-01 10:46:24,312 - iptables -I i-2-40-VM -p tcp -m tcp --dport 0:12000 -m state --state NEW -s 0.0.0.0/24 -j ACCEPT
> 2019-03-01 10:46:24,325 - iptables -I i-2-40-VM-eg -p tcp -m tcp --dport 0:12000 -m state --state NEW -d 0.0.0.0/24 -j RETURN
> 2019-03-01 10:46:24,339 - iptables -A i-2-40-VM-eg -j DROP
> 2019-03-01 10:46:24,351 - ip6tables -A i-2-40-VM-eg -j RETURN
> 2019-03-01 10:46:24,364 - iptables -A i-2-40-VM -j DROP
> 2019-03-01 10:46:24,376 - ip6tables -A i-2-40-VM -j DROP
> 2019-03-01 10:46:24,389 - Writing log to /var/run/cloud/i-2-40-VM.log
> 2019-03-01 10:46:31,575 - Executing command: get_rule_logs_for_vms
> 2019-03-01 10:47:31,513 - Executing command: get_rule_logs_for_vms
> 2019-03-01 10:48:31,515 - Executing command: get_rule_logs_for_vms
> 2019-03-01 10:49:31,517 - Executing command: get_rule_logs_for_vms
> 2019-03-01 10:50:31,520 - Executing command: get_rule_logs_for_vms
> 2019-03-01 10:51:31,522 - Executing command: get_rule_logs_for_vms
> 2019-03-01 10:52:31,527 - Executing command: get_rule_logs_for_vms
> 2019-03-01 10:53:31,528 - Executing command: get_rule_logs_for_vms
> 2019-03-01 10:54:31,529 - Executing command: get_rule_logs_for_vms
> 2019-03-01 10:55:31,581 - Executing command: get_rule_logs_for_vms
>
> Regards
> Soundar
>
> On Fri, Mar 1, 2019 at 1:12 AM Jon Marshall <jms....@hotmail.co.uk> wrote:
>
> > Is this after you migrated the VM to another compute node?
> >
> > It looks suspiciously like the issue I saw, i.e. I was using advanced networking with security groups and the security policy for the VM was not migrated to the new compute node.
> >
> > There is a bug filed for it and a workaround -
> >
> > https://github.com/apache/cloudstack/issues/3088
> >
> > the fix is in the comments but basically you need to edit this file - "/usr/share/cloudstack-common/scripts/vm/network/security_group.py"
> >
> > and change line 490 from -
> >
> > if ips[0] == "0":
> >
> > to -
> >
> > if len(ips) == 0 or ips[0] == "0":
> >
> > and that should fix it.
> >
> > This will be included in CS v4.11.3
> >
> > Jon
> >
> > ________________________________
> > From: soundar rajan <bsoundara...@gmail.com>
> > Sent: 28 February 2019 13:52
> > To: d...@cloudstack.apache.org; users@cloudstack.apache.org
> > Subject: Not able to access the vm from outside network
> >
> > Hi,
> >
> > VM outbound is working fine. Inbound is not able to access from outside network
> >
> > Error Log
> > 2019-02-28 18:12:25,112 - Failed to network rule !
> > Traceback (most recent call last):
> >   File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", line 995, in add_network_rules
> >     default_network_rules(vmName, vm_id, vm_ip, vm_ip6, vmMac, vif, brname, sec_ips)
> >   File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", line 490, in default_network_rules
> >     if ips[0] == "0":
> > IndexError: list index out of range
> > 2019-02-28 18:13:16,635 - Executing command: cleanup_rules
> > 2019-02-28 18:13:16,645 - Vms on the host : ['i-2-40-VM', 'i-2-90-VM', 'i-2-112-VM']
> > 2019-02-28 18:13:16,645 - iptables-save | grep -P '^:(?!.*-(def|eg))' | awk '{sub(/^:/, "", $1) ; print $1}' | sort | uniq
> > 2019-02-28 18:13:16,671 - iptables chains in the host :['BF-cloudbr0', 'BF-cloudbr0-IN', 'BF-cloudbr0-OUT', 'FORWARD', 'i-2-112-VM', 'i-2-40-VM', 'i-2-90-VM', 'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING', '']
> > 2019-02-28 18:13:16,672 - grep -E '^ebtable_' /proc/modules | cut -f1 -d' ' | sed s/ebtable_//
> > 2019-02-28 18:13:16,693 - ebtables -t nat -L | awk '/chain:/ { gsub(/(^.*chain: |-(in|out|ips).*)/, ""); print $1}' | sort | uniq
> > 2019-02-28 18:13:16,716 - ebtables -t filter -L | awk '/chain:/ { gsub(/(^.*chain: |-(in|out|ips).*)/, ""); print $1}' | sort | uniq
> > 2019-02-28 18:13:16,738 - ebtables chains in the host: ['FORWARD,', 'INPUT,', 'OUTPUT,', '']
> > 2019-02-28 18:13:16,739 - Cleaned up rules for 0 chains
> > 2019-02-28 18:13:23,959 - Executing command: get_rule_logs_for_vms
> >
> > It happens to a particular VM
> >
> > Please help..
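
An added example, not part of the thread and not CloudStack code: a small Python audit of the IPv4 commands that the quoted 2019-03-01 log programmed for chain i-2-40-VM, reporting which new inbound traffic they actually admit. The sample lines are rejoined from that log; `audit_ingress`, `_opt` and the finding texts are hypothetical names chosen for this sketch.

```python
import ipaddress
import re

# Constructed sample: the IPv4 commands for chain i-2-40-VM from the quoted
# log, with each wrapped entry rejoined onto one line.
LOG = """\
2019-03-01 10:46:24,260 - iptables -F i-2-40-VM
2019-03-01 10:46:24,312 - iptables -I i-2-40-VM -p tcp -m tcp --dport 0:12000 -m state --state NEW -s 0.0.0.0/24 -j ACCEPT
2019-03-01 10:46:24,364 - iptables -A i-2-40-VM -j DROP
"""

# Matches "iptables -A/-I <chain> <options> -j <target>"; ip6tables is skipped.
RULE = re.compile(r" - iptables -[AI] (\S+) (.*)-j (\S+)\s*$")


def _opt(opts, flag, default=None):
    """Return the value following `flag` in a split option list."""
    return opts[opts.index(flag) + 1] if flag in opts else default


def audit_ingress(log_text, chain):
    """Return (accept_rules, findings) for the logged IPv4 rules of `chain`."""
    accepts, findings = [], []
    for line in log_text.splitlines():
        m = RULE.search(line)
        if not m or m.group(1) != chain or m.group(3) != "ACCEPT":
            continue
        opts = m.group(2).split()
        proto, src = _opt(opts, "-p", "all"), _opt(opts, "-s", "0.0.0.0/0")
        accepts.append((proto, src, _opt(opts, "--dport")))
        net = ipaddress.ip_network(src, strict=False)
        # A zero base address with a non-zero prefix matches only 0.0.0.x;
        # "any source" is written 0.0.0.0/0.
        if int(net.network_address) == 0 and net.prefixlen != 0:
            findings.append(f"{src} matches only {net[0]}-{net[-1]}, not any source")
    if not any(proto in ("icmp", "all") for proto, _, _ in accepts):
        findings.append("no ICMP ACCEPT rule logged for this chain")
    return accepts, findings


if __name__ == "__main__":
    for finding in audit_ingress(LOG, "i-2-40-VM")[1]:
        print(finding)
```

On the lines taken from the thread this reports a single ACCEPT (TCP 0:12000 from 0.0.0.0/24) and no ICMP rule ahead of the chain's final `-j DROP`.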