ping out working, ping in shows up on bridge but not target device
I'm able to use novnc into my cirros instance, and I can ping/ssh out of the instance. However, I'm unable to ping/ssh into the instance. I've been able to find that the pings are not forwarded from egress VM bridge to the egress VM interface. Does anyone have ideas for the next step in figuring out why the packet isn't forwarded from the VM's bridge to its interface?
I used the tcpdump suggestions from the operations guide to see that ingress pings get to the bridge for the VM but do not show up on the interface. (Obviously, I can see the pings on both the bridge and the interface for egress pings.)
```
root@omega4:~# nova --os-tenant-name demo show i1 | grep instance_name
| OS-EXT-SRV-ATTR:instance_name | instance-00000032 |
root@omega3:~# grep bridge /etc/libvirt/qemu/instance-00000032.xml
<interface type='bridge'>
<source bridge='qbr1d079331-0c'/>
root@omega3:~# grep tap /etc/libvirt/qemu/instance-00000032.xml
<target dev='tap1d079331-0c'/>
```
I can see the ICMP/pings come in on the bridge:
```
root@omega3:~# tcpdump -i qbr1d079331-0c icmp
tcpdump: WARNING: qbr1d079331-0c: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on qbr1d079331-0c, link-type EN10MB (Ethernet), capture size 65535 bytes
14:32:11.020274 IP usenshimejl2c.corp.emc.com > 10.5.5.2: ICMP echo request, id 1, seq 43, length 40
14:32:15.575436 IP usenshimejl2c.corp.emc.com > 10.5.5.2: ICMP echo request, id 1, seq 44, length 40
14:32:20.573448 IP usenshimejl2c.corp.emc.com > 10.5.5.2: ICMP echo request, id 1, seq 45, length 40
14:32:25.573645 IP usenshimejl2c.corp.emc.com > 10.5.5.2: ICMP echo request, id 1, seq 46, length 40
```
But they don’t make it over to the device (pings fail to show up!!!!):
```
root@omega3:~# tcpdump -i tap1d079331-0c icmp
tcpdump: WARNING: tap1d079331-0c: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap1d079331-0c, link-type EN10MB (Ethernet), capture size 65535 bytes
<EOF>
```
I can see the ICMP/pings going out and back on both interfaces (as expected):
```
root@omega3:~# tcpdump -i qbr1d079331-0c icmp
tcpdump: WARNING: qbr1d079331-0c: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on qbr1d079331-0c, link-type EN10MB (Ethernet), capture size 65535 bytes
14:35:02.802150 IP 10.5.5.2 > usenshimejl2c.corp.emc.com: ICMP echo request, id 3842, seq 0, length 64
14:35:02.865863 IP usenshimejl2c.corp.emc.com > 10.5.5.2: ICMP echo reply, id 3842, seq 0, length 64
14:35:03.801353 IP 10.5.5.2 > usenshimejl2c.corp.emc.com: ICMP echo request, id 3842, seq 1, length 64
14:35:03.847489 IP usenshimejl2c.corp.emc.com > 10.5.5.2: ICMP echo reply, id 3842, seq 1, length 64
14:35:04.801517 IP 10.5.5.2 > usenshimejl2c.corp.emc.com: ICMP echo request, id ...
```
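
The hop-by-hop comparison done by hand above can be scripted. The following is an added example, not part of the original post: it reads the bridge/tap pair from a libvirt domain XML and reports the first interface on which ingress echo requests stop appearing. It assumes the captures were saved as text with `tcpdump -n` during the same ping run; the function names and the sample data (including the 192.0.2.10 source address) are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ICMP_RE = re.compile(
    r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")

def bridge_tap_pairs(domain_xml):
    """(bridge, tap) for every bridged NIC in a libvirt domain XML."""
    pairs = []
    for nic in ET.fromstring(domain_xml).iter("interface"):
        src, tgt = nic.find("source"), nic.find("target")
        if nic.get("type") == "bridge" and src is not None and tgt is not None:
            pairs.append((src.get("bridge"), tgt.get("dev")))
    return pairs

def ingress_requests(capture, vm_ip):
    """(id, seq) of each echo request addressed to vm_ip in tcpdump text."""
    return {(int(m[4]), int(m[5])) for m in ICMP_RE.finditer(capture)
            if m[2] == vm_ip and m[3] == "request"}

def first_drop(hops, vm_ip):
    """hops: [(ifname, capture_text)] ordered from the outside toward the VM.
    Returns (last_seen_on, missing_on, lost_requests), or None if none lost."""
    prev_name, prev_seen = hops[0][0], ingress_requests(hops[0][1], vm_ip)
    for name, text in hops[1:]:
        seen = ingress_requests(text, vm_ip)
        lost = prev_seen - seen
        if lost:
            return prev_name, name, sorted(lost)
        prev_name, prev_seen = name, seen
    return None

# Constructed sample input modelled on the output shown in the post.
SAMPLE_XML = """<domain type='kvm'><devices>
  <interface type='bridge'>
    <source bridge='qbr1d079331-0c'/>
    <target dev='tap1d079331-0c'/>
  </interface>
</devices></domain>"""
BRIDGE_CAP = """\
14:32:11.020274 IP 192.0.2.10 > 10.5.5.2: ICMP echo request, id 1, seq 43, length 40
14:32:15.575436 IP 192.0.2.10 > 10.5.5.2: ICMP echo request, id 1, seq 44, length 40
14:35:02.802150 IP 10.5.5.2 > 192.0.2.10: ICMP echo request, id 3842, seq 0, length 64
"""
TAP_CAP = """\
14:35:02.802150 IP 10.5.5.2 > 192.0.2.10: ICMP echo request, id 3842, seq 0, length 64
"""

if __name__ == "__main__":
    bridge, tap = bridge_tap_pairs(SAMPLE_XML)[0]
    print(first_drop([(bridge, BRIDGE_CAP), (tap, TAP_CAP)], "10.5.5.2"))
```

Further hops on the path can be added to the `hops` list in order to narrow the drop point the same way.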