dhcp worked but cannot ping or ssh to instance

asked 2014-04-26 00:50:45 -0600

awasi

updated 2014-04-26 02:58:50 -0600

darragh-oreilly

Hi Folks,

Just recently got Icehouse up and running with the ML2 plugin. I have a 3 node cluster: Server, Compute and Network nodes. I am running ML2 with VLANs and have multiple NICs in all three nodes. The problem I am running into is that when the VM is up and running on the Compute node, the VM gets the DHCP IP address from the network services and comes up. I can assign the VM a floating IP. The problem is that I am not able to reach the VM: I cannot ping the VM using the floating IP that is assigned to it, and I cannot ssh to the VM. I confirmed by looking at the tcpdump that packets are indeed reaching the Compute via the Network Node. I can see the pings coming into the Compute for the VM IP address, but I don't see any response back.

I am kind of perplexed that DHCP is working fine, but after that the VM goes quiet. Below is what my ML2 configuration looks like, along with the ifconfig output.

This looks like a bug with Icehouse compute using ML2 and VLANs

Thanks in advance for any help


root@compute1:/etc/neutron/plugins/ml2# more ml2_conf.ini
# (ListOpt) List of network type driver entrypoints to be loaded from
# the neutron.ml2.type_drivers namespace.
type_drivers = vlan

# (ListOpt) Ordered list of networking mechanism driver entrypoints
# to be loaded from the neutron.ml2.mechanism_drivers namespace.
# mechanism_drivers =
mechanism drivers = openvswitch

# (ListOpt) List of <physical_network>[:<vlan_min>:<vlan_max>] tuples
# specifying physical_network names usable for VLAN provider and
# tenant networks, as well as ranges of VLAN tags on each
# physical_network available for allocation as tenant networks.
network_vlan_ranges = default:1000:2000

# Controls if neutron security group is enabled or not.
# It should be false when you use nova security group.
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
enable_security_group = True

bridge_mappings = default:br-eth1


root@compute1:~# ifconfig -a
br-eth1   Link encap:Ethernet  HWaddr f0:1f:af:e8:c0:0c  
          inet6 addr: fe80::24b7:12ff:fe17:759d/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:36 errors:0 dropped:0 overruns:0 frame:0
          TX packets:65 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3688 (3.6 KB)  TX bytes:14898 (14.8 KB)

br-int    Link encap:Ethernet  HWaddr 3e:79:be:0d:5b:43  
          inet6 addr: fe80::2c29:27ff:fe44:edd4/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:48 errors:0 dropped:0 overruns:0 frame:0
          TX packets:65 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:4672 (4.6 KB)  TX bytes:14841 (14.8 KB)

eth0      Link encap:Ethernet  HWaddr f0:1f:af:e8:c0:0b  
          inet addr:  Bcast:  Mask:
          inet6 addr ...


and you opened ssh and icmp in the security group?

darragh-oreilly ( 2014-04-26 03:02:00 -0600 )

2 answers


answered 2014-04-26 03:17:43 -0600

SGPJ

By default, security group rules will not allow ping or SSH to the guest VMs. You need to add ALL ICMP & SSH rules for both ingress & egress by editing the default security group.





yerp.. need to manually add that one.. happened to me before.

senyapsudah ( 2014-04-26 04:41:18 -0600 )
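
Added example (not part of the original thread, and not Neutron's own code): a simplified Python model of ingress filtering on a VM port, showing why DHCP replies get through while ping and SSH are dropped until the rules from the answer above are added. The addresses, rule dictionaries and function names are constructed for illustration.

```python
# Simplified model (an assumption, not Neutron's code) of ingress filtering
# for one VM port under the iptables-based security group driver.
# Connection tracking (established/related traffic) is left out.
from ipaddress import ip_address, ip_network

DHCP_SERVER = "10.0.0.2"        # constructed sample address of the DHCP port
GROUP_MEMBERS = {"10.0.0.5"}    # constructed: other ports in the same group

# Default group as created for a tenant: ingress only from group members.
DEFAULT_GROUP = [{"direction": "ingress", "remote_group": True}]

# Rules the answer says to add: all ICMP, and TCP port 22, from anywhere.
ADDED_RULES = [
    {"direction": "ingress", "protocol": "icmp", "remote_ip_prefix": "0.0.0.0/0"},
    {"direction": "ingress", "protocol": "tcp", "port_min": 22, "port_max": 22,
     "remote_ip_prefix": "0.0.0.0/0"},
]

def rule_matches(rule, pkt):
    """True if one ingress rule permits the packet."""
    if rule.get("direction") != "ingress":
        return False
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "port_min" in rule:
        port = pkt.get("dport")
        if port is None or not rule["port_min"] <= port <= rule["port_max"]:
            return False
    if rule.get("remote_group"):
        return pkt["src"] in GROUP_MEMBERS
    prefix = rule.get("remote_ip_prefix", "0.0.0.0/0")
    return ip_address(pkt["src"]) in ip_network(prefix)

def ingress_verdict(rules, pkt):
    """Return 'accept' or 'drop' for a packet arriving at the VM port."""
    # Implicit allowance: DHCP replies from the network's DHCP server.
    if (pkt["protocol"] == "udp" and pkt["src"] == DHCP_SERVER
            and pkt.get("sport") == 67 and pkt.get("dport") == 68):
        return "accept"
    if any(rule_matches(r, pkt) for r in rules):
        return "accept"
    return "drop"  # anything unmatched is dropped

# Constructed sample packets
DHCP_OFFER = {"protocol": "udp", "src": "10.0.0.2", "sport": 67, "dport": 68}
PING = {"protocol": "icmp", "src": "192.0.2.10"}
SSH = {"protocol": "tcp", "src": "192.0.2.10", "sport": 40000, "dport": 22}
```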

answered 2014-04-26 08:46:02 -0600

awasi

Yup that did the trick. I completely forgot about the security group.



Asked: 2014-04-26 00:50:45 -0600

Seen: 1,051 times

Last updated: Apr 26 '14