Cannot establish full TCP connection from instance without default security group assigned to it

asked 2016-03-04 08:10:25 -0600

Daneel

updated 2016-03-04 10:09:21 -0600

Hi,

I don't want the instance to be in the default security group. When I create my own security group in my project, I'm not able to wget some HTTP page, even though I have all egress communication allowed. There is no floating IP associated with the instance. For example:

# wget google.com
--2016-03-04 13:56:44--  http://google.com/
Resolving google.com (google.com)... 216.58.214.206, 2a00:1450:400d:802::200e
Connecting to google.com (google.com)|2a00:1450:400d:802::200e|:80... failed: Network is unreachable.

Both ping and DNS resolving are OK.

The security group looks like this:

+-----------+----------+------------------+------------------------------+
| direction | protocol | remote_ip_prefix | remote_group                 |
+-----------+----------+------------------+------------------------------+
| egress    | any      | 0.0.0.0/0        |                              |
| ingress   | tcp      | 0.0.0.0/0        |                              |
| ingress   | icmp     | 0.0.0.0/0        |                              |
| ingress   | any      |                  | without-default-total-egress |
| ingress   | any      |                  | without-default-total-egress |
+-----------+----------+------------------+------------------------------+
  • OpenStack version: Kilo.
  • OpenContrail version: 2.21

Another instance with the default security group is able to wget without any problems.


Comments

Do both instances live on the same compute node? If your secgroup is working for 1 instance but not another, it looks more like a networking issue here.

haukebruno ( 2016-03-04 18:25:59 -0600 )

1 answer


answered 2016-03-06 08:38:31 -0600

dcapone

A quick look at your output indicates that the instance appears to be attempting to connect to Google.com using IPv6. I do not see a rule in your custom security group to allow IPv6 egress. In contrast, the default security group has egress allow all rules for both IPv4 and IPv6.


Comments

Thanks for your input. We've tested adding an egress IPv6 rule, but without success...

Daneel ( 2016-03-07 01:36:24 -0600 )
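The rule check the answer describes, as an added example that is not part of the original thread: it parses the rules table posted in the question and tests each address wget resolved against the egress rules of the matching address family. The function names are hypothetical, and because the posted table has no ethertype column, the code assumes a rule's ethertype is the family of its CIDR.

```python
import ipaddress

# Rules table as posted in the question (the duplicated ingress row is kept).
RULES_TABLE = """\
+-----------+----------+------------------+------------------------------+
| direction | protocol | remote_ip_prefix | remote_group                 |
+-----------+----------+------------------+------------------------------+
| egress    | any      | 0.0.0.0/0        |                              |
| ingress   | tcp      | 0.0.0.0/0        |                              |
| ingress   | icmp     | 0.0.0.0/0        |                              |
| ingress   | any      |                  | without-default-total-egress |
| ingress   | any      |                  | without-default-total-egress |
+-----------+----------+------------------+------------------------------+
"""

# Addresses wget resolved for google.com in the question.
RESOLVED = ["216.58.214.206", "2a00:1450:400d:802::200e"]


def parse_rules(table):
    """Turn the ASCII table into a list of dicts keyed by column name."""
    rows = [[c.strip() for c in line.strip("|").split("|")]
            for line in table.splitlines() if line.startswith("|")]
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body]


def egress_allows(rules, dest, protocol="tcp"):
    """True if an egress CIDR rule of dest's address family covers dest."""
    addr = ipaddress.ip_address(dest)
    for rule in rules:
        if rule["direction"] != "egress" or not rule["remote_ip_prefix"]:
            continue
        if rule["protocol"] not in ("any", protocol):
            continue
        # Assumption: the rule's ethertype is the family of its CIDR, so
        # 0.0.0.0/0 is IPv4-only and IPv6 traffic needs its own ::/0 rule.
        net = ipaddress.ip_network(rule["remote_ip_prefix"], strict=False)
        if net.version == addr.version and addr in net:
            return True
    return False


def report(table=RULES_TABLE, dests=RESOLVED):
    return {d: egress_allows(parse_rules(table), d) for d in dests}


if __name__ == "__main__":
    for dest, ok in report().items():
        print(f"{dest:30} egress {'allowed' if ok else 'NOT covered'}")
```

This only evaluates rule coverage; it says nothing about whether the instance has an IPv6 address or route.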
