Cannot establish full TCP connection from instance without default security group assigned to it

asked 2016-03-04

I don't want the instance to be in the default security group. When I create my own security group in my project, I'm not able to wget an HTTP page, even though I have all egress communication allowed. There is no floating IP associated with the instance. For example:

# wget
--2016-03-04 13:56:44--
Resolving (, 2a00:1450:400d:802::200e
Connecting to (|2a00:1450:400d:802::200e|:80... failed: Network is unreachable.

Both ping and DNS resolving are OK.

The security group looks like this:

| direction | protocol | remote_ip_prefix | remote_group                 |
| egress    | any      |        |                              |
| ingress   | tcp      |        |                              |
| ingress   | icmp     |        |                              |
| ingress   | any      |                  | without-default-total-egress |
| ingress   | any      |                  | without-default-total-egress |
  • OpenStack version: Kilo.
  • OpenContrail version: 2.21

Another instance with default security group is able to wget without any problems.

Do both instances live on the same compute node? If your secgroup is working for 1 instance but not another, it looks more like a networking issue here.

haukebruno ( 2016-03-04 )

answered 2016-03-06

A quick look at your output indicates that the instance appears to be attempting to connect to using ipv6. I do not see a rule in your custom security group to allow ipv6 egress. In contrast, the default security group has egress allow all rules for both ipv4 and ipv6.

Thanks for your input. We've tested adding an egress IPv6 rule, but without success...
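The check the answer describes, as an added example that is not part of the original thread: it evaluates a group's egress rules per ethertype against a destination address. The rule dictionaries use Neutron's security-group-rule field names. Both sample groups and the IPv4 address are constructed, since the table in the question does not show the ethertype column.

```python
import ipaddress

# Constructed sample: a custom group with only an IPv4 egress rule, next to a
# default-style group that has one allow-all egress rule per ethertype.
CUSTOM_GROUP = [
    {"direction": "egress", "ethertype": "IPv4", "protocol": None,
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
]
DEFAULT_STYLE_GROUP = [
    {"direction": "egress", "ethertype": et, "protocol": None,
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": None, "remote_group_id": None}
    for et in ("IPv4", "IPv6")
]


def rule_permits(rule, dest, protocol, port):
    """True if one rule allows egress to dest (an ip_address) on protocol/port."""
    # An IPv4 rule never covers an IPv6 destination, and vice versa.
    if rule["direction"] != "egress" or rule["ethertype"] != "IPv%d" % dest.version:
        return False
    if rule["protocol"] not in (None, protocol):
        return False
    if rule.get("remote_group_id"):
        return False  # assumption: the external destination is not a group member
    prefix = rule.get("remote_ip_prefix")
    if prefix and dest not in ipaddress.ip_network(prefix, strict=False):
        return False
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is not None and not (lo <= port <= (hi if hi is not None else lo)):
        return False
    return True


def egress_allowed(rules, dest_ip, protocol="tcp", port=80):
    """True if any rule in the group permits the outbound connection."""
    dest = ipaddress.ip_address(dest_ip)
    return any(rule_permits(r, dest, protocol, port) for r in rules)


def uncovered_ethertypes(rules):
    """Ethertypes for which the group has no egress rule at all."""
    have = {r["ethertype"] for r in rules if r["direction"] == "egress"}
    return sorted({"IPv4", "IPv6"} - have)
```

Feeding it the rules of a real group (for example from the Neutron API's JSON output) shows at a glance whether an IPv6 destination such as the one in the wget output is covered by any egress rule.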

