Ask Your Question

Cannot establish full TCP connection from instance without default security group assigned to it

asked 2016-03-04 08:10:25 -0500

Daneel gravatar image

updated 2016-03-04 10:09:21 -0500


I don't want instance to be in default security group. When I create my own security group in my project I'm not able to wget some http page. Even though I have all egress communication allowed. There is no floating IP associated to the instance. For e.g.:

# wget
--2016-03-04 13:56:44--
Resolving (, 2a00:1450:400d:802::200e
Connecting to (|2a00:1450:400d:802::200e|:80... failed: Network is unreachable.

Both ping and DNS resolving are OK.

Security group look like this: security group screenshot

| direction | protocol | remote_ip_prefix | remote_group                 |
| egress    | any      |        |                              |
| ingress   | tcp      |        |                              |
| ingress   | icmp     |        |                              |
| ingress   | any      |                  | without-default-total-egress |
| ingress   | any      |                  | without-default-total-egress |
  • OpenStack version: Kilo.
  • OpenContrail version: 2.21

Another instance with default security group is able to wget without any problems.

edit retag flag offensive close merge delete


Does both instances live on the same compute node? If your secgroup is working for 1 instance but not another I looks more like a networking issue here.

haukebruno gravatar imagehaukebruno ( 2016-03-04 18:25:59 -0500 )edit

1 answer

Sort by ยป oldest newest most voted

answered 2016-03-06 08:38:31 -0500

dcapone gravatar image

A quick look at your output indicates that the instance appears to be attempting to connect to using ipv6. I do not see a rule in your custom security group to allow ipv6 egress. In contrast, the default security group has egress allow all rules for both ipv4 and ipv6.

edit flag offensive delete link more


Thanks for your input. We've tested to add egress IPv6 rule, but without success...

Daneel gravatar imageDaneel ( 2016-03-07 01:36:24 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2016-03-04 08:10:25 -0500

Seen: 224 times

Last updated: Mar 06 '16