
What would cause a VM to not be able to ping a neutron router?

Hello... I have a 7-node Mitaka ML2/OVS setup (controller, neutron, compute1-5 and storage) and am having trouble adding a second external provider network. VMs have been issued a floating IP, are reachable, and can access the outside world via br-ex (ext-net) without issue. A second NIC in the Neutron node has been configured as br-qam. A second flat network (qam-net) has been created, and I am able to assign a second floating IP to a VM. A second router (qam-router) has been created, and interfaces to br-qam and the tenant network have been added. The router can ping the external default gateway, the VM and itself. My issue is that VMs cannot ping the router or the external gateway.

Supporting Details:

    root@neutron1:~# neutron net-list
+--------------------------------------+-------------+-----------------------------------------------------+
| id                                   | name        | subnets                                             |
+--------------------------------------+-------------+-----------------------------------------------------+
| 044cc270-cb23-4205-bd1e-10f0559809a8 | qam-net     | 07a895b3-9f1e-4c52-9c21-52e78416e537 172.16.10.0/24 |
| baeaab77-5e47-48eb-810e-de2355004c5b | ext-net     | da444dce-1533-4991-9823-1d94981b1bee 10.0.0.0/24    |
| 1f3e398c-e640-4e6e-a824-732782ebc6f2 | demo-net    | 31dbdb08-02e8-4be6-958a-93fddfc6446a 192.168.2.0/24 |
| a5174752-656a-4953-aa9e-0b6764eaf007 | rain-net    | d2647846-e708-49ff-800f-588e7d7c5391 192.168.1.0/24 |
| 78f1f996-213d-4ce4-bfd8-8ac0332911c7 | Drop-VOD    | 8e9f965e-aa64-4bcc-8004-4118e8b2599f 192.168.4.0/24 |
| 6cd5b93a-2d22-435b-9723-76d923ed327d | Drop-Linear | a2f57b06-e214-4476-b74e-ca71d4cc9a0d 192.168.3.0/24 |
+--------------------------------------+-------------+-----------------------------------------------------+


root@neutron1:~# neutron net-show qam-net
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2017-02-28T14:28:43                  |
| description               |                                      |
| id                        | 044cc270-cb23-4205-bd1e-10f0559809a8 |
| ipv4_address_scope        |                                      |
| ipv6_address_scope        |                                      |
| is_default                | False                                |
| mtu                       | 1500                                 |
| name                      | qam-net                              |
| port_security_enabled     | True                                 |
| provider:network_type     | flat                                 |
| provider:physical_network | qamnet                               |
| provider:segmentation_id  |                                      |
| router:external           | True                                 |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   | 07a895b3-9f1e-4c52-9c21-52e78416e537 |
| tags                      |                                      |
| tenant_id                 | c1a771834b904373b3b9374acaf6cb62     |
| updated_at                | 2017-02-28T14:28:43                  |
+---------------------------+--------------------------------------+


root@neutron1:~# cat /etc/neutron/plugins/ml2/ml2_conf.ini
[ml2]
# (ListOpt) List of network type driver entrypoints to be loaded from
# the neutron.ml2.type_drivers namespace.
#
type_drivers = flat,vlan,vxlan

# (ListOpt) Ordered list of network_types to allocate as tenant
# networks. The default value 'local' is useful for single-box testing
# but provides no connectivity between hosts.
#
tenant_network_types = vxlan

# (ListOpt) Ordered list of networking mechanism driver entrypoints
# to be loaded from the neutron.ml2.mechanism_drivers namespace.
mechanism_drivers = openvswitch,l2population

# (ListOpt) Ordered list of extension driver entrypoints
# to be loaded from the neutron.ml2.extension_drivers namespace.
extension_drivers = port_security
# Example: extension_drivers = anewextensiondriver

[ml2_type_flat]
# (ListOpt) List of physical_network names with which flat networks
# can be created. Use * to allow flat networks with arbitrary
# physical_network names.
#
flat_networks = external,qamnet

[ml2_type_vlan]
# (ListOpt) List of <physical_network>[:<vlan_min>:<vlan_max>] tuples
# specifying physical_network names usable for VLAN provider and
# tenant networks, as well as ranges of VLAN tags on each
# physical_network available for allocation as tenant networks.
#
# network_vlan_ranges =
network_vlan_ranges = external:1000:2999,qamnet:1000:2999

[ml2_type_gre]
# (ListOpt) Comma-separated list of <tun_min>:<tun_max> tuples enumerating ranges of GRE tunnel IDs that are available for tenant network allocation
#tunnel_id_ranges = 1000:2999

[ml2_type_vxlan]
# (ListOpt) Comma-separated list of <vni_min>:<vni_max> tuples enumerating
# ranges of VXLAN VNI IDs that are available for tenant network allocation.
#
# vni_ranges =

# (StrOpt) Multicast group for the VXLAN interface. When configured, will
# enable sending all broadcast traffic to this multicast group. When left
# unconfigured, will disable multicast VXLAN mode.
#
# vxlan_group =
# Example: vxlan_group = 239.1.1.1

[ml2_type_geneve]
# (ListOpt) Comma-separated list of <vni_min>:<vni_max> tuples enumerating
# ranges of Geneve VNI IDs that are available for tenant network allocation.
#
# vni_ranges =

[securitygroup]
# Controls if neutron security group is enabled or not.
# It should be false when you use nova security group.
# enable_security_group = True

# Use ipset to speed-up the iptables security groups. Enabling ipset support
# requires that ipset is installed on L2 agent node.
enable_ipset = True


root@neutron1:~# cat /etc/neutron/plugins/ml2/openvswitch_agent.ini
[ovs]

# integration_bridge = br-int

# Only used for the agent if tunnel_id_ranges is not empty for
# the server.  In most cases, the default value should be fine.
#
# tunnel_bridge = br-tun

# Peer patch port in integration bridge for tunnel bridge
# int_peer_patch_port = patch-tun

# Peer patch port in tunnel bridge for integration bridge
# tun_peer_patch_port = patch-int

# Uncomment this line for the agent if tunnel_id_ranges is not
# empty for the server. Set local-ip to be the local IP address of
# this hypervisor.
#
local_ip = 10.0.1.21

bridge_mappings = vlan:br-vlan,external:br-ex,qamnet:br-qam
# Example: bridge_mappings = physnet1:br-eth1

# (BoolOpt) Use veths instead of patch ports to interconnect the integration
# bridge to physical networks. Support kernel without ovs patch port support
# so long as it is set to True.
# use_veth_interconnection = False

# (StrOpt) Which OVSDB backend to use, defaults to 'vsctl'
# vsctl - The backend based on executing ovs-vsctl
# native - The backend based on using native OVSDB
# ovsdb_interface = vsctl

# (StrOpt) The connection string for the native OVSDB backend
# To enable ovsdb-server to listen on port 6640:
#   ovs-vsctl set-manager ptcp:6640:127.0.0.1
# ovsdb_connection = tcp:127.0.0.1:6640

# (StrOpt) OpenFlow interface to use.
# 'ovs-ofctl' or 'native'.
# of_interface = ovs-ofctl
#
# (IPOpt)
# Address to listen on for OpenFlow connections.
# Used only for 'native' driver.
# of_listen_address = 127.0.0.1
#
# (IntOpt)
# Port to listen on for OpenFlow connections.
# Used only for 'native' driver.
# of_listen_port = 6633
#
# (IntOpt)
# Timeout in seconds to wait for the local switch connecting the controller.
# Used only for 'native' driver.
# of_connect_timeout=30
#
# (IntOpt)
# Timeout in seconds to wait for a single OpenFlow request.
# Used only for 'native' driver.
# of_request_timeout=10

# (StrOpt) ovs datapath to use.
# 'system' is the default value and corresponds to the kernel datapath.
# To enable the userspace datapath set this value to 'netdev'
# datapath_type = system

[agent]
# Log agent heartbeats from this OVS agent
# log_agent_heartbeats = False

# Agent's polling interval in seconds
# polling_interval = 2

# Minimize polling by monitoring ovsdb for interface changes
# minimize_polling = True

# When minimize_polling = True, the number of seconds to wait before
# respawning the ovsdb monitor after losing communication with it
# ovsdb_monitor_respawn_interval = 30

# (ListOpt) The types of tenant network tunnels supported by the agent.
# Setting this will enable tunneling support in the agent. This can be set to
# either 'gre' or 'vxlan'. If this is unset, it will default to [] and
# disable tunneling support in the agent.
# You can specify as many values here as your compute hosts supports.
#
tunnel_types = vxlan

# (IntOpt) The port number to utilize if tunnel_types includes 'vxlan'. By
# default, this will make use of the Open vSwitch default value of '4789' if
# not specified.
#
# vxlan_udp_port =
# Example: vxlan_udp_port = 8472

# (IntOpt) This is the MTU size of veth interfaces.
# Do not change unless you have a good reason to.
# The default MTU size of veth interfaces is 1500.
# This option has no effect if use_veth_interconnection is False
# veth_mtu =
# Example: veth_mtu = 1504

# (BoolOpt) Flag to enable l2-population extension. This option should only be
# used in conjunction with ml2 plugin and l2population mechanism driver. It'll
# enable plugin to populate remote ports macs and IPs (using fdb_add/remove
# RPC callbacks instead of tunnel_sync/update) on OVS agents in order to
# optimize tunnel management.
#
l2_population = False 

# Enable local ARP responder. Requires OVS 2.1. This is only used by the l2
# population ML2 MechanismDriver.
#
# arp_responder = False

prevent_arp_spoofing = True

# (BoolOpt) Set or un-set the don't fragment (DF) bit on outgoing IP packet
# carrying GRE/VXLAN tunnel. The default value is True.
#
# dont_fragment = True

# (BoolOpt) Set to True on L2 agents to enable support
# for distributed virtual routing.
#
# enable_distributed_routing = False

# (IntOpt) Set new timeout in seconds for new rpc calls after agent receives
# SIGTERM. If value is set to 0, rpc timeout won't be changed"
#
# quitting_rpc_timeout = 10

# (ListOpt) Extensions list to use
# Example: extensions = qos
#
# extensions =

# (BoolOpt) Set or un-set the checksum on outgoing IP packet
# carrying GRE/VXLAN tunnel. The default value is False.
#
# tunnel_csum = False

# (StrOpt) agent_type to report.
# This config entry allows configuration of the neutron agent type reported
# by the default ovs l2 agent. This allows multiple ovs mechanism drivers
# to share a common ovs agent implementation. NOTE: this value will be
# removed in the mitaka cycle.
#
# agent_type = 'Open vSwitch agent'

[securitygroup]
# Firewall driver for realizing neutron security group function.
# firewall_driver = neutron.agent.firewall.NoopFirewallDriver
#firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
firewall_driver = iptables_hybrid

# Controls if neutron security group is enabled or not.
# It should be false when you use nova security group.
enable_security_group = True

    root@neutron1:~# ip netns
qrouter-fb1fdc96-6ebf-44a1-a3cd-c11220f15fdd
qrouter-89b5954a-3f22-440f-ad97-08e679b647f2
qrouter-2628b770-5928-4ef5-af29-2fd3fccdb213
qdhcp-78f1f996-213d-4ce4-bfd8-8ac0332911c7
qdhcp-1f3e398c-e640-4e6e-a824-732782ebc6f2
qdhcp-a5174752-656a-4953-aa9e-0b6764eaf007
qdhcp-6cd5b93a-2d22-435b-9723-76d923ed327d

    root@neutron1:~# ip netns exec qrouter-89b5954a-3f22-440f-ad97-08e679b647f2 netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.16.10.1     0.0.0.0         UG        0 0          0 qg-a5e14ad3-9a
172.16.10.0     0.0.0.0         255.255.255.0   U         0 0          0 qg-a5e14ad3-9a
192.168.3.0     0.0.0.0         255.255.255.0   U         0 0          0 qr-87466402-7f
192.168.4.0     0.0.0.0         255.255.255.0   U         0 0          0 qr-dafbdb03-ea

    root@neutron1:~# ip netns exec qrouter-89b5954a-3f22-440f-ad97-08e679b647f2 arp -an
? (172.16.10.1) at 00:01:e8:82:26:be [ether] on qg-a5e14ad3-9a
? (192.168.4.1) at fa:16:3e:92:23:f9 [ether] on qr-dafbdb03-ea
? (192.168.4.181) at fa:16:3e:bc:61:e3 [ether] on qr-dafbdb03-ea
? (172.16.10.2) at <incomplete> on qg-a5e14ad3-9a
? (192.168.4.3) at <incomplete> on qr-dafbdb03-ea

The router is able to ping the VM:

root@neutron1:~# ip netns exec qrouter-89b5954a-3f22-440f-ad97-08e679b647f2 ping -c 4 192.168.4.181
PING 192.168.4.181 (192.168.4.181) 56(84) bytes of data.
64 bytes from 192.168.4.181: icmp_seq=1 ttl=64 time=1.09 ms
64 bytes from 192.168.4.181: icmp_seq=2 ttl=64 time=0.305 ms
64 bytes from 192.168.4.181: icmp_seq=3 ttl=64 time=0.329 ms
64 bytes from 192.168.4.181: icmp_seq=4 ttl=64 time=0.420 ms

The router is also able to ping the external GW:

root@neutron1:~# ip netns exec qrouter-89b5954a-3f22-440f-ad97-08e679b647f2 ping -c 4 172.16.10.1
PING 172.16.10.1 (172.16.10.1) 56(84) bytes of data.
64 bytes from 172.16.10.1: icmp_seq=1 ttl=255 time=0.525 ms
64 bytes from 172.16.10.1: icmp_seq=2 ttl=255 time=0.506 ms
64 bytes from 172.16.10.1: icmp_seq=3 ttl=255 time=0.504 ms
64 bytes from 172.16.10.1: icmp_seq=4 ttl=255 time=0.482 ms

Neutron OVS looks like this:

 root@neutron1:~# ovs-vsctl show
3768d194-b043-43c6-8e1d-3a550902fdae
    Bridge br-int
        fail_mode: secure
        Port "qr-c8db0dee-b3"
            tag: 5
            Interface "qr-c8db0dee-b3"
                type: internal
        Port "tap72237223-86"
            tag: 4
            Interface "tap72237223-86"
                type: internal
        Port int-br-ex
            Interface int-br-ex
                type: patch
                options: {peer=phy-br-ex}
        Port "qr-e9e2536d-b8"
            tag: 4
            Interface "qr-e9e2536d-b8"
                type: internal
        Port "tap5823376f-72"
            tag: 1
            Interface "tap5823376f-72"
                type: internal
        Port "qg-90914f93-69"
            tag: 2
            Interface "qg-90914f93-69"
                type: internal
        Port "qg-989eaab1-eb"
            tag: 2
            Interface "qg-989eaab1-eb"
                type: internal
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
        Port br-int
            Interface br-int
                type: internal
        Port "qr-5c05623a-c9"
            tag: 1
            Interface "qr-5c05623a-c9"
                type: internal
        Port int-br-qam
            Interface int-br-qam
                type: patch
                options: {peer=phy-br-qam}
        Port "tap78e3c66f-23"
            tag: 3
            Interface "tap78e3c66f-23"
                type: internal
        Port "tap3629a116-e7"
            tag: 5
            Interface "tap3629a116-e7"
                type: internal
        Port "qr-87466402-7f"
            tag: 5
            Interface "qr-87466402-7f"
                type: internal
        Port int-br-vlan
            Interface int-br-vlan
                type: patch
                options: {peer=phy-br-vlan}
        Port "qr-dafbdb03-ea"
            tag: 1
            Interface "qr-dafbdb03-ea"
                type: internal
        Port "qg-a5e14ad3-9a"
            tag: 6
            Interface "qg-a5e14ad3-9a"
                type: internal
    Bridge br-ex
        fail_mode: secure
        Port phy-br-ex
            Interface phy-br-ex
                type: patch
                options: {peer=int-br-ex}
        Port "eno2"
            Interface "eno2"
        Port br-ex
            Interface br-ex
                type: internal
    Bridge br-qam
        fail_mode: secure
        Port "enp3s0f1"
            Interface "enp3s0f1"
        Port br-qam
            Interface br-qam
                type: internal
        Port phy-br-qam
            Interface phy-br-qam
                type: patch
                options: {peer=int-br-qam}
    Bridge br-tun
        fail_mode: secure
        Port "vxlan-0a00011f"
            Interface "vxlan-0a00011f"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.0.1.21", out_key=flow, remote_ip="10.0.1.31"}
        Port "vxlan-0a000121"
            Interface "vxlan-0a000121"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.0.1.21", out_key=flow, remote_ip="10.0.1.33"}
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
        Port "vxlan-0a000122"
            Interface "vxlan-0a000122"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.0.1.21", out_key=flow, remote_ip="10.0.1.34"}
        Port "vxlan-0a000123"
            Interface "vxlan-0a000123"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.0.1.21", out_key=flow, remote_ip="10.0.1.35"}
        Port "vxlan-0a000115"
            Interface "vxlan-0a000115"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.0.1.36", out_key=flow, remote_ip="10.0.1.21"}
        Port "vxlan-0a000120"
            Interface "vxlan-0a000120"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.0.1.21", out_key=flow, remote_ip="10.0.1.32"}
        Port br-tun
            Interface br-tun
                type: internal
        Port "vxlan-0a000124"
            Interface "vxlan-0a000124"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.0.1.21", out_key=flow, remote_ip="10.0.1.36"}
    Bridge br-vlan
        fail_mode: secure
        Port phy-br-vlan
            Interface phy-br-vlan
                type: patch
                options: {peer=int-br-vlan}
        Port br-vlan
            Interface br-vlan
                type: internal
    ovs_version: "2.5.0"

Compute Node OVS looks like this:

root@compute5:~# ovs-vsctl show
155eaef6-fc16-4626-abf0-7be9656b21b8
    Bridge br-tun
        fail_mode: secure
        Port "vxlan-0a000115"
            Interface "vxlan-0a000115"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.0.1.35", out_key=flow, remote_ip="10.0.1.21"}
        Port "vxlan-0a000122"
            Interface "vxlan-0a000122"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.0.1.35", out_key=flow, remote_ip="10.0.1.34"}
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
        Port br-tun
            Interface br-tun
                type: internal
        Port "gre-0a00011f"
            Interface "gre-0a00011f"
                type: gre
                options: {df_default="true", in_key=flow, local_ip="10.0.1.35", out_key=flow, remote_ip="10.0.1.31"}
        Port "vxlan-0a000124"
            Interface "vxlan-0a000124"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.0.1.35", out_key=flow, remote_ip="10.0.1.36"}
        Port "gre-0a000120"
            Interface "gre-0a000120"
                type: gre
                options: {df_default="true", in_key=flow, local_ip="10.0.1.35", out_key=flow, remote_ip="10.0.1.32"}
        Port "vxlan-0a00011f"
            Interface "vxlan-0a00011f"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.0.1.35", out_key=flow, remote_ip="10.0.1.31"}
        Port "gre-0a000115"
            Interface "gre-0a000115"
                type: gre
                options: {df_default="true", in_key=flow, local_ip="10.0.1.35", out_key=flow, remote_ip="10.0.1.21"}
        Port "vxlan-0a000120"
            Interface "vxlan-0a000120"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.0.1.35", out_key=flow, remote_ip="10.0.1.32"}
        Port "vxlan-0a000121"
            Interface "vxlan-0a000121"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.0.1.35", out_key=flow, remote_ip="10.0.1.33"}
    Bridge br-vlan
        fail_mode: secure
        Port br-vlan
            Interface br-vlan
                type: internal
        Port phy-br-vlan
            Interface phy-br-vlan
                type: patch
                options: {peer=int-br-vlan}
    Bridge br-int
        fail_mode: secure
        Port "tap41a11da4-85"
            tag: 1
            Interface "tap41a11da4-85"
        Port "tapffbb9542-54"
            tag: 1
            Interface "tapffbb9542-54"
        Port "tap640da24c-2c"
            tag: 2
            Interface "tap640da24c-2c"
        Port int-br-vlan
            Interface int-br-vlan
                type: patch
                options: {peer=phy-br-vlan}
        Port br-int
            Interface br-int
                type: internal
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
        Port int-br-qam
            Interface int-br-qam
                type: patch
                options: {peer=phy-br-qam}
    ovs_version: "2.5.0"

I can see ping traffic leaving the compute node:

root@compute5:~# tcpdump -e -n -i eno2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno2, link-type EN10MB (Ethernet), capture size 262144 bytes
11:09:05.931950 00:00:c9:b0:47:9f > 01:10:18:01:00:02, ethertype Unknown (0x8914), length 60: 
    0x0000:  1000 0004 0001 0002 0000 0202 0000 c9b0  ................
    0x0010:  479f 0000 0000 0000 0000 0000 0000 0000  G...............
    0x0020:  0000 0000 0000 0000 0000 cca0 c287       ..............
11:09:06.277797 00:a0:d1:ea:dd:ed > 00:00:c9:b0:47:9e, ethertype IPv4 (0x0800), length 148: 10.0.1.35.35903 > 10.0.1.21.4789: VXLAN, flags [I] (0x08), vni 43
fa:16:3e:bc:61:e3 > fa:16:3e:92:23:f9, ethertype IPv4 (0x0800), length 98: 192.168.4.181 > 172.16.10.9: ICMP echo request, id 2715, seq 26, length 64
11:09:06.431939 00:00:c9:b0:47:9f > 01:10:18:01:00:02, ethertype Unknown (0x8914), length 60: 
    0x0000:  1000 0004 0001 0002 0000 0202 0000 c9b0  ................
    0x0010:  479f 0000 0000 0000 0000 0000 0000 0000  G...............
    0x0020:  0000 0000 0000 0000 0000 cca0 c287

And I can see it arrive at the Neutron node:

root@neutron1:~# tcpdump -e -n -i enp3s0f0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp3s0f0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:12:26.186013 00:1f:d0:a0:e2:22 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 120: 10.0.0.14.5353 > 224.0.0.251.5353: 0 [2q] SRV (QM)? nas-01-5A-EB (AFP)._afpovertcp._tcp.local. A (QM)? nas-01-5A-EB.local. (78)
11:12:26.187707 00:0d:a2:01:5a:eb > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 144: 10.0.0.3.5353 > 224.0.0.251.5353: 0*- [0q] 2/0/0 (Cache flush) A 10.0.0.3, (Cache flush) SRV nas-01-5A-EB.local.:548 0 0 (102)
11:12:26.276746 00:a0:d1:ea:dd:ed > 00:00:c9:b0:47:9e, ethertype IPv4 (0x0800), length 148: 10.0.1.35.35903 > 10.0.1.21.4789: VXLAN, flags [I] (0x08), vni 43
fa:16:3e:bc:61:e3 > fa:16:3e:92:23:f9, ethertype IPv4 (0x0800), length 98: 192.168.4.181 > 172.16.10.9: ICMP echo request, id 2715, seq 226, length 64
11:12:26.301940 f4:f2:6d:79:cf:64 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 215: 10.0.0.1.34678 > 255.255.255.255.7437: UDP, length 173
11:12:26.846202 00:01:e8:82:26:be > 01:80:c2:00:00:00, 802.3, length 39: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:01:e8:82:26:bc.80b2, length 43
11:12:27.276992 00:a0:d1:ea:dd:ed > 00:00:c9:b0:47:9e, ethertype IPv4 (0x0800), length 148: 10.0.1.35.35903 > 10.0.1.21.4789: VXLAN, flags [I] (0x08), vni 43
fa:16:3e:bc:61:e3 > fa:16:3e:92:23:f9, ethertype IPv4 (0x0800), length 98: 192.168.4.181 > 172.16.10.9: ICMP echo request, id 2715, seq 227, length 64
11:12:28.276927 00:a0:d1:ea:dd:ed > 00:00:c9:b0:47:9e, ethertype IPv4 (0x0800), length 148: 10.0.1.35.35903 > 10.0.1.21.4789: VXLAN, flags [I] (0x08), vni 43
fa:16:3e:bc:61:e3 > fa:16:3e:92:23:f9, ethertype IPv4 (0x0800), length 98: 192.168.4.181 > 172.16.10.9: ICMP echo request, id 2715, seq 228, length 64

The default security group contains rules allowing ping and ssh from 0.0.0.0/0.

Any ideas as to what I'm missing? Thanks in advance!