
RE: Virtual Router not accepting SSH connections from CloudStack Management server


Hi Cristian,

That is correct, SSH is only possible to system VMs on port 3922. It is passwordless; you must use the SSH keys which are stored on the management server.

paul.angus@xxxxxxxxxxxxx
www.shapeblue.com
Amadeus House, Floral Street, London WC2E 9DP, UK
@shapeblue


-----Original Message-----
From: cristian.c@istream.today <cristian.c@istream.today> 
Sent: 08 October 2018 12:13
To: users@xxxxxxxxxxxxxxxxxxxxx
Subject: RE: Virtual Router not accepting SSH connections from CloudStack Management server

VMware (at the end of this mail you can see the full setup)

-----Original Message-----
From: Rafael Weingärtner <rafaelweingartner@xxxxxxxxx>
Sent: Monday, October 8, 2018 1:20 PM
To: users <users@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Virtual Router not accepting SSH connections from CloudStack Management server

What hypervisor do you use?

On Mon, Oct 8, 2018 at 4:53 AM <cristian.c@istream.today> wrote:

> Hello folks,
>
> As I said in my previous email, my virtual router is not accepting SSH
> connections from the management server, or from any other server.
> What I have found is that my default iptables rules look incorrect to
> me, accepting connections on 3922 only for eth1:
>
>    51  2408 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            158.69.17.226        tcp dpt:53
>  403K   30M ACCEPT     udp  --  eth0   *       0.0.0.0/0            158.69.17.226        udp dpt:53
> 13473 4411K ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
> 9421K  982M NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3922 state NEW,ESTABLISHED
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.18
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            225.0.0.50
> 7270K  821M ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>  396K   20M ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>
> Router interface:
>
> root@r-2055-VM:~# ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether 1e:00:85:00:00:33 brd ff:ff:ff:ff:ff:ff
>     inet 158.xx.xx.226/28 brd 158.69.17.239 scope global eth0
>        valid_lft forever preferred_lft forever
>     inet 167.xx.xx.246/28 brd 167.114.12.255 scope global eth0
>        valid_lft forever preferred_lft forever
>     inet 149.xx.xx.80/27 brd 149.56.173.95 scope global eth0
>        valid_lft forever preferred_lft forever
>     inet 192.xx.xx.79/26 brd 192.99.175.127 scope global eth0
>        valid_lft forever preferred_lft forever
>     inet 198.xx.xx.162/27 brd 198.50.180.191 scope global eth0
>        valid_lft forever preferred_lft forever
>     inet 149.xx.xx.99/27 brd 149.56.254.127 scope global eth0
>        valid_lft forever preferred_lft forever
>     inet 144.xx.xx.199/27 brd 144.217.38.223 scope global eth0
>        valid_lft forever preferred_lft forever
>     inet 144.xx.xx.177/27 brd 144.217.178.191 scope global eth0
>        valid_lft forever preferred_lft forever
>     inet 66.xx.xx.133/27 brd 66.70.150.159 scope global eth0
>        valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
>     link/ether 02:00:06:0b:00:dc brd ff:ff:ff:ff:ff:ff
>
> After adding the following rule: iptables -A INPUT -p tcp --dport
> 3922 -j ACCEPT, everything works until the next restart (or reload of
> the iptables rules). Is this a bug? Any suggestions?
>
> ===============================
>
> Additional info from previous mail:
>
> Current environment: CloudStack 4.11.1 (ShapeBlue) + VMware 5.5,
> local storage, Basic Networking. (This is an old environment: 4.5.2,
> 4.9, 4.11.1.)
>
> Right now I get the following error: "deployedCheckSshCommand)
> (logid:236afb1a) Could not connect to 149.xxx.xx.53 due to
> java.net.ConnectException: Connection timed out", and my router is
> stuck in starting mode.
>
> After testing manually I saw that I'm not able to connect to the VR
> using SSH (management -> virtual router). I was able to ping and
> telnet on port 80, but not able to connect on 3922:
>
> [root@cloud-emea ~]# ping 149.xxx.xx.53
> PING 149.xxx.xx.53 (149.xxx.xx.53) 56(84) bytes of data.
> 64 bytes from 149.xxx.xx.53: icmp_seq=1 ttl=63 time=1.83 ms
> ^C
> --- 149.xxx.xx.53 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 932ms
> rtt min/avg/max/mdev = 1.832/1.832/1.832/0.000 ms
>
> [root@cloud-emea ~]# telnet 149.xxx.xx.53 80
> Trying 149.xxx.xx.53...
> Connected to 149.xxx.xx.53.
> Escape character is '^]'.
> ^]
> telnet> quit
> Connection closed.
>
> [root@cloud-emea ~]# telnet 149.xxx.xx.53 3922
> Trying 149.xxx.xx.53...
>
> I came up with the idea of connecting to the VR using the console and
> adding the following firewall rule: iptables -A INPUT -p tcp -m state
> --state NEW --dport 3922 -j ACCEPT. My problem was "fixed", but after
> some time I have the same issue again, for example when my router is
> destroyed.
>
> Thank you!
>
> Cristian
>

--
Rafael Weingärtner
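Paul's reply confirms that system VMs accept SSH only on port 3922, and Cristian's listing shows that the only ACCEPT rule for that port is bound to eth1, which "ip a" reports as DOWN, while the management server reaches the router through eth0. The script below is an added example written for this thread; it is not code from the thread, from ShapeBlue or from CloudStack. It parses "iptables -nvL INPUT" and "ip addr" output and reports whether the port-3922 ACCEPT rule is usable (unbound, or bound to an interface that is UP), bound only to a DOWN interface, or missing altogether. The sample listings are constructed from the output quoted above (a subset of the rules, the same addresses), and all function names are my own.

```python
import re

# Constructed sample input, modelled on the listings quoted in the thread
# (a subset of the rules; the addresses are the ones shown there).
IPTABLES_INPUT = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   51  2408 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            158.69.17.226        tcp dpt:53
9421K  982M NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3922 state NEW,ESTABLISHED
7270K  821M ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
"""

IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 1e:00:85:00:00:33 brd ff:ff:ff:ff:ff:ff
    inet 158.69.17.226/28 brd 158.69.17.239 scope global eth0
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 02:00:06:0b:00:dc brd ff:ff:ff:ff:ff:ff
"""

# "2: eth0: <...> ... state UP ..." -> name=eth0, state=UP
LINK_LINE = re.compile(r"^\d+:\s+(?P<name>[^:\s]+):.*\bstate\s+(?P<state>\S+)")


def parse_iptables_rules(listing):
    """Turn 'iptables -nvL <chain>' output into a list of rule dicts."""
    rules = []
    for line in listing.splitlines():
        cols = line.split()
        # Skip the chain header and the column header; a rule has >= 9 columns.
        if len(cols) < 9 or cols[0] in ("Chain", "pkts"):
            continue
        extra = " ".join(cols[9:])          # match options: dpt:, state, ...
        dport = re.search(r"\bdpt:(\d+)", extra)
        rules.append({
            "target": cols[2], "prot": cols[3], "in": cols[5], "out": cols[6],
            "src": cols[7], "dst": cols[8],
            "dport": int(dport.group(1)) if dport else None,
            "extra": extra,
        })
    return rules


def parse_link_states(ip_output):
    """Map interface name -> operational state from 'ip addr' / 'ip link' output."""
    states = {}
    for line in ip_output.splitlines():
        m = LINK_LINE.match(line)
        if m:
            states[m.group("name")] = m.group("state")
    return states


def check_ssh_rule(rules, link_states, port=3922):
    """Classify the INPUT chain with respect to the system-VM SSH port.

    Returns {'status': 'ok' | 'bound_to_down_interface' | 'missing',
             'interfaces': [...]}, listing the interfaces the matching
    ACCEPT rules are bound to.
    """
    matching = [r for r in rules
                if r["target"] == "ACCEPT" and r["prot"] == "tcp" and r["dport"] == port]
    if not matching:
        return {"status": "missing", "interfaces": []}
    # A rule is usable if it is not interface-bound ('*') or its interface is UP.
    usable = [r["in"] for r in matching
              if r["in"] == "*" or link_states.get(r["in"]) == "UP"]
    if usable:
        return {"status": "ok", "interfaces": usable}
    return {"status": "bound_to_down_interface",
            "interfaces": [r["in"] for r in matching]}


if __name__ == "__main__":
    # On a live router, replace the constants with the real command output.
    result = check_ssh_rule(parse_iptables_rules(IPTABLES_INPUT),
                            parse_link_states(IP_ADDR))
    print(result)
```

On the thread's listing the check reports bound_to_down_interface for eth1, which is exactly the symptom Cristian sees: ping and port 80 work through eth0, but nothing accepts 3922 there. The script only diagnoses the running rule set; as the thread notes, a rule added by hand on the router is lost on the next restart or when the router is destroyed and recreated.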