I'm running OpenStack, and I'm having trouble accessing my instances from floating IPs, from anywhere except the network controller node.
I've got a Folsom deployment with FlatDHCP, not running multi-host, running on Ubuntu 12.04.
As an example, here's a running instance with a fixed IP of 10.40.0.2 and a floating IP of 10.20.0.3:
```
$ nova list
+-------+---------+--------+------------------------------+
| ID    | Name    | Status | Networks                     |
+-------+---------+--------+------------------------------+
| 3d292 | quantal | ACTIVE | private=10.40.0.2, 10.20.0.3 |
+-------+---------+--------+------------------------------+
```
If I'm logged into the controller, I can ping and ssh to the VM instance from either of the IPs. However, I cannot ping or ssh to the instance from an external machine.
If I try to ping from my laptop (192.168.3.8), and I do a tcpdump on the public interface (eth3), I can see the request and reply:
```
# tcpdump -i eth3 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 65535 bytes
17:26:54.004746 IP 192.168.3.8 > 10.20.0.3: ICMP echo request, id 47116, seq 0, length 64
17:26:54.005383 IP 10.20.0.3 > 192.168.3.8: ICMP echo reply, id 47116, seq 0, length 64
```
However, the ICMP reply packets don't get back to my laptop. In fact, if I log in to the router/firewall (Cisco ASA 5500) and do a packet capture, it doesn't see the ICMP reply packets either. However, it doesn't seem to be filtering the packets out. It's as if they just aren't reaching the ASA. I also can't ping the 10.20.0.3 interface from the ASA.
The controller is connected directly to the ASA, so the issue seems to be either on the controller node or the ASA.
Even though tcpdump shows the reply packets going out, is it possible that they are being dropped instead of leaving the controller? If so, would this be because of iptables, or due to something else?
Output of iptables-save is in a GitHub gist.
```
$ ip addr show eth3
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 33:44:55:66:77:88 brd ff:ff:ff:ff:ff:ff
    inet 10.20.0.2/24 brd 10.20.0.255 scope global eth3
    inet 10.20.0.3/32 scope global eth3
    inet 10.20.0.4/32 scope global eth3
    inet 10.20.0.5/32 scope global eth3
    inet6 fe80::6273:5cff:fe68:b4b7/64 scope link
       valid_lft forever preferred_lft forever
```
Best Answer
You may need to set up some security rules as described [here](http://docs.openstack.org/trunk/openstack-network/admin/content/enabling_ping_and_ssh.html).
You may also set up the rules through the Horizon Web interface.