Posted to dev@cloudstack.apache.org by Lu Heng <h....@anytimechinese.com> on 2012/06/12 23:51:04 UTC

Config public network without VLAN(error:no route to the host)

Hi

We have following setup

management network(public IP range, 123.123.123.0/24)
storage network(private IP range 10.2.0.0/24)
public network(public IP range 111.111.111.0/24)

1 CP
1 Nic on management network
1 Nic on storage network

2*Host
1 Nic on management network
1 Nic on storage network
1 Nic on public network

1 storage
1 Nic on management network
1 nic on storage network

Management server has an NFS share which mounted on the storage network as
secondary storage.

So two questions:

1. for the public network, there is no vlan setup, the IP is direct routed
to both host server(they are on access point), the question is, while I
config the public network and guest network, it always ask for vlan number,
which we don't have.

2. We saw "no route to the host" error in all the template, ISOs, in which
we can not create any instance on.

Please, if any one have good suggestion in this network setup, how can we
do it.

-- 
--
Kind regards.
Lu

This transmission is intended solely for the addressee(s) shown above.
It may contain information that is privileged, confidential or
otherwise protected from disclosure. Any review, dissemination or use
of this transmission or its contents by persons other than the
intended addressee(s) is strictly prohibited. If you have received
this transmission in error, please notify this office immediately and
e-mail the original at the sender's address above by replying to this
message and including the text of the transmission received.

Re: Config public network without VLAN(error:no route to the host)

Posted by Lu Heng <h....@anytimechinese.com>.
Hi

The first template(the centos template in which already downloaded
during preparation) is not even working, it also shows "no route to
the host"

On Wed, Jun 13, 2012 at 1:09 AM, Chiradeep Vittal
<Ch...@citrix.com> wrote:
> You might need to add the host ip of the web server where the templates
> are hosted to
> "secstorage.allowed.internal.sites" in the global configuration.
>
> On 6/12/12 3:50 PM, "Lu Heng" <h....@anytimechinese.com> wrote:
>
>>Hi
>>
>>Thanks for reply
>>
>>First, the SSVM can mount the secondary storage, and the ssvm-check.sh is
>>passed without error. the "no route to the host" problem still exists.
>>
>>second, what should we fill in the vlan in the public network setup while
>>the IP is simply in the access port?
>>
>>and the iptable rule on the ssvm host:
>>Chain INPUT (policy ACCEPT)
>>target     prot opt source               destination
>>ACCEPT     gre  --  anywhere             anywhere
>>RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>>
>>Chain FORWARD (policy ACCEPT)
>>target     prot opt source               destination
>>RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>>
>>Chain OUTPUT (policy ACCEPT)
>>target     prot opt source               destination
>>
>>Chain RH-Firewall-1-INPUT (2 references)
>>target     prot opt source               destination
>>ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:5900:6099
>>ACCEPT     all  --  anywhere             anywhere
>>ACCEPT     icmp --  anywhere             anywhere            icmp any
>>ACCEPT     esp  --  anywhere             anywhere
>>ACCEPT     ah   --  anywhere             anywhere
>>ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
>>ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
>>ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
>>ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
>>ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>>ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ha-cluster
>>ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
>>ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
>>ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
>>REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>>
>>Output of ip route on ssvm:
>>
>>204.13.152.2 via 46.136.128.1 dev eth1
>>10.2.0.0/24 dev eth3  proto kernel  scope link  src 10.2.0.189
>>123.123.123.0/24 dev eth1  proto kernel  scope link  src 123.123.123.9
>>111.111.111.0/24 dev eth2  proto kernel  scope link  src 111.111.111.18
>>169.254.0.0/16 dev eth0  proto kernel  scope link  src 169.254.2.83
>>default via 46.136.132.1 dev eth2
>>
>>On Wed, Jun 13, 2012 at 12:42 AM, Frank Zhang
>><Fr...@citrix.com>wrote:
>>
>>>
>>>
>>> > Hi
>>> >
>>> > We have following setup
>>> >
>>> > management network(public IP range, 123.123.123.0/24) storage
>>> > network(private IP range 10.2.0.0/24) public network(public IP range
>>> > 111.111.111.0/24)
>>> >
>>> > 1 CP
>>> > 1 Nic on management network
>>> > 1 Nic on storage network
>>> >
>>> > 2*Host
>>> > 1 Nic on management network
>>> > 1 Nic on storage network
>>> > 1 Nic on public network
>>> >
>>> > 1 storage
>>> > 1 Nic on management network
>>> > 1 nic on storage network
>>> >
>>> > Management server has an NFS share which mounted on the storage
>>> > network as secondary storage.
>>> >
>>> > So two questions:
>>> >
>>> > 1. for the public network, there is no vlan setup, the IP is direct
>>> routed to
>>> > both host server(they are on access point), the question is, while I
>>> config the
>>> > public network and guest network, it always ask for vlan number,
>>>which we
>>> > don't have.
>>>
>>> When you create zone, the vlan of public network is optional you should
>>>be
>>> able to
>>> Safely ignore it. What's exact error you suffered?
>>>
>>> >
>>> > 2. We saw "no route to the host" error in all the template, ISOs, in
>>> which we
>>> > can not create any instance on.
>>> >
>>> > Please, if any one have good suggestion in this network setup, how
>>>can we
>>> > do it.
>>>
>>> Do this:
>>> 1. login your SSVM
>>>        1.a go to the host where the SSVM is running
>>>        1.b ssh -i /root/.ssh/id_rsa.cloud -p 30922 link_local_ip_address
>>>               The link local ip address can be grabbed from SSVM page on UI which starts with 169
>>>        1.c try to mount your secondary storage to somewhere in your SSVM
>>>        1.d if 1.c won't work, check if you can mount secondary storage on the host where SSVM running. If failed, then it's your network issue
>>>        1.e. if it works on your host, try to figure out any ip table rules in host blocking NFS traffic
>>>        1.h check routes of SSVM by 'ip route', the traffic to secondary storage should go thru storage network which is (private IP range 10.2.0.0/24) in your case
>>>
>>> >
>>> > --
>>> > --
>>> > Kind regards.
>>> > Lu
>>> >
>>>
>>
>>
>>
>>--
>>--
>>Kind regards.
>>Lu
>>
>



-- 
--
Kind regards.
Lu

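The `ip route` output quoted in this message can be checked mechanically for next hops the SSVM cannot ARP for. The following is an added example, not part of the original thread and not CloudStack code; the function names are hypothetical, and the route table is the one pasted above.

```python
import ipaddress
from collections import namedtuple

# `ip route` output from the SSVM, copied from the thread above.
SSVM_IP_ROUTE = """\
204.13.152.2 via 46.136.128.1 dev eth1
10.2.0.0/24 dev eth3  proto kernel  scope link  src 10.2.0.189
123.123.123.0/24 dev eth1  proto kernel  scope link  src 123.123.123.9
111.111.111.0/24 dev eth2  proto kernel  scope link  src 111.111.111.18
169.254.0.0/16 dev eth0  proto kernel  scope link  src 169.254.2.83
default via 46.136.132.1 dev eth2
"""

Route = namedtuple("Route", "dest via dev onlink")
Finding = namedtuple("Finding", "dest gateway dev connected")


def parse_routes(text):
    """Turn `ip route` lines into Route tuples (destination, gateway, device)."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        fields = {}
        # Attributes come as "key value" pairs after the destination.
        for key, value in zip(tokens[1:], tokens[2:]):
            if key in ("via", "dev"):
                fields.setdefault(key, value)
        routes.append(Route(tokens[0], fields.get("via"), fields.get("dev"),
                            "onlink" in tokens))
    return routes


def connected_networks(routes):
    """Map each device to the prefixes that are directly attached to it."""
    nets = {}
    for r in routes:
        if r.via is not None or r.dev is None:
            continue
        try:
            net = ipaddress.ip_network(r.dest, strict=False)
        except ValueError:
            continue  # "default", "unreachable", and similar keywords
        nets.setdefault(r.dev, []).append(net)
    return nets


def find_offlink_gateways(text):
    """Return routes whose gateway is not inside any prefix on its device.

    The kernel has to ARP for the gateway on that device. If no attached
    prefix covers it (and the route is not flagged `onlink`), the ARP
    never resolves and connections fail with "No route to host".
    """
    routes = parse_routes(text)
    nets = connected_networks(routes)
    findings = []
    for r in routes:
        if r.via is None or r.onlink:
            continue
        gateway = ipaddress.ip_address(r.via)
        local = nets.get(r.dev, [])
        if not any(gateway in net for net in local):
            findings.append(Finding(r.dest, r.via, r.dev,
                                    tuple(str(n) for n in local)))
    return findings


if __name__ == "__main__":
    for f in find_offlink_gateways(SSVM_IP_ROUTE):
        print(f"{f.dest}: gateway {f.gateway} is not on {f.dev} "
              f"(attached: {', '.join(f.connected) or 'none'})")
```

Both `via` routes in the pasted table are reported, including the default route through eth2.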

Re: Config public network without VLAN(error:no route to the host)

Posted by Lu Heng <h....@anytimechinese.com>.
Hi

I think the question come down to:

If we have advanced zone setup( in which we have different NIC for
each zone, storage, public etc), How can we config a public network
direct attached to the guest network(so the guest network don't have
private IP but direct public IP) without using VLAN.

Our vendor are not willing give us VLAN ID so that we can not really use it.

On Wed, Jun 13, 2012 at 7:09 PM, Frank Zhang <Fr...@citrix.com> wrote:
> I think we don't allow 0.0.0.0/32 anymore, I received a bug not allowing this in internal download site as it will change the default route
>
>> -----Original Message-----
>> From: Chiradeep Vittal
>> Sent: Tuesday, June 12, 2012 6:37 PM
>> To: cloudstack-dev@incubator.apache.org
>> Cc: cloudstack-dev@incubator.apache.org; Frank Zhang
>> Subject: Re: Config public network without VLAN(error:no route to the host)
>>
>> This is effect of the allowed internal sites configuration.  It is expected that
>> the management (eth1) ip is RFC 1918 (it is a waste of a perfectly usable ipv4).
>> Since end users can inject any URL for template download they can probe
>> the management network. This is why there is a firewall rule that prevents
>> http(s) downloads over eth1. If you know what you are doing the config flag
>> lets you override this behavior. You can put 0.0.0.0/32 there for example.
>>
>> All system vms have their publicly routable ip address on eth2 and the
>> default route is via eth2. Not sure how eth1 landed up as the default nic in
>> your case.
>>
>> --
>> Chiradeep
>>
>> On Jun 12, 2012, at 18:13, "Anthony Xu" <Xu...@citrix.com> wrote:
>>
>> >> 111.111.111.0/24 dev eth2  proto kernel  scope link  src
>> >> 111.111.111.18 default via 46.136.132.1 dev eth2
>> >
>> > Hi Heng,
>> >
>> > The public ip address for SSVM is 111.111.111.18, the default gateway
>> > is 46.136.132.1, Is 111.111.111.18 and 46.136.132.1 in the same broadcast
>> domain?
>> >
>> > If not, it won't work, because 111.111.111.18 cannot get mac of
>> 46.136.132.1, then it cannot reach 46.136.132.1, package cannot go out.
>> > Normally , in this case, the gateway presumably like 111.111.111.1.
>> >
>> >
>> > Regards,
>> > Anthony
>> >
>> >
>> >
>> >> -----Original Message-----
>> >> From: Lu Heng [mailto:h.lu@anytimechinese.com]
>> >> Sent: Tuesday, June 12, 2012 5:35 PM
>> >> To: Frank Zhang
>> >> Cc: cloudstack-dev@incubator.apache.org
>> >> Subject: Re: Config public network without VLAN(error:no route to the
>> >> host)
>> >>
>> >> Hi
>> >>
>> >> I think I know where is the problem ,seems the SSVM can not visit
>> >> outside network. it can ping the public IP address within the range,
>> >> but it can not access anything outside of the three network range
>> >> which is listed below as well as in the first Email.
>> >>
>> >> So the real question is, in this network setup, how can we config
>> >> cloudstack network?
>> >>
>> >> " Hi
>> >>
>> >> We have following setup
>> >>
>> >> management network(public IP range, 123.123.123.0/24) storage
>> >> network(private IP range 10.2.0.0/24) public network(public IP range
>> >> 111.111.111.0/24)
>> >>
>> >> 1 CP
>> >> 1 Nic on management network
>> >> 1 Nic on storage network
>> >>
>> >> 2*Host
>> >> 1 Nic on management network
>> >> 1 Nic on storage network
>> >> 1 Nic on public network
>> >>
>> >> 1 storage
>> >> 1 Nic on management network
>> >> 1 nic on storage network
>> >>
>> >> Management server has an NFS share which mounted on the storage
>> >> network as secondary storage.
>> >>
>> >> So two questions:
>> >>
>> >> 1. for the public network, there is no vlan setup, the IP is direct
>> >> routed to both host server(they are on access point), the question
>> >> is, while I config the public network and guest network, it always
>> >> ask for vlan number, which we don't have.
>> >>
>> >> 2. We saw "no route to the host" error in all the template, ISOs, in
>> >> which we can not create any instance on.
>> >>
>> >> Please, if any one have good suggestion in this network setup, how
>> >> can we do it."
>> >>
>> >> On Wed, Jun 13, 2012 at 2:31 AM, Lu Heng <h....@anytimechinese.com>
>> >> wrote:
>> >>
>> >>> Hi
>> >>>
>> >>> Thanks for reply. I just added an ISO with following URL
>> >>>
>> >>>
>> >>> http://mirror.stanford.edu/yum/pub/centos/6.2/isos/x86_64/CentOS-6.2-x86_64-LiveDVD.iso
>> >>>
>> >>> It still shows no route to host, and for the default template(centos
>> >> 5.6),
>> >>> I saw the download complete when I do the preparation for secondary
>> >> storage.
>> >>>
>> >>>
>> >>> On Wed, Jun 13, 2012 at 2:24 AM, Frank Zhang
>> >> <Fr...@citrix.com>wrote:
>> >>>
>> >>>> Sorry for misleading before. The "no route to host" means
>> >>>> CloudStack
>> >> fail
>> >>>> to download template to secondary storage because it cannot access
>> >> the URL
>> >>>> of template.
>> >>>>
>> >>>>
>> >>>>>> It does download successfully during the setup.
>> >>>> So you have seen it's state in Ready sometimes before? And then it
>> >>>> changed to "No route to host"?
>> >>>> Emm this sounds weird to me. once the template is downloaded to
>> >> secondary
>> >>>> storage successfully, its state changes to Ready permanently in
>> >> database.
>> >>>> Is the centos template you mentioned the builtin template
>> >> automatically
>> >>>> downloaded by CloudStack after SSVM is running?
>> >>>> Have you tried wget in SSVM?
>> >>>>
>> >>>>>> And I have pasted the traffic rule on last Email, the both port
>> >> are
>> >>>> open.
>> >>>>
>> >>>> And If I mount the secondary storage to the SSVM, and write on it,
>> >> there
>> >>>> is no error with "no route to host"
>> >>>> On Wed, Jun 13, 2012 at 2:13 AM, Frank Zhang
>> >>>> <Fr...@citrix.com>
>> >>>> wrote:
>> >>>>> Hi
>> >>>>>
>> >>>>> please refer to my reply
>> >>>>>
>> >>>>> "The first template(the centos template in which already
>> >> downloaded
>> >>>> during
>> >>>>> preparation) is not even working, it also shows "no route to the
>> >> host""
>> >>>> No that means it didn't download successfully.  Login SSVM, try
>> >>>> downloading the template you want by wget.
>> >>>> You should face the problem of "no route to host", as
>> >>>> aforementioned, there is some firewall rules blocking the traffic.
>> >>>> Given the default centos failed to download, I suspect your 443
>> >>>> port
>> >> or
>> >>>> 80 port to public network is blocked.
>> >>>>
>> >>>>>
>> >>>>> On Wed, Jun 13, 2012 at 1:57 AM, Chiradeep Vittal <
>> >>>>> Chiradeep.Vittal@citrix.com> wrote:
>> >>>>>
>> >>>>>> Because it results in the suppression of the initial ARP request
>> >> to
>> >>>>>> the gateway. This is how the Linux network stack reports an ARP
>> >> issue.
>> >>>>>>
>> >>>>>> --
>> >>>>>> Chiradeep
>> >>>>>>
>> >>>>>> On Jun 12, 2012, at 16:31, "David Nalley" <da...@gnsa.us> wrote:
>> >>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> On Jun 12, 2012, at 7:09 PM, Chiradeep Vittal <
>> >>>>>> Chiradeep.Vittal@citrix.com> wrote:
>> >>>>>>>
>> >>>>>>>> You might need to add the host ip of the web server where the
>> >>>>>>>> templates are hosted to "secstorage.allowed.internal.sites"
>> >> in the
>> >>>>>>>> global configuration.
>> >>>>>>>
>> >>>>>>> Why would lack of this result in no route to host. Firewall
>> >> issues
>> >>>>>>> would
>> >>>>>> die silently without that error. It isn't even trying.
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>>
>> >>>>>>>> On 6/12/12 3:50 PM, "Lu Heng" <h....@anytimechinese.com>
>> wrote:
>> >>>>>>>>
>> >>>>>>>>> Hi
>> >>>>>>>>>
>> >>>>>>>>> Thanks for reply
>> >>>>>>>>>
>> >>>>>>>>> First, the SSVM can mount the secondary storage, and the
>> >>>>>>>>> ssvm-check.sh is passed without error. the "no route to the host"
>> >>>>>>>>> problem still exists.
>> >>>>>>>>>
>> >>>>>>>>> second, what should we fill in the vlan in the public network
>> >>>>>>>>> setup while the IP is simply in the access port?
>> >>>>>>>>>
>> >>>>>>>>> and the iptable rule on the ssvm host:
>> >>>>>>>>> Chain INPUT (policy ACCEPT)
>> >>>>>>>>> target     prot opt source               destination
>> >>>>>>>>> ACCEPT     gre  --  anywhere             anywhere
>> >>>>>>>>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>> >>>>>>>>>
>> >>>>>>>>> Chain FORWARD (policy ACCEPT)
>> >>>>>>>>> target     prot opt source               destination
>> >>>>>>>>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>> >>>>>>>>>
>> >>>>>>>>> Chain OUTPUT (policy ACCEPT)
>> >>>>>>>>> target     prot opt source               destination
>> >>>>>>>>>
>> >>>>>>>>> Chain RH-Firewall-1-INPUT (2 references)
>> >>>>>>>>> target     prot opt source               destination
>> >>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:5900:6099
>> >>>>>>>>> ACCEPT     all  --  anywhere             anywhere
>> >>>>>>>>> ACCEPT     icmp --  anywhere             anywhere            icmp any
>> >>>>>>>>> ACCEPT     esp  --  anywhere             anywhere
>> >>>>>>>>> ACCEPT     ah   --  anywhere             anywhere
>> >>>>>>>>> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
>> >>>>>>>>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
>> >>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
>> >>>>>>>>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
>> >>>>>>>>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>> >>>>>>>>> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ha-cluster
>> >>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
>> >>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
>> >>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
>> >>>>>>>>> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>> >>>>>>>>>
>> >>>>>>>>> Output of ip route on ssvm:
>> >>>>>>>>>
>> >>>>>>>>> 204.13.152.2 via 46.136.128.1 dev eth1
>> >>>>>>>>> 10.2.0.0/24 dev eth3  proto kernel  scope link  src 10.2.0.189
>> >>>>>>>>> 123.123.123.0/24 dev eth1  proto kernel  scope link  src 123.123.123.9
>> >>>>>>>>> 111.111.111.0/24 dev eth2  proto kernel  scope link  src 111.111.111.18
>> >>>>>>>>> 169.254.0.0/16 dev eth0  proto kernel  scope link  src 169.254.2.83
>> >>>>>>>>> default via 46.136.132.1 dev eth2
>> >>>>>>>>>
>> >>>>>>>>> On Wed, Jun 13, 2012 at 12:42 AM, Frank Zhang
>> >>>>>>>>> <Fr...@citrix.com>wrote:
>> >>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>>> Hi
>> >>>>>>>>>>>
>> >>>>>>>>>>> We have following setup
>> >>>>>>>>>>>
>> >>>>>>>>>>> management network(public IP range, 123.123.123.0/24)
>> >> storage
>> >>>>>>>>>>> network(private IP range 10.2.0.0/24) public
>> >> network(public IP
>> >>>>>>>>>>> range
>> >>>>>>>>>>> 111.111.111.0/24)
>> >>>>>>>>>>>
>> >>>>>>>>>>> 1 CP
>> >>>>>>>>>>> 1 Nic on management network
>> >>>>>>>>>>> 1 Nic on storage network
>> >>>>>>>>>>>
>> >>>>>>>>>>> 2*Host
>> >>>>>>>>>>> 1 Nic on management network
>> >>>>>>>>>>> 1 Nic on storage network
>> >>>>>>>>>>> 1 Nic on public network
>> >>>>>>>>>>>
>> >>>>>>>>>>> 1 storage
>> >>>>>>>>>>> 1 Nic on management network
>> >>>>>>>>>>> 1 nic on storage network
>> >>>>>>>>>>>
>> >>>>>>>>>>> Management server has an NFS share which mounted on the
>> >>>>> storage
>> >>>>>>>>>>> network as secondary storage.
>> >>>>>>>>>>>
>> >>>>>>>>>>> So two questions:
>> >>>>>>>>>>>
>> >>>>>>>>>>> 1. for the public network, there is no vlan setup, the IP
>> >> is
>> >>>>>>>>>>> direct
>> >>>>>>>>>> routed to
>> >>>>>>>>>>> both host server(they are on access point), the question
>> >> is,
>> >>>>>>>>>>> while I
>> >>>>>>>>>> config the
>> >>>>>>>>>>> public network and guest network, it always ask for vlan
>> >> number,
>> >>>>>>>>>> which we
>> >>>>>>>>>>> don't have.
>> >>>>>>>>>>
>> >>>>>>>>>> When you create zone, the vlan of public network is
>> >> optional you
>> >>>>>> should
>> >>>>>>>>>> be
>> >>>>>>>>>> able to
>> >>>>>>>>>> Safely ignore it. What's exact error you suffered?
>> >>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>> 2. We saw "no route to the host" error in all the template,
>> >>>>>>>>>>> ISOs, in
>> >>>>>>>>>> which we
>> >>>>>>>>>>> can not create any instance on.
>> >>>>>>>>>>>
>> >>>>>>>>>>> Please, if any one have good suggestion in this network
>> >> setup,
>> >>>>>>>>>>> how
>> >>>>>>>>>> can we
>> >>>>>>>>>>> do it.
>> >>>>>>>>>>
>> >>>>>>>>>> Do this:
>> >>>>>>>>>> 1. login your SSVM
>> >>>>>>>>>>     1.a go to the host where the SSVM is running
>> >>>>>>>>>>     1.b ssh -i  /root/.ssh/ id_rsa.cloud  -p 30922
>> >>>>>>>>>> link_local_ip_address
>> >>>>>>>>>>            The link local ip address can be grabbed from
>> >> SSVM
>> >>>>>>>>>> page on UI which starts with 169
>> >>>>>>>>>>     1.c try to mount your secondary storage to somewhere
>> >> in your
>> >>>>> SSVM
>> >>>>>>>>>>     1.d if 1.c won't work, check if you can mount
>> >> secondary
>> >>>>>>>>>> storage on the host where SSVM running. If failed, then
>> >> it's your
>> >>>>>>>>>> network issue
>> >>>>>>>>>>     1.e. if it works on your host, try to figure out any
>> >> ip
>> >>>>>>>>>> table rules in host blocking NFS traffic
>> >>>>>>>>>>     1.h check routes of SSVM by 'ip route', the traffic to
>> >>>>>>>>>> secondary storage should go thru storage network which is
>> >>>>>>>>>> (private IP range
>> >>>>>>>>>> 10.2.0.0/24) in you case
>> >>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>> --
>> >>>>>>>>>>> --
>> >>>>>>>>>>> Kind regards.
>> >>>>>>>>>>> Lu
>> >>>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>> --
>> >>>>>>>>> --
>> >>>>>>>>> Kind regards.
>> >>>>>>>>> Lu
>> >>>>>>>>>
>> >>>>>>>>
>> >>>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> --
>> >>>>> --
>> >>>>> Kind regards.
>> >>>>> Lu
>> >>>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> --
>> >>>> --
>> >>>> Kind regards.
>> >>>> Lu
>> >>>>
>> >>>>
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>> --
>> >>> Kind regards.
>> >>> Lu
>> >>>
>> >>>
>> >>
>> >>
>> >>
>> >> --
>> >> --
>> >> Kind regards.
>> >> Lu
>> >>



-- 
--
Kind regards.
Lu

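The policy Chiradeep describes in the quoted text above (user-supplied template URLs must not reach the management network unless the destination is listed in "secstorage.allowed.internal.sites") can also be expressed as a check on the URL before any download starts. This is an added example, not part of the thread and not CloudStack's implementation, which per the thread uses a firewall rule on eth1; the function names, the `.example` hostnames and the constructed DNS table are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Networks named in the thread: management, storage, link-local control.
PROTECTED_NETS = [ipaddress.ip_network(n) for n in
                  ("123.123.123.0/24", "10.2.0.0/24", "169.254.0.0/16")]

# Constructed name-to-address table so the example runs offline.
CONSTRUCTED_DNS = {
    "mirror.example": ["203.0.113.10"],        # ordinary external mirror
    "templates.example": ["123.123.123.50"],   # internal site, allow-listed below
    "probe.example": ["123.123.123.9"],        # name pointing at a management IP
    "mixed.example": ["203.0.113.10", "10.2.0.189"],
}


def constructed_resolve(host):
    """Stand-in resolver backed by CONSTRUCTED_DNS."""
    if host not in CONSTRUCTED_DNS:
        raise OSError(f"unknown host {host}")
    return CONSTRUCTED_DNS[host]


def system_resolve(host):
    """Resolver used when no stand-in is supplied."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def parse_allowlist(entries):
    """Parse allowed-internal-sites style CIDRs.

    Frank Zhang's message says 0.0.0.0/32 is no longer accepted; as an
    assumption, this sketch refuses every entry anchored at 0.0.0.0.
    """
    nets = []
    for entry in entries:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if net.network_address.is_unspecified:
            raise ValueError(f"catch-all entry rejected: {entry}")
        nets.append(net)
    return nets


def check_template_url(url, allowed_internal, resolve=system_resolve):
    """Return (verdict, reason); verdict is deny, allow-internal or allow-public."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:
        return ("deny", f"malformed URL: {exc}")
    if parts.scheme not in ("http", "https"):
        return ("deny", "scheme is not http(s)")
    if not host:
        return ("deny", "no host in URL")
    try:
        addrs = [ipaddress.ip_address(host)]          # IP literal in the URL
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError) as exc:
            return ("deny", f"cannot resolve {host}: {exc}")
    if not addrs:
        return ("deny", f"{host} resolved to nothing")
    internal = False
    # Every resolved address must pass, so a name that mixes a public and a
    # protected address is refused as a whole.
    for ip in addrs:
        if any(ip in net for net in allowed_internal):
            internal = True
        elif ip.is_loopback or any(ip in net for net in PROTECTED_NETS):
            return ("deny", f"{ip} is on a protected network")
    if internal:
        return ("allow-internal", "destination is an allow-listed internal site")
    return ("allow-public", "destination is outside the protected networks")


if __name__ == "__main__":
    allowed = parse_allowlist(["123.123.123.50/32"])
    for u in ("http://mirror.example/centos.iso",
              "http://templates.example/tpl.vhd",
              "http://probe.example/",
              "http://123.123.123.9:8080/",
              "http://mixed.example/x.iso"):
        print(u, check_template_url(u, allowed, constructed_resolve))
```

The check has to run against the address the downloader actually connects to; resolving once here and again at download time would let the answer change in between.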

RE: Config public network without VLAN(error:no route to the host)

Posted by Frank Zhang <Fr...@citrix.com>.
I think we don't allow 0.0.0.0/32 anymore, I received a bug not allowing this in internal download site as it will change the default route

> -----Original Message-----
> From: Chiradeep Vittal
> Sent: Tuesday, June 12, 2012 6:37 PM
> To: cloudstack-dev@incubator.apache.org
> Cc: cloudstack-dev@incubator.apache.org; Frank Zhang
> Subject: Re: Config public network without VLAN(error:no route to the host)
>
> This is effect of the allowed internal sites configuration.  It is expected that
> the management (eth1) ip is RFC 1918 (it is a waste of a perfectly usable ipv4).
> Since end users can inject any URL for template download they can probe
> the management network. This is why there is a firewall rule that prevents
> http(s) downloads over eth1. If you know what you are doing the config flag
> lets you override this behavior. You can put 0.0.0.0/32 there for example.
>
> All system vms have their publicly routable ip address on eth2 and the
> default route is via eth2. Not sure how eth1 landed up as the default nic in
> your case.
>
> --
> Chiradeep
>
> On Jun 12, 2012, at 18:13, "Anthony Xu" <Xu...@citrix.com> wrote:
>
> >> 111.111.111.0/24 dev eth2  proto kernel  scope link  src
> >> 111.111.111.18 default via 46.136.132.1 dev eth2
> >
> > Hi Heng,
> >
> > The public ip address for SSVM is 111.111.111.18, the default gateway
> > is 46.136.132.1, Is 111.111.111.18 and 46.136.132.1 in the same broadcast
> domain?
> >
> > If not, it won't work, because 111.111.111.18 cannot get mac of
> 46.136.132.1, then it cannot reach 46.136.132.1, package cannot go out.
> > Normally , in this case, the gateway presumably like 111.111.111.1.
> >
> >
> > Regards,
> > Anthony
> >
> >
> >
> >> -----Original Message-----
> >> From: Lu Heng [mailto:h.lu@anytimechinese.com]
> >> Sent: Tuesday, June 12, 2012 5:35 PM
> >> To: Frank Zhang
> >> Cc: cloudstack-dev@incubator.apache.org
> >> Subject: Re: Config public network without VLAN(error:no route to the
> >> host)
> >>
> >> Hi
> >>
> >> I think I know where is the problem ,seems the SSVM can not visit
> >> outside network. it can ping the public IP address within the range,
> >> but it can not access anything outside of the three network range
> >> which is listed below as well as in the first Email.
> >>
> >> So the real question is, in this network setup, how can we config
> >> cloudstack network?
> >>
> >> " Hi
> >>
> >> We have following setup
> >>
> >> management network(public IP range, 123.123.123.0/24) storage
> >> network(private IP range 10.2.0.0/24) public network(public IP range
> >> 111.111.111.0/24)
> >>
> >> 1 CP
> >> 1 Nic on management network
> >> 1 Nic on storage network
> >>
> >> 2*Host
> >> 1 Nic on management network
> >> 1 Nic on storage network
> >> 1 Nic on public network
> >>
> >> 1 storage
> >> 1 Nic on management network
> >> 1 nic on storage network
> >>
> >> Management server has an NFS share which mounted on the storage
> >> network as secondary storage.
> >>
> >> So two questions:
> >>
> >> 1. for the public network, there is no vlan setup, the IP is direct
> >> routed to both host server(they are on access point), the question
> >> is, while I config the public network and guest network, it always
> >> ask for vlan number, which we don't have.
> >>
> >> 2. We saw "no route to the host" error in all the template, ISOs, in
> >> which we can not create any instance on.
> >>
> >> Please, if any one have good suggestion in this network setup, how
> >> can we do it."
> >>
> >> On Wed, Jun 13, 2012 at 2:31 AM, Lu Heng <h....@anytimechinese.com>
> >> wrote:
> >>
> >>> Hi
> >>>
> >>> Thanks for reply. I just added an ISO with following URL
> >>>
> >>>
> >>> http://mirror.stanford.edu/yum/pub/centos/6.2/isos/x86_64/CentOS-6.2-x86_64-LiveDVD.iso
> >>>
> >>> It still shows no route to host, and for the default template(centos
> >> 5.6),
> >>> I saw the download complete when I do the preparation for secondary
> >> storage.
> >>>
> >>>
> >>> On Wed, Jun 13, 2012 at 2:24 AM, Frank Zhang <Fr...@citrix.com> wrote:
> >>>
> >>>> Sorry for misleading before. The "no route to host" means CloudStack fail
> >>>> to download template to secondary storage because it cannot access the URL
> >>>> of template.
> >>>>
> >>>>
> >>>>>> It does download successfully during the setup.
> >>>> So you have seen its state in Ready sometimes before? And then it
> >>>> changed to "No route to host"?
> >>>> Emm this sounds weird to me. once the template is downloaded to secondary
> >>>> storage successfully, its state changes to Ready permanently in database.
> >>>> Is the centos template you mentioned the builtin template automatically
> >>>> downloaded by CloudStack after SSVM is running?
> >>>> Have you tried wget in SSVM?
> >>>>
> >>>>>> And I have pasted the traffic rule on last Email, the both port are open.
> >>>>
> >>>> And If I mount the secondary storage to the SSVM, and write on it, there
> >>>> is no error with "no route to host"
> >>>> On Wed, Jun 13, 2012 at 2:13 AM, Frank Zhang <Fr...@citrix.com> wrote:
> >>>>> Hi
> >>>>>
> >>>>> please refer to my reply
> >>>>>
> >>>>> "The first template(the centos template in which already downloaded during
> >>>>> preparation) is not even working, it also shows "no route to the host""
> >>>> No that means it didn't download successfully.  Login SSVM, try
> >>>> downloading the template you want by wget.
> >>>> You should face the problem of "no route to host", as aforementioned,
> >>>> there is some firewall rules blocking the traffic.
> >>>> Given the default centos failed to download, I suspect your 443 port or
> >>>> 80 port to public network is blocked.
> >>>>
> >>>>>
> >>>>> On Wed, Jun 13, 2012 at 1:57 AM, Chiradeep Vittal <Chiradeep.Vittal@citrix.com> wrote:
> >>>>>
> >>>>>> Because it results in the suppression of the initial ARP request to
> >>>>>> the gateway. This is how the Linux network stack reports an ARP issue.
> >>>>>>
> >>>>>> --
> >>>>>> Chiradeep
> >>>>>>
> >>>>>> On Jun 12, 2012, at 16:31, "David Nalley" <da...@gnsa.us> wrote:
> >>>>>>
> >>>>>>> On Jun 12, 2012, at 7:09 PM, Chiradeep Vittal <Chiradeep.Vittal@citrix.com> wrote:
> >>>>>>>
> >>>>>>>> You might need to add the host ip of the web server where the
> >>>>>>>> templates are hosted to "secstorage.allowed.internal.sites" in the
> >>>>>>>> global configuration.
> >>>>>>>
> >>>>>>> Why would lack of this result in no route to host. Firewall issues
> >>>>>>> would die silently without that error. It isn't even trying.
> >>>>>>>
> >>>>>>>>
> >>>>>>>> On 6/12/12 3:50 PM, "Lu Heng" <h....@anytimechinese.com> wrote:
> >>>>>>>>
> >>>>>>>>> Hi
> >>>>>>>>>
> >>>>>>>>> Thanks for reply
> >>>>>>>>>
> >>>>>>>>> First, the SSVM can mount the secondary storage, and the ssvm-check.sh is
> >>>>>>>>> passed without error. the "no route to the host" problem still exists.
> >>>>>>>>>
> >>>>>>>>> second, what should we fill in the vlan in the public network setup while
> >>>>>>>>> the IP is simply in the access port?
> >>>>>>>>>
> >>>>>>>>> and the iptable rule on the ssvm host:
> >>>>>>>>> Chain INPUT (policy ACCEPT)
> >>>>>>>>> target     prot opt source               destination
> >>>>>>>>> ACCEPT     gre  --  anywhere             anywhere
> >>>>>>>>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> >>>>>>>>>
> >>>>>>>>> Chain FORWARD (policy ACCEPT)
> >>>>>>>>> target     prot opt source               destination
> >>>>>>>>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> >>>>>>>>>
> >>>>>>>>> Chain OUTPUT (policy ACCEPT)
> >>>>>>>>> target     prot opt source               destination
> >>>>>>>>>
> >>>>>>>>> Chain RH-Firewall-1-INPUT (2 references)
> >>>>>>>>> target     prot opt source               destination
> >>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:5900:6099
> >>>>>>>>> ACCEPT     all  --  anywhere             anywhere
> >>>>>>>>> ACCEPT     icmp --  anywhere             anywhere            icmp any
> >>>>>>>>> ACCEPT     esp  --  anywhere             anywhere
> >>>>>>>>> ACCEPT     ah   --  anywhere             anywhere
> >>>>>>>>> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
> >>>>>>>>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
> >>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
> >>>>>>>>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
> >>>>>>>>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> >>>>>>>>> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ha-cluster
> >>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> >>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
> >>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
> >>>>>>>>> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
> >>>>>>>>>
> >>>>>>>>> Output of ip route on ssvm:
> >>>>>>>>>
> >>>>>>>>> 204.13.152.2 via 46.136.128.1 dev eth1
> >>>>>>>>> 10.2.0.0/24 dev eth3  proto kernel  scope link  src 10.2.0.189
> >>>>>>>>> 123.123.123.0/24 dev eth1  proto kernel  scope link  src 123.123.123.9
> >>>>>>>>> 111.111.111.0/24 dev eth2  proto kernel  scope link  src 111.111.111.18
> >>>>>>>>> 169.254.0.0/16 dev eth0  proto kernel  scope link  src 169.254.2.83
> >>>>>>>>> default via 46.136.132.1 dev eth2
> >>>>>>>>>
> >>>>>>>>> On Wed, Jun 13, 2012 at 12:42 AM, Frank Zhang <Fr...@citrix.com> wrote:
> >>>>>>>>>
> >>>>>>>>>>> Hi
> >>>>>>>>>>>
> >>>>>>>>>>> We have following setup
> >>>>>>>>>>>
> >>>>>>>>>>> management network(public IP range, 123.123.123.0/24)
> >>>>>>>>>>> storage network(private IP range 10.2.0.0/24)
> >>>>>>>>>>> public network(public IP range 111.111.111.0/24)
> >>>>>>>>>>>
> >>>>>>>>>>> 1 CP
> >>>>>>>>>>> 1 Nic on management network
> >>>>>>>>>>> 1 Nic on storage network
> >>>>>>>>>>>
> >>>>>>>>>>> 2*Host
> >>>>>>>>>>> 1 Nic on management network
> >>>>>>>>>>> 1 Nic on storage network
> >>>>>>>>>>> 1 Nic on public network
> >>>>>>>>>>>
> >>>>>>>>>>> 1 storage
> >>>>>>>>>>> 1 Nic on management network
> >>>>>>>>>>> 1 nic on storage network
> >>>>>>>>>>>
> >>>>>>>>>>> Management server has an NFS share which mounted on the storage
> >>>>>>>>>>> network as secondary storage.
> >>>>>>>>>>>
> >>>>>>>>>>> So two questions:
> >>>>>>>>>>>
> >>>>>>>>>>> 1. for the public network, there is no vlan setup, the IP is direct routed
> >>>>>>>>>>> to both host server(they are on access point), the question is, while I
> >>>>>>>>>>> config the public network and guest network, it always ask for vlan number,
> >>>>>>>>>>> which we don't have.
> >>>>>>>>>>
> >>>>>>>>>> When you create zone, the vlan of public network is optional you should be
> >>>>>>>>>> able to safely ignore it. What's exact error you suffered?
> >>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> 2. We saw "no route to the host" error in all the template, ISOs, in which
> >>>>>>>>>>> we can not create any instance on.
> >>>>>>>>>>>
> >>>>>>>>>>> Please, if any one have good suggestion in this network setup, how can we
> >>>>>>>>>>> do it.
> >>>>>>>>>>
> >>>>>>>>>> Do this:
> >>>>>>>>>> 1. login your SSVM
> >>>>>>>>>>     1.a go to the host where the SSVM is running
> >>>>>>>>>>     1.b ssh -i /root/.ssh/id_rsa.cloud -p 30922 link_local_ip_address
> >>>>>>>>>>         The link local ip address can be grabbed from SSVM page on UI which starts with 169
> >>>>>>>>>>     1.c try to mount your secondary storage to somewhere in your SSVM
> >>>>>>>>>>     1.d if 1.c won't work, check if you can mount secondary storage on the host where SSVM running. If failed, then it's your network issue
> >>>>>>>>>>     1.e. if it works on your host, try to figure out any ip table rules in host blocking NFS traffic
> >>>>>>>>>>     1.h check routes of SSVM by 'ip route', the traffic to secondary storage should go thru storage network which is (private IP range 10.2.0.0/24) in you case
> >>>>>>>>>>

Re: Config public network without VLAN(error:no route to the host)

Posted by Lu Heng <h....@anytimechinese.com>.
Hi

Thanks for reply.

I have eth2 with public network offering.

The systemvm can visit public network without problem.

But the problem is, how can I offer the same public network to the
guest VMs, because every time I create a guest VM, it automatically
gets an IP from the guest network, which is a private IP address.
How can I allow a guest VM to get a public IP address from eth2 directly,
just like the systemVM does?

P.S. Still, what does the VLAN number mean here? We don't have any VLAN
setup, and the public IP is directly routed to the access point.

On Wed, Jun 13, 2012 at 3:45 AM, Kelven Yang <ke...@citrix.com> wrote:
> If 0.0.0.0 is specified in the "allowed internal sites" configuration, the system will change the default gateway to eth1, as it seems that 0.0.0.0 is used as a catch-all clause.
>
> Explicitly specify a meaningful IP address of the "allowed internal sites" instead of 0.0.0.0.
>
> Kelven
>
>> -----Original Message-----
>> From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
>> Sent: Tuesday, June 12, 2012 6:37 PM
>> To: cloudstack-dev@incubator.apache.org
>> Cc: cloudstack-dev@incubator.apache.org; Frank Zhang
>> Subject: Re: Config public network without VLAN(error:no route to the
>> host)
>>
>> This is effect of the allowed internal sites configuration.  It is
>> expected that the management (eth1) ip is RFC 1918 (it is a waste of a
>> perfectly usable ipv4). Since end users can inject any URL for template
>> download they can probe the management network. This is why there is a
>> firewall rule that prevents http(s) downloads over eth1. If you know what
>> you are doing the config flag lets you override this behavior. You can
>> put 0.0.0.0/32 there for example.
>>
>> All system vms have their publicly routable ip address on eth2 and the
>> default route is via eth2. Not sure how eth1 landed up as the default nic
>> in your case.
>>
>> --
>> Chiradeep
>>
>> On Jun 12, 2012, at 18:13, "Anthony Xu" <Xu...@citrix.com> wrote:
>>
>> >> 111.111.111.0/24 dev eth2  proto kernel  scope link  src 111.111.111.18
>> >> default via 46.136.132.1 dev eth2
>> >
>> > Hi Heng,
>> >
>> > The public ip address for SSVM is 111.111.111.18, the default gateway is 46.136.132.1,
>> > Is 111.111.111.18 and 46.136.132.1 in the same broadcast domain?
>> >
>> > If not, it won't work, because 111.111.111.18 cannot get mac of 46.136.132.1, then it cannot reach 46.136.132.1, package cannot go out.
>> > Normally, in this case, the gateway presumably like 111.111.111.1.
>> >
>> >
>> > Regards,
>> > Anthony
>> >
>> >
>> >



-- 
--
Kind regards.
Lu


RE: Config public network without VLAN(error:no route to the host)

Posted by Kelven Yang <ke...@citrix.com>.
If 0.0.0.0 is specified in the "allowed internal sites" configuration, the system will change the default gateway to eth1, as it seems that 0.0.0.0 is used as a catch-all clause.

Explicitly specify a meaningful IP address for "allowed internal sites" instead of 0.0.0.0.

Kelven

> -----Original Message-----
> From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> Sent: Tuesday, June 12, 2012 6:37 PM
> To: cloudstack-dev@incubator.apache.org
> Cc: cloudstack-dev@incubator.apache.org; Frank Zhang
> Subject: Re: Config public network without VLAN(error:no route to the
> host)
>
> This is the effect of the allowed internal sites configuration.  It is
> expected that the management (eth1) IP is RFC 1918 (it is a waste of a
> perfectly usable IPv4). Since end users can inject any URL for template
> download, they can probe the management network. This is why there is a
> firewall rule that prevents http(s) downloads over eth1. If you know what
> you are doing, the config flag lets you override this behavior. You can
> put 0.0.0.0/32 there, for example.
>
> All system VMs have their publicly routable IP address on eth2 and the
> default route is via eth2. Not sure how eth1 landed up as the default NIC
> in your case.
>
> --
> Chiradeep
>
> On Jun 12, 2012, at 18:13, "Anthony Xu" <Xu...@citrix.com> wrote:
>
> >> 111.111.111.0/24 dev eth2  proto kernel  scope link  src 111.111.111.18
> >> default via 46.136.132.1 dev eth2
> >
> > Hi Heng,
> >
> > The public ip address for SSVM is 111.111.111.18, the default gateway is 46.136.132.1,
> > Is 111.111.111.18 and 46.136.132.1 in the same broadcast domain?
> >
> > If not, it won't work, because 111.111.111.18 cannot get mac of 46.136.132.1, then it cannot reach 46.136.132.1, package cannot go out.
> > Normally, in this case, the gateway presumably like 111.111.111.1.
> >
> >
> > Regards,
> > Anthony
> >
> >
> >
> >> -----Original Message-----
> >> From: Lu Heng [mailto:h.lu@anytimechinese.com]
> >> Sent: Tuesday, June 12, 2012 5:35 PM
> >> To: Frank Zhang
> >> Cc: cloudstack-dev@incubator.apache.org
> >> Subject: Re: Config public network without VLAN(error:no route to the
> >> host)
> >>
> >> Hi
> >>
> >> I think I know where is the problem ,seems the SSVM can not visit
> >> outside
> >> network. it can ping the public IP address within the range, but it
> can
> >> not
> >> access anything outside of the three network range which is listed
> >> below as
> >> well as in the first Email.
> >>
> >> So the real question is, in this network setup, how can we config
> >> cloudstack network?
> >>
> >> " Hi
> >>
> >> We have following setup
> >>
> >> management network(public IP range, 123.123.123.0/24)
> >> storage network(private IP range 10.2.0.0/24)
> >> public network(public IP range 111.111.111.0/24)
> >>
> >> 1 CP
> >> 1 Nic on management network
> >> 1 Nic on storage network
> >>
> >> 2*Host
> >> 1 Nic on management network
> >> 1 Nic on storage network
> >> 1 Nic on public network
> >>
> >> 1 storage
> >> 1 Nic on management network
> >> 1 nic on storage network
> >>
> >> Management server has an NFS share which mounted on the storage
> network
> >> as
> >> secondary storage.
> >>
> >> So two questions:
> >>
> >> 1. for the public network, there is no vlan setup, the IP is direct
> >> routed
> >> to both host server(they are on access point), the question is, while
> I
> >> config the public network and guest network, it always ask for vlan
> >> number,
> >> which we don't have.
> >>
> >> 2. We saw "no route to the host" error in all the template, ISOs, in
> >> which
> >> we can not create any instance on.
> >>
> >> Please, if any one have good suggestion in this network setup, how can
> >> we
> >> do it."
> >>
> >> On Wed, Jun 13, 2012 at 2:31 AM, Lu Heng <h....@anytimechinese.com>
> >> wrote:
> >>
> >>> Hi
> >>>
> >>> Thanks for reply. I just added an ISO with following URL
> >>>
> >>>
> >>> http://mirror.stanford.edu/yum/pub/centos/6.2/isos/x86_64/CentOS-6.2-
> >> x86_64-LiveDVD.iso
> >>>
> >>> It still shows no route to host, and for the default template(centos
> >> 5.6),
> >>> I saw the download complete when I do the preparation for secondary
> >> storage.
> >>>
> >>>
> >>> On Wed, Jun 13, 2012 at 2:24 AM, Frank Zhang
> >> <Fr...@citrix.com>wrote:
> >>>
> >>>> Sorry for misleading before. The "no route to host" means CloudStack
> >> fail
> >>>> to download template to secondary storage because it cannot access
> >> the URL
> >>>> of template.
> >>>>
> >>>>
> >>>>>> It does download successfully during the setup.
> >>>> So you have seen it's state in Ready sometimes before? And then it
> >>>> changed to "No route to host"?
> >>>> Emm this sounds weird to me. once the template is downloaded to
> >> secondary
> >>>> storage successfully, its state changes to Ready permanently in
> >> database.
> >>>> Is the centos template you mentioned the builtin template
> >> automatically
> >>>> downloaded by CloudStack after SSVM is running?
> >>>> Have you tried wget in SSVM?
> >>>>
> >>>>>> And I have pasted the traffic rule on last Email, the both port
> >> are
> >>>> open.
> >>>>
> >>>> And If I mount the secondary storage to the SSVM, and write on it,
> >> there
> >>>> is no error with "no route to host"
> >>>> On Wed, Jun 13, 2012 at 2:13 AM, Frank Zhang <Fr...@citrix.com>
> >>>> wrote:
> >>>>> Hi
> >>>>>
> >>>>> please refer to my reply
> >>>>>
> >>>>> "The first template(the centos template in which already
> >> downloaded
> >>>> during
> >>>>> preparation) is not even working, it also shows "no route to the
> >> host""
> >>>> No that means it didn't download successfully.  Login SSVM, try
> >>>> downloading the template you want by wget.
> >>>> You should face the problem of "no route to host", as aforementioned,
> >>>> there is some firewall rules blocking the traffic.
> >>>> Given the default centos failed to download, I suspect your 443 port
> >> or
> >>>> 80 port to public network is blocked.
> >>>>
> >>>>>
> >>>>> On Wed, Jun 13, 2012 at 1:57 AM, Chiradeep Vittal <
> >>>>> Chiradeep.Vittal@citrix.com> wrote:
> >>>>>
> >>>>>> Because it results in the suppression of the initial ARP request
> >> to
> >>>>>> the gateway. This is how the Linux network stack reports an ARP
> >> issue.
> >>>>>>
> >>>>>> --
> >>>>>> Chiradeep
> >>>>>>
> >>>>>> On Jun 12, 2012, at 16:31, "David Nalley" <da...@gnsa.us> wrote:
> >>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> On Jun 12, 2012, at 7:09 PM, Chiradeep Vittal <
> >>>>>> Chiradeep.Vittal@citrix.com> wrote:
> >>>>>>>
> >>>>>>>> You might need to add the host ip of the web server where the
> >>>>>>>> templates are hosted to "secstorage.allowed.internal.sites"
> >> in the
> >>>>>>>> global configuration.
> >>>>>>>
> >>>>>>> Why would lack of this result in no route to host. Firewall
> >> issues
> >>>>>>> would
> >>>>>> die silently without that error. It isn't even trying.
> >>>>>>>
> >>>>>>>
> >>>>>>>>
> >>>>>>>> On 6/12/12 3:50 PM, "Lu Heng" <h....@anytimechinese.com> wrote:
> >>>>>>>>
> >>>>>>>>> Hi
> >>>>>>>>>
> >>>>>>>>> Thanks for reply
> >>>>>>>>>
> >>>>>>>>> First, the SSVM can mount the secondary storage, and the
> >>>>>>>>> ssvm-check.sh is passed without error. the "no route to the
> >>>>>>>>> host" problem still exists.
> >>>>>>>>>
> >>>>>>>>> second, what should we fill in the vlan in the public network
> >>>>>>>>> setup while the IP is simply in the access port?
> >>>>>>>>>
> >>>>>>>>> and the iptable rule on the ssvm host:
> >>>>>>>>> Chain INPUT (policy ACCEPT)
> >>>>>>>>> target     prot opt source               destination
> >>>>>>>>> ACCEPT     gre  --  anywhere             anywhere
> >>>>>>>>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> >>>>>>>>>
> >>>>>>>>> Chain FORWARD (policy ACCEPT)
> >>>>>>>>> target     prot opt source               destination
> >>>>>>>>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> >>>>>>>>>
> >>>>>>>>> Chain OUTPUT (policy ACCEPT)
> >>>>>>>>> target     prot opt source               destination
> >>>>>>>>>
> >>>>>>>>> Chain RH-Firewall-1-INPUT (2 references)
> >>>>>>>>> target     prot opt source               destination
> >>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:5900:6099
> >>>>>>>>> ACCEPT     all  --  anywhere             anywhere
> >>>>>>>>> ACCEPT     icmp --  anywhere             anywhere            icmp any
> >>>>>>>>> ACCEPT     esp  --  anywhere             anywhere
> >>>>>>>>> ACCEPT     ah   --  anywhere             anywhere
> >>>>>>>>> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
> >>>>>>>>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
> >>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
> >>>>>>>>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
> >>>>>>>>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> >>>>>>>>> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ha-cluster
> >>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> >>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
> >>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
> >>>>>>>>> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
> >>>>>>>>>
> >>>>>>>>> Output of ip route on ssvm:
> >>>>>>>>>
> >>>>>>>>> 204.13.152.2 via 46.136.128.1 dev eth1
> >>>>>>>>> 10.2.0.0/24 dev eth3  proto kernel  scope link  src 10.2.0.189
> >>>>>>>>> 123.123.123.0/24 dev eth1  proto kernel  scope link  src 123.123.123.9
> >>>>>>>>> 111.111.111.0/24 dev eth2  proto kernel  scope link  src 111.111.111.18
> >>>>>>>>> 169.254.0.0/16 dev eth0  proto kernel  scope link  src 169.254.2.83
> >>>>>>>>> default via 46.136.132.1 dev eth2
> >>>>>>>>>
> >>>>>>>>> On Wed, Jun 13, 2012 at 12:42 AM, Frank Zhang
> >>>>>>>>> <Fr...@citrix.com>wrote:
> >>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>> Hi
> >>>>>>>>>>>
> >>>>>>>>>>> We have following setup
> >>>>>>>>>>>
> >>>>>>>>>>> management network(public IP range, 123.123.123.0/24)
> >> storage
> >>>>>>>>>>> network(private IP range 10.2.0.0/24) public
> >> network(public IP
> >>>>>>>>>>> range
> >>>>>>>>>>> 111.111.111.0/24)
> >>>>>>>>>>>
> >>>>>>>>>>> 1 CP
> >>>>>>>>>>> 1 Nic on management network
> >>>>>>>>>>> 1 Nic on storage network
> >>>>>>>>>>>
> >>>>>>>>>>> 2*Host
> >>>>>>>>>>> 1 Nic on management network
> >>>>>>>>>>> 1 Nic on storage network
> >>>>>>>>>>> 1 Nic on public network
> >>>>>>>>>>>
> >>>>>>>>>>> 1 storage
> >>>>>>>>>>> 1 Nic on management network
> >>>>>>>>>>> 1 nic on storage network
> >>>>>>>>>>>
> >>>>>>>>>>> Management server has an NFS share which mounted on the
> >>>>> storage
> >>>>>>>>>>> network as secondary storage.
> >>>>>>>>>>>
> >>>>>>>>>>> So two questions:
> >>>>>>>>>>>
> >>>>>>>>>>> 1. for the public network, there is no vlan setup, the IP
> >> is
> >>>>>>>>>>> direct
> >>>>>>>>>> routed to
> >>>>>>>>>>> both host server(they are on access point), the question
> >> is,
> >>>>>>>>>>> while I
> >>>>>>>>>> config the
> >>>>>>>>>>> public network and guest network, it always ask for vlan
> >> number,
> >>>>>>>>>> which we
> >>>>>>>>>>> don't have.
> >>>>>>>>>>
> >>>>>>>>>> When you create zone, the vlan of public network is
> >> optional you
> >>>>>> should
> >>>>>>>>>> be
> >>>>>>>>>> able to
> >>>>>>>>>> Safely ignore it. What's exact error you suffered?
> >>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> 2. We saw "no route to the host" error in all the template,
> >>>>>>>>>>> ISOs, in
> >>>>>>>>>> which we
> >>>>>>>>>>> can not create any instance on.
> >>>>>>>>>>>
> >>>>>>>>>>> Please, if any one have good suggestion in this network
> >> setup,
> >>>>>>>>>>> how
> >>>>>>>>>> can we
> >>>>>>>>>>> do it.
> >>>>>>>>>>
> >>>>>>>>>> Do this:
> >>>>>>>>>> 1. login your SSVM
> >>>>>>>>>>     1.a go to the host where the SSVM is running
> >>>>>>>>>>     1.b ssh -i /root/.ssh/id_rsa.cloud -p 30922 link_local_ip_address
> >>>>>>>>>>            The link local ip address can be grabbed from SSVM
> >>>>>>>>>>            page on UI which starts with 169
> >>>>>>>>>>     1.c try to mount your secondary storage to somewhere in your SSVM
> >>>>>>>>>>     1.d if 1.c won't work, check if you can mount secondary
> >>>>>>>>>>         storage on the host where SSVM running. If failed, then
> >>>>>>>>>>         it's your network issue
> >>>>>>>>>>     1.e. if it works on your host, try to figure out any ip
> >>>>>>>>>>         table rules in host blocking NFS traffic
> >>>>>>>>>>     1.h check routes of SSVM by 'ip route', the traffic to
> >>>>>>>>>>         secondary storage should go thru storage network which is
> >>>>>>>>>>         (private IP range 10.2.0.0/24) in your case
> >>>>>>>>>>
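
Chiradeep Vittal's quoted reply gives the reason downloads over eth1 are blocked: a user-supplied template URL can be pointed at the management network. The Python below is an added example, not CloudStack's implementation, of checking such a URL against the networks of this setup and an explicit allowlist. `parse_allowed_sites`, `check_template_url` and `INTERNAL_NETS` are hypothetical names, the comma-separated allowlist format is an assumption, and rejecting a bare 0.0.0.0 entry follows Kelven Yang's observation that it acts as a catch-all.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Networks from this thread that a tenant-supplied URL should not reach:
# management, storage and the system VM link-local range.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("123.123.123.0/24", "10.2.0.0/24", "169.254.0.0/16")]


def parse_allowed_sites(value):
    """Parse a comma-separated allowlist into (networks, warnings)."""
    nets, warnings = [], []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            warnings.append("ignored unparsable entry: " + entry)
            continue
        # A /0 prefix or a bare 0.0.0.0 would allow every internal address.
        if net.prefixlen == 0 or entry == "0.0.0.0":
            warnings.append("catch-all entry rejected: " + entry)
            continue
        nets.append(net)
    return nets, warnings


def _resolve(host):
    """Resolve a host name to a sorted list of address strings."""
    return sorted({info[4][0].split("%")[0]
                   for info in socket.getaddrinfo(host, None)})


def check_template_url(url, allowed_nets, resolve=_resolve):
    """Return (ok, reason) for a template or ISO download URL.

    Every address the host resolves to must pass. The downloader has to
    connect to the address validated here; a second DNS lookup at download
    time can return a different answer.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "only http(s) URLs with a host are accepted"
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]  # IP literal
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
        except (OSError, ValueError):
            return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    for ip in addrs:
        if ip.is_unspecified:
            return False, f"{ip} is not a valid download target"
        if any(ip in net for net in allowed_nets):
            continue  # explicitly allowed internal site
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or any(ip in net for net in INTERNAL_NETS)):
            return False, f"{ip} is internal and not in the allowlist"
    return True, "ok"


if __name__ == "__main__":
    nets, warnings = parse_allowed_sites("0.0.0.0, 10.2.0.50/32")
    print(warnings)
    for url in ("http://123.123.123.9/t.vhd", "http://10.2.0.50/t.vhd"):
        print(url, check_template_url(url, nets))
```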

Re: Config public network without VLAN(error:no route to the host)

Posted by Chiradeep Vittal <Ch...@citrix.com>.
This is the effect of the allowed internal sites configuration. It is expected that the management (eth1) IP is RFC 1918 (it is a waste of a perfectly usable IPv4). Since end users can inject any URL for template download, they can probe the management network. This is why there is a firewall rule that prevents http(s) downloads over eth1. If you know what you are doing, the config flag lets you override this behavior. You can put 0.0.0.0/32 there, for example.

All system VMs have their publicly routable IP address on eth2 and the default route is via eth2. Not sure how eth1 landed up as the default NIC in your case.

--
Chiradeep

On Jun 12, 2012, at 18:13, "Anthony Xu" <Xu...@citrix.com> wrote:

>> 111.111.111.0/24 dev eth2  proto kernel  scope link  src 111.111.111.18
>> default via 46.136.132.1 dev eth2
>
> Hi Heng,
>
> The public ip address for SSVM is 111.111.111.18, the default gateway is 46.136.132.1,
> Is 111.111.111.18 and 46.136.132.1 in the same broadcast domain?
>
> If not, it won't work, because 111.111.111.18 cannot get mac of 46.136.132.1, then it cannot reach 46.136.132.1, package cannot go out.
> Normally, in this case, the gateway presumably like 111.111.111.1.
>
>
> Regards,
> Anthony
>
>
>
>> -----Original Message-----
>> From: Lu Heng [mailto:h.lu@anytimechinese.com]
>> Sent: Tuesday, June 12, 2012 5:35 PM
>> To: Frank Zhang
>> Cc: cloudstack-dev@incubator.apache.org
>> Subject: Re: Config public network without VLAN(error:no route to the
>> host)
>>
>> Hi
>>
>> I think I know where is the problem ,seems the SSVM can not visit
>> outside
>> network. it can ping the public IP address within the range, but it can
>> not
>> access anything outside of the three network range which is listed
>> below as
>> well as in the first Email.
>>
>> So the real question is, in this network setup, how can we config
>> cloudstack network?
>>
>> " Hi
>>
>> We have following setup
>>
>> management network(public IP range, 123.123.123.0/24)
>> storage network(private IP range 10.2.0.0/24)
>> public network(public IP range 111.111.111.0/24)
>>
>> 1 CP
>> 1 Nic on management network
>> 1 Nic on storage network
>>
>> 2*Host
>> 1 Nic on management network
>> 1 Nic on storage network
>> 1 Nic on public network
>>
>> 1 storage
>> 1 Nic on management network
>> 1 nic on storage network
>>
>> Management server has an NFS share which mounted on the storage network
>> as
>> secondary storage.
>>
>> So two questions:
>>
>> 1. for the public network, there is no vlan setup, the IP is direct
>> routed
>> to both host server(they are on access point), the question is, while I
>> config the public network and guest network, it always ask for vlan
>> number,
>> which we don't have.
>>
>> 2. We saw "no route to the host" error in all the template, ISOs, in
>> which
>> we can not create any instance on.
>>
>> Please, if any one have good suggestion in this network setup, how can
>> we
>> do it."
>>
>> On Wed, Jun 13, 2012 at 2:31 AM, Lu Heng <h....@anytimechinese.com>
>> wrote:
>>
>>> Hi
>>>
>>> Thanks for reply. I just added an ISO with following URL
>>>
>>>
>>> http://mirror.stanford.edu/yum/pub/centos/6.2/isos/x86_64/CentOS-6.2-
>> x86_64-LiveDVD.iso
>>>
>>> It still shows no route to host, and for the default template(centos
>> 5.6),
>>> I saw the download complete when I do the preparation for secondary
>> storage.
>>>
>>>
>>> On Wed, Jun 13, 2012 at 2:24 AM, Frank Zhang
>> <Fr...@citrix.com>wrote:
>>>
>>>> Sorry for misleading before. The "no route to host" means CloudStack
>> fail
>>>> to download template to secondary storage because it cannot access
>> the URL
>>>> of template.
>>>>
>>>>
>>>>>> It does download successfully during the setup.
>>>> So you have seen it's state in Ready sometimes before? And then it
>>>> changed to "No route to host"?
>>>> Emm this sounds weird to me. once the template is downloaded to
>> secondary
>>>> storage successfully, its state changes to Ready permanently in
>> database.
>>>> Is the centos template you mentioned the builtin template
>> automatically
>>>> downloaded by CloudStack after SSVM is running?
>>>> Have you tried wget in SSVM?
>>>>
>>>>>> And I have pasted the traffic rule on last Email, the both port
>> are
>>>> open.
>>>>
>>>> And If I mount the secondary storage to the SSVM, and write on it,
>> there
>>>> is no error with "no route to host"
>>>> On Wed, Jun 13, 2012 at 2:13 AM, Frank Zhang <Fr...@citrix.com>
>>>> wrote:
>>>>> Hi
>>>>>
>>>>> please refer to my reply
>>>>>
>>>>> "The first template(the centos template in which already
>> downloaded
>>>> during
>>>>> preparation) is not even working, it also shows "no route to the
>> host""
>>>> No that means it didn't download successfully.  Login SSVM, try
>>>> downloading the template you want by wget.
>>>> You should face the problem of "no route to host", as aforementioned,
>>>> there is some firewall rules blocking the traffic.
>>>> Given the default centos failed to download, I suspect your 443 port
>> or
>>>> 80 port to public network is blocked.
>>>>
>>>>>
>>>>> On Wed, Jun 13, 2012 at 1:57 AM, Chiradeep Vittal <
>>>>> Chiradeep.Vittal@citrix.com> wrote:
>>>>>
>>>>>> Because it results in the suppression of the initial ARP request
>> to
>>>>>> the gateway. This is how the Linux network stack reports an ARP
>> issue.
>>>>>>
>>>>>> --
>>>>>> Chiradeep
>>>>>>
>>>>>> On Jun 12, 2012, at 16:31, "David Nalley" <da...@gnsa.us> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Jun 12, 2012, at 7:09 PM, Chiradeep Vittal <
>>>>>> Chiradeep.Vittal@citrix.com> wrote:
>>>>>>>
>>>>>>>> You might need to add the host ip of the web server where the
>>>>>>>> templates are hosted to "secstorage.allowed.internal.sites"
>> in the
>>>>>>>> global configuration.
>>>>>>>
>>>>>>> Why would lack of this result in no route to host. Firewall
>> issues
>>>>>>> would
>>>>>> die silently without that error. It isn't even trying.
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> On 6/12/12 3:50 PM, "Lu Heng" <h....@anytimechinese.com> wrote:
>>>>>>>>
>>>>>>>>> Hi
>>>>>>>>>
>>>>>>>>> Thanks for reply
>>>>>>>>>
>>>>>>>>> First, the SSVM can mount the secondary storage, and the
>>>>>>>>> ssvm-check.sh is passed without error. the "no route to the
>>>>>>>>> host" problem still exists.
>>>>>>>>>
>>>>>>>>> second, what should we fill in the vlan in the public network
>>>>>>>>> setup while the IP is simply in the access port?
>>>>>>>>>
>>>>>>>>> and the iptable rule on the ssvm host:
>>>>>>>>> Chain INPUT (policy ACCEPT)
>>>>>>>>> target     prot opt source               destination
>>>>>>>>> ACCEPT     gre  --  anywhere             anywhere
>>>>>>>>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>>>>>>>>>
>>>>>>>>> Chain FORWARD (policy ACCEPT)
>>>>>>>>> target     prot opt source               destination
>>>>>>>>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>>>>>>>>>
>>>>>>>>> Chain OUTPUT (policy ACCEPT)
>>>>>>>>> target     prot opt source               destination
>>>>>>>>>
>>>>>>>>> Chain RH-Firewall-1-INPUT (2 references)
>>>>>>>>> target     prot opt source               destination
>>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:5900:6099
>>>>>>>>> ACCEPT     all  --  anywhere             anywhere
>>>>>>>>> ACCEPT     icmp --  anywhere             anywhere            icmp any
>>>>>>>>> ACCEPT     esp  --  anywhere             anywhere
>>>>>>>>> ACCEPT     ah   --  anywhere             anywhere
>>>>>>>>> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
>>>>>>>>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
>>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
>>>>>>>>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
>>>>>>>>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>>>>>>>>> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ha-cluster
>>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
>>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
>>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
>>>>>>>>> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>>>>>>>>>
>>>>>>>>> Output of ip route on ssvm:
>>>>>>>>>
>>>>>>>>> 204.13.152.2 via 46.136.128.1 dev eth1
>>>>>>>>> 10.2.0.0/24 dev eth3  proto kernel  scope link  src 10.2.0.189
>>>>>>>>> 123.123.123.0/24 dev eth1  proto kernel  scope link  src 123.123.123.9
>>>>>>>>> 111.111.111.0/24 dev eth2  proto kernel  scope link  src 111.111.111.18
>>>>>>>>> 169.254.0.0/16 dev eth0  proto kernel  scope link  src 169.254.2.83
>>>>>>>>> default via 46.136.132.1 dev eth2
>>>>>>>>>
>>>>>>>>> On Wed, Jun 13, 2012 at 12:42 AM, Frank Zhang
>>>>>>>>> <Fr...@citrix.com>wrote:
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> Hi
>>>>>>>>>>>
>>>>>>>>>>> We have following setup
>>>>>>>>>>>
>>>>>>>>>>> management network(public IP range, 123.123.123.0/24)
>> storage
>>>>>>>>>>> network(private IP range 10.2.0.0/24) public
>> network(public IP
>>>>>>>>>>> range
>>>>>>>>>>> 111.111.111.0/24)
>>>>>>>>>>>
>>>>>>>>>>> 1 CP
>>>>>>>>>>> 1 Nic on management network
>>>>>>>>>>> 1 Nic on storage network
>>>>>>>>>>>
>>>>>>>>>>> 2*Host
>>>>>>>>>>> 1 Nic on management network
>>>>>>>>>>> 1 Nic on storage network
>>>>>>>>>>> 1 Nic on public network
>>>>>>>>>>>
>>>>>>>>>>> 1 storage
>>>>>>>>>>> 1 Nic on management network
>>>>>>>>>>> 1 nic on storage network
>>>>>>>>>>>
>>>>>>>>>>> Management server has an NFS share which mounted on the
>>>>> storage
>>>>>>>>>>> network as secondary storage.
>>>>>>>>>>>
>>>>>>>>>>> So two questions:
>>>>>>>>>>>
>>>>>>>>>>> 1. for the public network, there is no vlan setup, the IP
>> is
>>>>>>>>>>> direct
>>>>>>>>>> routed to
>>>>>>>>>>> both host server(they are on access point), the question
>> is,
>>>>>>>>>>> while I
>>>>>>>>>> config the
>>>>>>>>>>> public network and guest network, it always ask for vlan
>> number,
>>>>>>>>>> which we
>>>>>>>>>>> don't have.
>>>>>>>>>>
>>>>>>>>>> When you create zone, the vlan of public network is
>> optional you
>>>>>> should
>>>>>>>>>> be
>>>>>>>>>> able to
>>>>>>>>>> Safely ignore it. What's exact error you suffered?
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 2. We saw "no route to the host" error in all the template,
>>>>>>>>>>> ISOs, in
>>>>>>>>>> which we
>>>>>>>>>>> can not create any instance on.
>>>>>>>>>>>
>>>>>>>>>>> Please, if any one have good suggestion in this network
>> setup,
>>>>>>>>>>> how
>>>>>>>>>> can we
>>>>>>>>>>> do it.
>>>>>>>>>>
>>>>>>>>>> Do this:
>>>>>>>>>> 1. login your SSVM
>>>>>>>>>>     1.a go to the host where the SSVM is running
>>>>>>>>>>     1.b ssh -i /root/.ssh/id_rsa.cloud -p 30922 link_local_ip_address
>>>>>>>>>>            The link local ip address can be grabbed from SSVM
>>>>>>>>>>            page on UI which starts with 169
>>>>>>>>>>     1.c try to mount your secondary storage to somewhere in your SSVM
>>>>>>>>>>     1.d if 1.c won't work, check if you can mount secondary
>>>>>>>>>>         storage on the host where SSVM running. If failed, then
>>>>>>>>>>         it's your network issue
>>>>>>>>>>     1.e. if it works on your host, try to figure out any ip
>>>>>>>>>>         table rules in host blocking NFS traffic
>>>>>>>>>>     1.h check routes of SSVM by 'ip route', the traffic to
>>>>>>>>>>         secondary storage should go thru storage network which is
>>>>>>>>>>         (private IP range 10.2.0.0/24) in your case
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> --
>>>>>>>>>>> Kind regards.
>>>>>>>>>>> Lu
>>>>>>>>>>>
>>>>>>>>>>> This transmission is intended solely for the addressee(s)
>> shown
>>>>>> above.
>>>>>>>>>>> It may contain information that is privileged,
>> confidential or
>>>>>>>>>> otherwise
>>>>>>>>>>> protected from disclosure. Any review, dissemination or
>> use of
>>>>>>>>>>> this transmission or its contents by persons other than
>> the
>>>>>>>>>>> intended
>>>>>>>>>> addressee(s)
>>>>>>>>>>> is strictly prohibited. If you have received this
>> transmission
>>>>>>>>>>> in
>>>>>>>>>> error,
>>>>>>>>>> please
>>>>>>>>>>> notify this office immediately and e-mail the original at
>> the
>>>>>> sender's
>>>>>>>>>> address
>>>>>>>>>>> above by replying to this message and including the text
>> of the
>>>>>>>>>> transmission
>>>>>>>>>>> received.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> --
>>>>>>>>> Kind regards.
>>>>>>>>> Lu
>>>>>>>>>
>>>>>>>>> This transmission is intended solely for the addressee(s)
>> shown
>>>> above.
>>>>>>>>> It may contain information that is privileged, confidential
>> or
>>>>>>>>> otherwise protected from disclosure. Any review,
>> dissemination or
>>>>>>>>> use of this transmission or its contents by persons other
>> than the
>>>>>>>>> intended addressee(s) is strictly prohibited. If you have
>> received
>>>>>>>>> this transmission in error, please notify this office
>> immediately
>>>>>>>>> and e-mail the original at the sender's address above by
>> replying
>>>>>>>>> to this message and including the text of the transmission
>>>> received.
>>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> --
>>>>> Kind regards.
>>>>> Lu
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> --
>>>> Kind regards.
>>>> Lu
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> --
>>> Kind regards.
>>> Lu
>>>
>>>
>>
>>
>>
>> --
>> --
>> Kind regards.
>> Lu
>>

RE: Config public network without VLAN(error:no route to the host)

Posted by Anthony Xu <Xu...@citrix.com>.
>111.111.111.0/24 dev eth2  proto kernel  scope link  src 111.111.111.18
>default via 46.136.132.1 dev eth2

Hi Heng,

The public IP address for the SSVM is 111.111.111.18, and the default gateway is 46.136.132.1.
Are 111.111.111.18 and 46.136.132.1 in the same broadcast domain?

If not, it won't work, because 111.111.111.18 cannot get the MAC of 46.136.132.1, so it cannot reach 46.136.132.1 and packets cannot go out.
Normally, in this case, the gateway would presumably be something like 111.111.111.1.


Regards,
Anthony



> -----Original Message-----
> From: Lu Heng [mailto:h.lu@anytimechinese.com]
> Sent: Tuesday, June 12, 2012 5:35 PM
> To: Frank Zhang
> Cc: cloudstack-dev@incubator.apache.org
> Subject: Re: Config public network without VLAN(error:no route to the
> host)
>
> Hi
>
> I think I know where is the problem ,seems the SSVM can not visit
> outside
> network. it can ping the public IP address within the range, but it can
> not
> access anything outside of the three network range which is listed
> below as
> well as in the first Email.
>
> So the real question is, in this network setup, how can we config
> cloudstack network?
>
> " Hi
>
> We have following setup
>
> management network(public IP range, 123.123.123.0/24)
> storage network(private IP range 10.2.0.0/24)
> public network(public IP range 111.111.111.0/24)
>
> 1 CP
> 1 Nic on management network
> 1 Nic on storage network
>
> 2*Host
> 1 Nic on management network
> 1 Nic on storage network
> 1 Nic on public network
>
> 1 storage
> 1 Nic on management network
> 1 nic on storage network
>
> Management server has an NFS share which mounted on the storage network
> as
> secondary storage.
>
> So two questions:
>
> 1. for the public network, there is no vlan setup, the IP is direct
> routed
> to both host server(they are on access point), the question is, while I
> config the public network and guest network, it always ask for vlan
> number,
> which we don't have.
>
> 2. We saw "no route to the host" error in all the template, ISOs, in
> which
> we can not create any instance on.
>
> Please, if any one have good suggestion in this network setup, how can
> we
> do it."
>
> On Wed, Jun 13, 2012 at 2:31 AM, Lu Heng <h....@anytimechinese.com>
> wrote:
>
> > Hi
> >
> > Thanks for reply. I just added an ISO with following URL
> >
> >
> > http://mirror.stanford.edu/yum/pub/centos/6.2/isos/x86_64/CentOS-6.2-x86_64-LiveDVD.iso
> >
> > It still shows no route to host, and for the default template(centos
> 5.6),
> > I saw the download complete when I do the preparation for secondary
> storage.
> >
> >
> > On Wed, Jun 13, 2012 at 2:24 AM, Frank Zhang
> <Fr...@citrix.com>wrote:
> >
> >> Sorry for misleading before. The "no route to host" means CloudStack
> fail
> >> to download template to secondary storage because it cannot access
> the URL
> >> of template.
> >>
> >>
> >> >>It does download successfully during the setup.
> >> So you have seen it's state in Ready sometimes before? And then it
> >> changed to "No route to host"?
> >> Emm this sounds weird to me. once the template is downloaded to
> secondary
> >> storage successfully, its state changes to Ready permanently in
> database.
> >> Is the centos template you mentioned the builtin template
> automatically
> >> downloaded by CloudStack after SSVM is running?
> >> Have you tried wget in SSVM?
> >>
> >> >>And I have pasted the traffic rule on last Email, the both port
> are
> >> open.
> >>
> >> And If I mount the secondary storage to the SSVM, and write on it,
> there
> >> is no error with "no route to host"
> >> On Wed, Jun 13, 2012 at 2:13 AM, Frank Zhang <Fr...@citrix.com>
> >> wrote:
> >> > Hi
> >> >
> >> > please refer to my reply
> >> >
> >> > "The first template(the centos template in which already
> downloaded
> >> during
> >> > preparation) is not even working, it also shows "no route to the
> host""
> >> No that means it didn't download successfully.  Login SSVM, try
> >> downloading the template you want by wget.
> >> You should face the problem of "no route to host", as aforementioned,
> >> there is some firewall rules blocking the traffic.
> >> Given the default centos failed to download, I suspect your 443 port
> or
> >> 80 port to public network is blocked.
> >>
> >> >
> >> > On Wed, Jun 13, 2012 at 1:57 AM, Chiradeep Vittal <
> >> > Chiradeep.Vittal@citrix.com> wrote:
> >> >
> >> > > Because it results in the suppression of the initial ARP request
> to
> >> > > the gateway. This is how the Linux network stack reports an ARP
> issue.
> >> > >
> >> > > --
> >> > > Chiradeep
> >> > >
> >> > > On Jun 12, 2012, at 16:31, "David Nalley" <da...@gnsa.us> wrote:
> >> > >
> >> > > >
> >> > > >
> >> > > >
> >> > > >
> >> > > > On Jun 12, 2012, at 7:09 PM, Chiradeep Vittal <
> >> > > Chiradeep.Vittal@citrix.com> wrote:
> >> > > >
> >> > > >> You might need to add the host ip of the web server where the
> >> > > >> templates are hosted to "secstorage.allowed.internal.sites"
> in the
> >> > > >> global configuration.
> >> > > >
> >> > > > Why would lack of this result in no route to host. Firewall
> issues
> >> > > > would
> >> > > die silently without that error. It isn't even trying.
> >> > > >
> >> > > >
> >> > > >>
> >> > > >> On 6/12/12 3:50 PM, "Lu Heng" <h....@anytimechinese.com> wrote:
> >> > > >>
> >> > > >>> Hi
> >> > > >>>
> >> > > >>> Thanks for reply
> >> > > >>>
> >> > > >>> First, the SSVM can mount the secondary storage, and the
> >> > > >>> ssvm-check.sh
> >> > > is
> >> > > >>> passed without error. the "no route to the host" problem
> still
> >> exsits.
> >> > > >>>
> >> > > >>> second, what should we fill in the vlan in the public
> network
> >> > > >>> setup
> >> > > while
> >> > > >>> the IP is simply in the access port?
> >> > > >>>
> >> > > >>> and the iptable rule on the ssvm host:
> >> > > >>> Chain INPUT (policy ACCEPT)
> >> > > >>> target     prot opt source               destination
> >> > > >>> ACCEPT     gre  --  anywhere             anywhere
> >> > > >>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> >> > > >>>
> >> > > >>> Chain FORWARD (policy ACCEPT)
> >> > > >>> target     prot opt source               destination
> >> > > >>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> >> > > >>>
> >> > > >>> Chain OUTPUT (policy ACCEPT)
> >> > > >>> target     prot opt source               destination
> >> > > >>>
> >> > > >>> Chain RH-Firewall-1-INPUT (2 references)
> >> > > >>> target     prot opt source               destination
> >> > > >>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:5900:6099
> >> > > >>> ACCEPT     all  --  anywhere             anywhere
> >> > > >>> ACCEPT     icmp --  anywhere             anywhere            icmp any
> >> > > >>> ACCEPT     esp  --  anywhere             anywhere
> >> > > >>> ACCEPT     ah   --  anywhere             anywhere
> >> > > >>> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
> >> > > >>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
> >> > > >>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
> >> > > >>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
> >> > > >>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> >> > > >>> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ha-cluster
> >> > > >>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> >> > > >>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
> >> > > >>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
> >> > > >>> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
> >> > > >>>
> >> > > >>> Output of ip route on ssvm:
> >> > > >>>
> >> > > >>> 204.13.152.2 via 46.136.128.1 dev eth1
> >> > > >>> 10.2.0.0/24 dev eth3  proto kernel  scope link  src 10.2.0.189
> >> > > >>> 123.123.123.0/24 dev eth1  proto kernel  scope link  src 123.123.123.9
> >> > > >>> 111.111.111.0/24 dev eth2  proto kernel  scope link  src 111.111.111.18
> >> > > >>> 169.254.0.0/16 dev eth0  proto kernel  scope link  src 169.254.2.83
> >> > > >>> default via 46.136.132.1 dev eth2
> >> > > >>>
> >> > > >>> On Wed, Jun 13, 2012 at 12:42 AM, Frank Zhang
> >> > > >>> <Fr...@citrix.com>wrote:
> >> > > >>>
> >> > > >>>>
> >> > > >>>>
> >> > > >>>>> Hi
> >> > > >>>>>
> >> > > >>>>> We have following setup
> >> > > >>>>>
> >> > > >>>>> management network(public IP range, 123.123.123.0/24)
> storage
> >> > > >>>>> network(private IP range 10.2.0.0/24) public
> network(public IP
> >> > > >>>>> range
> >> > > >>>>> 111.111.111.0/24)
> >> > > >>>>>
> >> > > >>>>> 1 CP
> >> > > >>>>> 1 Nic on management network
> >> > > >>>>> 1 Nic on storage network
> >> > > >>>>>
> >> > > >>>>> 2*Host
> >> > > >>>>> 1 Nic on management network
> >> > > >>>>> 1 Nic on storage network
> >> > > >>>>> 1 Nic on public network
> >> > > >>>>>
> >> > > >>>>> 1 storage
> >> > > >>>>> 1 Nic on management network
> >> > > >>>>> 1 nic on storage network
> >> > > >>>>>
> >> > > >>>>> Management server has an NFS share which mounted on the
> >> > storage
> >> > > >>>>> network as secondary storage.
> >> > > >>>>>
> >> > > >>>>> So two questions:
> >> > > >>>>>
> >> > > >>>>> 1. for the public network, there is no vlan setup, the IP
> is
> >> > > >>>>> direct
> >> > > >>>> routed to
> >> > > >>>>> both host server(they are on access point), the question
> is,
> >> > > >>>>> while I
> >> > > >>>> config the
> >> > > >>>>> public network and guest network, it always ask for vlan
> number,
> >> > > >>>> which we
> >> > > >>>>> don't have.
> >> > > >>>>
> >> > > >>>> When you create zone, the vlan of public network is
> optional you
> >> > > should
> >> > > >>>> be
> >> > > >>>> able to
> >> > > >>>> Safely ignore it. What's exact error you suffered?
> >> > > >>>>
> >> > > >>>>>
> >> > > >>>>> 2. We saw "no route to the host" error in all the template,
> >> > > >>>>> ISOs, in
> >> > > >>>> which we
> >> > > >>>>> can not create any instance on.
> >> > > >>>>>
> >> > > >>>>> Please, if any one have good suggestion in this network
> setup,
> >> > > >>>>> how
> >> > > >>>> can we
> >> > > >>>>> do it.
> >> > > >>>>
> >> > > >>>> Do this:
> >> > > >>>> 1. login your SSVM
> >> > > >>>>      1.a go to the host where the SSVM is running
> >> > > >>>>      1.b ssh -i /root/.ssh/id_rsa.cloud -p 30922 link_local_ip_address
> >> > > >>>>             The link local ip address can be grabbed from SSVM page on UI which starts with 169
> >> > > >>>>      1.c try to mount your secondary storage to somewhere in your SSVM
> >> > > >>>>      1.d if 1.c won't work, check if you can mount secondary storage on the host where SSVM running. If failed, then it's your network issue
> >> > > >>>>      1.e. if it works on your host, try to figure out any ip table rules in host blocking NFS traffic
> >> > > >>>>      1.h check routes of SSVM by 'ip route', the traffic to secondary storage should go thru storage network which is (private IP range 10.2.0.0/24) in your case
> >> > > >>>>
> >> > > >>>>>
> >> > > >>>>> --
> >> > > >>>>> --
> >> > > >>>>> Kind regards.
> >> > > >>>>> Lu
> >> > > >>>>>
> >> > > >>>>
> >> > > >>>
> >> > > >>>
> >> > > >>>
> >> > > >>> --
> >> > > >>> --
> >> > > >>> Kind regards.
> >> > > >>> Lu
> >> > > >>>
> >> > > >>
> >> > >
> >> >
> >> >
> >> >
> >> > --
> >> > --
> >> > Kind regards.
> >> > Lu
> >> >
> >>
> >>
> >>
> >>
> >> --
> >> --
> >> Kind regards.
> >> Lu
> >>
> >>
> >
> >
> >
> > --
> > --
> > Kind regards.
> > Lu
> >
> >
>
>
>
> --
> --
> Kind regards.
> Lu
>

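Anthony Xu's reply above asks whether the SSVM's public address 111.111.111.18 and its default gateway 46.136.132.1 share a broadcast domain. The check below is an added example, not part of the original thread or of CloudStack: it parses `ip route` output and reports every next hop that is not inside a directly connected prefix on its own interface. The function names are hypothetical, the sample is the route table posted in this thread with mail line-wrapping undone, and 111.111.111.1 in the second table is the "presumably" gateway from the reply, used here as an assumption.

```python
import ipaddress

# Route table as posted in this thread (line wraps undone, one route per line).
SSVM_ROUTES = """\
204.13.152.2 via 46.136.128.1 dev eth1
10.2.0.0/24 dev eth3  proto kernel  scope link  src 10.2.0.189
123.123.123.0/24 dev eth1  proto kernel  scope link  src 123.123.123.9
111.111.111.0/24 dev eth2  proto kernel  scope link  src 111.111.111.18
169.254.0.0/16 dev eth0  proto kernel  scope link  src 169.254.2.83
default via 46.136.132.1 dev eth2
"""

# Constructed variant: default gateway moved into the public subnet (assumed value).
FIXED_ROUTES = SSVM_ROUTES.replace("default via 46.136.132.1",
                                   "default via 111.111.111.1")

# Attributes that `ip route` prints as "key value"; anything else is a bare flag.
KEYED = {"via", "dev", "proto", "scope", "src", "metric"}


def parse_routes(text):
    """Parse IPv4 main-table `ip route` output into a list of dicts."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        route = {"dest": tokens[0], "flags": set()}
        i = 1
        while i < len(tokens):
            if tokens[i] in KEYED and i + 1 < len(tokens):
                route[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                route["flags"].add(tokens[i])  # e.g. onlink, linkdown
                i += 1
        routes.append(route)
    return routes


def offlink_gateways(text):
    """Return (dest, gateway, dev) for each route whose gateway cannot be ARPed.

    A gateway is resolvable by ARP only if it lies inside a prefix that is
    directly connected on the same interface. Routes carrying the `onlink`
    flag are skipped, because that flag tells the kernel to treat the next
    hop as directly reachable regardless of the interface's subnets.
    """
    routes = parse_routes(text)

    # Directly connected prefixes per interface: routes with a dev and no gateway.
    connected = {}
    for r in routes:
        if "via" not in r and "dev" in r and r["dest"] != "default":
            net = ipaddress.ip_network(r["dest"], strict=False)
            connected.setdefault(r["dev"], []).append(net)

    findings = []
    for r in routes:
        if "via" not in r or "onlink" in r["flags"]:
            continue
        gateway = ipaddress.ip_address(r["via"])
        nets = connected.get(r.get("dev"), [])
        if not any(gateway in net for net in nets):
            findings.append((r["dest"], r["via"], r.get("dev")))
    return findings


if __name__ == "__main__":
    for dest, gw, dev in offlink_gateways(SSVM_ROUTES):
        print(f"route {dest}: gateway {gw} is not on any subnet of {dev}")
```

On the posted table this reports the default route on eth2 and also the host route to 204.13.152.2 via 46.136.128.1 on eth1, assuming the addresses in the thread are the ones actually configured.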
Re: Config public network without VLAN(error:no route to the host)

Posted by Lu Heng <h....@anytimechinese.com>.
Hi

I think I know where the problem is: it seems the SSVM cannot visit the outside
network. It can ping the public IP addresses within the range, but it cannot
access anything outside of the three network ranges, which are listed below as
well as in the first email.

So the real question is, in this network setup, how can we configure the
CloudStack network?

" Hi

We have following setup

management network(public IP range, 123.123.123.0/24)
storage network(private IP range 10.2.0.0/24)
public network(public IP range 111.111.111.0/24)

1 CP
1 Nic on management network
1 Nic on storage network

2*Host
1 Nic on management network
1 Nic on storage network
1 Nic on public network

1 storage
1 Nic on management network
1 nic on storage network

Management server has an NFS share which mounted on the storage network as
secondary storage.

So two questions:

1. for the public network, there is no vlan setup, the IP is direct routed
to both host server(they are on access point), the question is, while I
config the public network and guest network, it always ask for vlan number,
which we don't have.

2. We saw "no route to the host" error in all the template, ISOs, in which
we can not create any instance on.

Please, if any one have good suggestion in this network setup, how can we
do it."

On Wed, Jun 13, 2012 at 2:31 AM, Lu Heng <h....@anytimechinese.com> wrote:

> Hi
>
> Thanks for reply. I just added an ISO with following URL
>
>
> http://mirror.stanford.edu/yum/pub/centos/6.2/isos/x86_64/CentOS-6.2-x86_64-LiveDVD.iso
>
> It still shows no route to host, and for the default template(centos 5.6),
> I saw the download complete when I do the preparation for secondary storage.
>
>
> On Wed, Jun 13, 2012 at 2:24 AM, Frank Zhang <Fr...@citrix.com>wrote:
>
>> Sorry for misleading before. The "no route to host" means CloudStack fail
>> to download template to secondary storage because it cannot access the URL
>> of template.
>>
>>
>> >>It does download successfully during the setup.
>> So you have seen it's state in Ready sometimes before? And then it
>> changed to "No route to host"?
>> Emm this sounds weird to me. once the template is downloaded to secondary
>> storage successfully, its state changes to Ready permanently in database.
>> Is the centos template you mentioned the builtin template automatically
>> downloaded by CloudStack after SSVM is running?
>> Have you tried wget in SSVM?
>>
>> >>And I have pasted the traffic rule on last Email, the both port are
>> open.
>>
>> And If I mount the secondary storage to the SSVM, and write on it, there
>> is no error with "no route to host"
>> On Wed, Jun 13, 2012 at 2:13 AM, Frank Zhang <Fr...@citrix.com>
>> wrote:
>> > Hi
>> >
>> > please refer to my reply
>> >
>> > "The first template(the centos template in which already downloaded
>> during
>> > preparation) is not even working, it also shows "no route to the host""
>> No that means it didn't download successfully.  Login SSVM, try
>> downloading the template you want by wget.
>> You should face the problem of "no route to host", as aforementioned,
>> there is some firewall rules blocking the traffic.
>> Given the default centos failed to download, I suspect your 443 port or
>> 80 port to public network is blocked.
>>
>> >
>> > On Wed, Jun 13, 2012 at 1:57 AM, Chiradeep Vittal <
>> > Chiradeep.Vittal@citrix.com> wrote:
>> >
>> > > Because it results in the suppression of the initial ARP request to
>> > > the gateway. This is how the Linux network stack reports an ARP issue.
>> > >
>> > > --
>> > > Chiradeep
>> > >
>> > > On Jun 12, 2012, at 16:31, "David Nalley" <da...@gnsa.us> wrote:
>> > >
>> > > >
>> > > >
>> > > >
>> > > >
>> > > > On Jun 12, 2012, at 7:09 PM, Chiradeep Vittal <
>> > > Chiradeep.Vittal@citrix.com> wrote:
>> > > >
>> > > >> You might need to add the host ip of the web server where the
>> > > >> templates are hosted to "secstorage.allowed.internal.sites" in the
>> > > >> global configuration.
>> > > >
>> > > > Why would lack of this result in no route to host. Firewall issues
>> > > > would
>> > > die silently without that error. It isn't even trying.
>> > > >
>> > > >
>> > > >>
>> > > >> On 6/12/12 3:50 PM, "Lu Heng" <h....@anytimechinese.com> wrote:
>> > > >>
>> > > >>> Hi
>> > > >>>
>> > > >>> Thanks for reply
>> > > >>>
>> > > >>> First, the SSVM can mount the secondary storage, and the
>> > > >>> ssvm-check.sh
>> > > is
>> > > >>> passed without error. the "no route to the host" problem still
>> exsits.
>> > > >>>
>> > > >>> second, what should we fill in the vlan in the public network
>> > > >>> setup
>> > > while
>> > > >>> the IP is simply in the access port?
>> > > >>>
>> > > >>> and the iptable rule on the ssvm host:
>> > > >>> Chain INPUT (policy ACCEPT)
>> > > >>> target     prot opt source               destination
>> > > >>> ACCEPT     gre  --  anywhere             anywhere
>> > > >>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>> > > >>>
>> > > >>> Chain FORWARD (policy ACCEPT)
>> > > >>> target     prot opt source               destination
>> > > >>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>> > > >>>
>> > > >>> Chain OUTPUT (policy ACCEPT)
>> > > >>> target     prot opt source               destination
>> > > >>>
>> > > >>> Chain RH-Firewall-1-INPUT (2 references)
>> > > >>> target     prot opt source               destination
>> > > >>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:5900:6099
>> > > >>> ACCEPT     all  --  anywhere             anywhere
>> > > >>> ACCEPT     icmp --  anywhere             anywhere            icmp any
>> > > >>> ACCEPT     esp  --  anywhere             anywhere
>> > > >>> ACCEPT     ah   --  anywhere             anywhere
>> > > >>> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
>> > > >>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
>> > > >>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
>> > > >>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
>> > > >>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>> > > >>> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ha-cluster
>> > > >>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
>> > > >>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
>> > > >>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
>> > > >>> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>> > > >>>
>> > > >>> Output of ip route on ssvm:
>> > > >>>
>> > > >>> 204.13.152.2 via 46.136.128.1 dev eth1
>> > > >>> 10.2.0.0/24 dev eth3  proto kernel  scope link  src 10.2.0.189
>> > > >>> 123.123.123.0/24 dev eth1  proto kernel  scope link  src 123.123.123.9
>> > > >>> 111.111.111.0/24 dev eth2  proto kernel  scope link  src 111.111.111.18
>> > > >>> 169.254.0.0/16 dev eth0  proto kernel  scope link  src 169.254.2.83
>> > > >>> default via 46.136.132.1 dev eth2
>> > > >>>
>> > > >>> On Wed, Jun 13, 2012 at 12:42 AM, Frank Zhang
>> > > >>> <Fr...@citrix.com>wrote:
>> > > >>>
>> > > >>>>
>> > > >>>>
>> > > >>>>> Hi
>> > > >>>>>
>> > > >>>>> We have following setup
>> > > >>>>>
>> > > >>>>> management network(public IP range, 123.123.123.0/24) storage
>> > > >>>>> network(private IP range 10.2.0.0/24) public network(public IP
>> > > >>>>> range
>> > > >>>>> 111.111.111.0/24)
>> > > >>>>>
>> > > >>>>> 1 CP
>> > > >>>>> 1 Nic on management network
>> > > >>>>> 1 Nic on storage network
>> > > >>>>>
>> > > >>>>> 2*Host
>> > > >>>>> 1 Nic on management network
>> > > >>>>> 1 Nic on storage network
>> > > >>>>> 1 Nic on public network
>> > > >>>>>
>> > > >>>>> 1 storage
>> > > >>>>> 1 Nic on management network
>> > > >>>>> 1 nic on storage network
>> > > >>>>>
>> > > >>>>> Management server has an NFS share which mounted on the
>> > storage
>> > > >>>>> network as secondary storage.
>> > > >>>>>
>> > > >>>>> So two questions:
>> > > >>>>>
>> > > >>>>> 1. for the public network, there is no vlan setup, the IP is
>> > > >>>>> direct
>> > > >>>> routed to
>> > > >>>>> both host server(they are on access point), the question is,
>> > > >>>>> while I
>> > > >>>> config the
>> > > >>>>> public network and guest network, it always ask for vlan number,
>> > > >>>> which we
>> > > >>>>> don't have.
>> > > >>>>
>> > > >>>> When you create zone, the vlan of public network is optional you
>> > > should
>> > > >>>> be
>> > > >>>> able to
>> > > >>>> Safely ignore it. What's exact error you suffered?
>> > > >>>>
>> > > >>>>>
>> > > >>>>> 2. We saw "no route to the host" error in all the template,
>> > > >>>>> ISOs, in
>> > > >>>> which we
>> > > >>>>> can not create any instance on.
>> > > >>>>>
>> > > >>>>> Please, if any one have good suggestion in this network setup,
>> > > >>>>> how
>> > > >>>> can we
>> > > >>>>> do it.
>> > > >>>>
>> > > >>>> Do this:
>> > > >>>> 1. login your SSVM
>> > > >>>>      1.a go to the host where the SSVM is running
>> > > >>>>      1.b ssh -i /root/.ssh/id_rsa.cloud -p 30922 link_local_ip_address
>> > > >>>>             The link local ip address can be grabbed from SSVM page on UI which starts with 169
>> > > >>>>      1.c try to mount your secondary storage to somewhere in your SSVM
>> > > >>>>      1.d if 1.c won't work, check if you can mount secondary storage on the host where SSVM running. If failed, then it's your network issue
>> > > >>>>      1.e. if it works on your host, try to figure out any ip table rules in host blocking NFS traffic
>> > > >>>>      1.h check routes of SSVM by 'ip route', the traffic to secondary storage should go thru storage network which is (private IP range 10.2.0.0/24) in your case
>> > > >>>>
>> > > >>>>>
>> > > >>>>> --
>> > > >>>>> --
>> > > >>>>> Kind regards.
>> > > >>>>> Lu
>> > > >>>>>
>> > > >>>>
>> > > >>>
>> > > >>>
>> > > >>>
>> > > >>> --
>> > > >>> --
>> > > >>> Kind regards.
>> > > >>> Lu
>> > > >>>
>> > > >>
>> > >
>> >
>> >
>> >
>> > --
>> > --
>> > Kind regards.
>> > Lu
>> >
>>
>>
>>
>>
>> --
>> --
>> Kind regards.
>> Lu
>>
>>
>
>
>
> --
> --
> Kind regards.
> Lu
>
>



-- 
--
Kind regards.
Lu


Re: Config public network without VLAN(error:no route to the host)

Posted by Lu Heng <h....@anytimechinese.com>.
Hi

Thanks for the reply. I just added an ISO with the following URL:

http://mirror.stanford.edu/yum/pub/centos/6.2/isos/x86_64/CentOS-6.2-x86_64-LiveDVD.iso

It still shows "no route to host", and for the default template (CentOS 5.6),
I saw the download complete when I did the preparation for secondary storage.

On Wed, Jun 13, 2012 at 2:24 AM, Frank Zhang <Fr...@citrix.com> wrote:

> Sorry for misleading before. The "no route to host" means CloudStack fail
> to download template to secondary storage because it cannot access the URL
> of template.
>
>
> >>It does download successfully during the setup.
> So you have seen it's state in Ready sometimes before? And then it changed
> to "No route to host"?
> Emm this sounds weird to me. once the template is downloaded to secondary
> storage successfully, its state changes to Ready permanently in database.
> Is the centos template you mentioned the builtin template automatically
> downloaded by CloudStack after SSVM is running?
> Have you tried wget in SSVM?
>
> >>And I have pasted the traffic rule on last Email, the both port are open.
>
> And If I mount the secondary storage to the SSVM, and write on it, there
> is no error with "no route to host"
> On Wed, Jun 13, 2012 at 2:13 AM, Frank Zhang <Fr...@citrix.com>
> wrote:
> > Hi
> >
> > please refer to my reply
> >
> > "The first template(the centos template in which already downloaded
> during
> > preparation) is not even working, it also shows "no route to the host""
> No that means it didn't download successfully.  Login SSVM, try
> downloading the template you want by wget.
> You should face the problem of "no route to host", as aforementioned,
> there is some firewall rules blocking the traffic.
> Given the default centos failed to download, I suspect your 443 port or 80
> port to public network is blocked.
>
> >
> > > On Wed, Jun 13, 2012 at 1:57 AM, Chiradeep Vittal <Chiradeep.Vittal@citrix.com> wrote:
> > >
> > > > Because it results in the suppression of the initial ARP request to
> > > > the gateway. This is how the Linux network stack reports an ARP issue.
> > > >
> > > > --
> > > > Chiradeep
> > > >
> > > > On Jun 12, 2012, at 16:31, "David Nalley" <da...@gnsa.us> wrote:
> > > >
> > > > > On Jun 12, 2012, at 7:09 PM, Chiradeep Vittal <Chiradeep.Vittal@citrix.com> wrote:
> > > > >
> > > > >> You might need to add the host ip of the web server where the
> > > > >> templates are hosted to "secstorage.allowed.internal.sites" in the
> > > > >> global configuration.
> > > > >
> > > > > Why would lack of this result in no route to host. Firewall issues
> > > > > would die silently without that error. It isn't even trying.
> > > > >
> > > > >>
> > > >> On 6/12/12 3:50 PM, "Lu Heng" <h....@anytimechinese.com> wrote:
> > > >>
> > > >>> Hi
> > > >>>
> > > >>> Thanks for reply
> > > >>>
> > > > >>> First, the SSVM can mount the secondary storage, and the
> > > > >>> ssvm-check.sh is passed without error. the "no route to the host"
> > > > >>> problem still exists.
> > > > >>>
> > > > >>> second, what should we fill in the vlan in the public network
> > > > >>> setup while the IP is simply in the access port?
> > > > >>>
> > > > >>> and the iptable rule on the ssvm host:
> > > > >>> Chain INPUT (policy ACCEPT)
> > > > >>> target     prot opt source               destination
> > > > >>> ACCEPT     gre  --  anywhere             anywhere
> > > > >>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> > > > >>>
> > > > >>> Chain FORWARD (policy ACCEPT)
> > > > >>> target     prot opt source               destination
> > > > >>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> > > > >>>
> > > > >>> Chain OUTPUT (policy ACCEPT)
> > > > >>> target     prot opt source               destination
> > > > >>>
> > > > >>> Chain RH-Firewall-1-INPUT (2 references)
> > > > >>> target     prot opt source               destination
> > > > >>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:5900:6099
> > > > >>> ACCEPT     all  --  anywhere             anywhere
> > > > >>> ACCEPT     icmp --  anywhere             anywhere            icmp any
> > > > >>> ACCEPT     esp  --  anywhere             anywhere
> > > > >>> ACCEPT     ah   --  anywhere             anywhere
> > > > >>> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
> > > > >>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
> > > > >>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
> > > > >>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
> > > > >>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> > > > >>> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ha-cluster
> > > > >>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> > > > >>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
> > > > >>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
> > > > >>> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
> > > > >>>
> > > > >>> Output of ip route on ssvm:
> > > > >>>
> > > > >>> 204.13.152.2 via 46.136.128.1 dev eth1
> > > > >>> 10.2.0.0/24 dev eth3  proto kernel  scope link  src 10.2.0.189
> > > > >>> 123.123.123.0/24 dev eth1  proto kernel  scope link  src 123.123.123.9
> > > > >>> 111.111.111.0/24 dev eth2  proto kernel  scope link  src 111.111.111.18
> > > > >>> 169.254.0.0/16 dev eth0  proto kernel  scope link  src 169.254.2.83
> > > > >>> default via 46.136.132.1 dev eth2
> > > >>> On Wed, Jun 13, 2012 at 12:42 AM, Frank Zhang
> > > >>> <Fr...@citrix.com>wrote:
> > > >>>
> > > >>>>
> > > >>>>
> > > >>>>> Hi
> > > >>>>>
> > > >>>>> We have following setup
> > > >>>>>
> > > > >>>>> management network(public IP range, 123.123.123.0/24)
> > > > >>>>> storage network(private IP range 10.2.0.0/24)
> > > > >>>>> public network(public IP range 111.111.111.0/24)
> > > > >>>>>
> > > > >>>>> 1 CP
> > > > >>>>> 1 Nic on management network
> > > > >>>>> 1 Nic on storage network
> > > > >>>>>
> > > > >>>>> 2*Host
> > > > >>>>> 1 Nic on management network
> > > > >>>>> 1 Nic on storage network
> > > > >>>>> 1 Nic on public network
> > > > >>>>>
> > > > >>>>> 1 storage
> > > > >>>>> 1 Nic on management network
> > > > >>>>> 1 nic on storage network
> > > > >>>>>
> > > > >>>>> Management server has an NFS share which mounted on the storage
> > > > >>>>> network as secondary storage.
> > > > >>>>>
> > > > >>>>> So two questions:
> > > > >>>>>
> > > > >>>>> 1. for the public network, there is no vlan setup, the IP is direct
> > > > >>>>> routed to both host server(they are on access point), the question
> > > > >>>>> is, while I config the public network and guest network, it always
> > > > >>>>> ask for vlan number, which we don't have.
> > > > >>>>
> > > > >>>> When you create zone, the vlan of public network is optional you
> > > > >>>> should be able to safely ignore it. What's exact error you suffered?
> > > > >>>>
> > > > >>>>>
> > > > >>>>> 2. We saw "no route to the host" error in all the template, ISOs,
> > > > >>>>> in which we can not create any instance on.
> > > > >>>>>
> > > > >>>>> Please, if any one have good suggestion in this network setup, how
> > > > >>>>> can we do it.
> > > > >>>>
> > > > >>>> Do this:
> > > > >>>> 1. login your SSVM
> > > > >>>>      1.a go to the host where the SSVM is running
> > > > >>>>      1.b ssh -i /root/.ssh/id_rsa.cloud -p 30922 link_local_ip_address
> > > > >>>>             The link local ip address can be grabbed from SSVM
> > > > >>>>             page on UI which starts with 169
> > > > >>>>      1.c try to mount your secondary storage to somewhere in your SSVM
> > > > >>>>      1.d if 1.c won't work, check if you can mount secondary
> > > > >>>>          storage on the host where SSVM running. If failed, then
> > > > >>>>          it's your network issue
> > > > >>>>      1.e. if it works on your host, try to figure out any ip
> > > > >>>>          table rules in host blocking NFS traffic
> > > > >>>>      1.h check routes of SSVM by 'ip route', the traffic to
> > > > >>>>          secondary storage should go thru storage network which is
> > > > >>>>          (private IP range 10.2.0.0/24) in your case
> > > >>>>
> > > >>>>>
> > > >>>>> --
> > > >>>>> --
> > > >>>>> Kind regards.
> > > >>>>> Lu
> > > >>>>>
> > > >>>>> This transmission is intended solely for the addressee(s) shown
> > > above.
> > > >>>>> It may contain information that is privileged, confidential or
> > > >>>> otherwise
> > > >>>>> protected from disclosure. Any review, dissemination or use of
> > > >>>>> this transmission or its contents by persons other than the
> > > >>>>> intended
> > > >>>> addressee(s)
> > > >>>>> is strictly prohibited. If you have received this transmission
> > > >>>>> in
> > > >>>> error,
> > > >>>> please
> > > >>>>> notify this office immediately and e-mail the original at the
> > > sender's
> > > >>>> address
> > > >>>>> above by replying to this message and including the text of the
> > > >>>> transmission
> > > >>>>> received.
> > > >>>>
> > > >>>
> > > >>>
> > > >>>
> > > >>> --
> > > >>> --
> > > >>> Kind regards.
> > > >>> Lu
> > > >>>
> > > >>> This transmission is intended solely for the addressee(s) shown
> above.
> > > >>> It may contain information that is privileged, confidential or
> > > >>> otherwise protected from disclosure. Any review, dissemination or
> > > >>> use of this transmission or its contents by persons other than the
> > > >>> intended addressee(s) is strictly prohibited. If you have received
> > > >>> this transmission in error, please notify this office immediately
> > > >>> and e-mail the original at the sender's address above by replying
> > > >>> to this message and including the text of the transmission
> received.
> > > >>
> > >
> >
> >
> >
> > --
> > --
> > Kind regards.
> > Lu
> >
> > This transmission is intended solely for the addressee(s) shown above.
> > It may contain information that is privileged, confidential or otherwise
> > protected from disclosure. Any review, dissemination or use of this
> > transmission or its contents by persons other than the intended
> addressee(s)
> > is strictly prohibited. If you have received this transmission in error,
> please
> > notify this office immediately and e-mail the original at the sender's
> address
> > above by replying to this message and including the text of the
> transmission
> > received.
>
>
>
>
> --
> --
> Kind regards.
> Lu
>
> This transmission is intended solely for the addressee(s) shown above.
> It may contain information that is privileged, confidential or
> otherwise protected from disclosure. Any review, dissemination or use
> of this transmission or its contents by persons other than the
> intended addressee(s) is strictly prohibited. If you have received
> this transmission in error, please notify this office immediately and
> e-mail the original at the sender's address above by replying to this
> message and including the text of the transmission received.
>



-- 
--
Kind regards.
Lu
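
Added example, not written by anyone in this thread: Linux returns "no route to host" when it cannot resolve the next hop's link-layer address, and one cause is a gateway that lies outside every subnet attached to the outgoing interface. The script below checks the `ip route` output quoted above for that condition and also does the route lookup from step 1.h. The addresses are the thread's own and look like placeholders, so read the flagged routes as illustration, not a diagnosis; 10.2.0.50 and 198.51.100.7 are constructed sample targets.

```python
import ipaddress

# `ip route` output from the SSVM as pasted in the thread, with the
# mail-wrapped lines rejoined. Addresses are the thread's own.
SAMPLE_IP_ROUTE = """\
204.13.152.2 via 46.136.128.1 dev eth1
10.2.0.0/24 dev eth3  proto kernel  scope link  src 10.2.0.189
123.123.123.0/24 dev eth1  proto kernel  scope link  src 123.123.123.9
111.111.111.0/24 dev eth2  proto kernel  scope link  src 111.111.111.18
169.254.0.0/16 dev eth0  proto kernel  scope link  src 169.254.2.83
default via 46.136.132.1 dev eth2
"""


def parse_routes(text):
    """Parse `ip route` lines into dicts: dest network, gateway, device."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # typed routes (blackhole, unreachable, ...) are skipped
        route = {"dest": net, "via": None, "dev": None, "onlink": "onlink" in tok}
        # Walk consecutive token pairs to pick up "via <gw>" and "dev <if>".
        for key, val in zip(tok[1:], tok[2:]):
            if key == "via":
                route["via"] = ipaddress.ip_address(val)
            elif key == "dev":
                route["dev"] = val
        routes.append(route)
    return routes


def route_for(routes, target):
    """Longest-prefix match, the way the kernel picks a route for `target`."""
    addr = ipaddress.ip_address(target)
    hits = [r for r in routes if addr in r["dest"]]
    return max(hits, key=lambda r: r["dest"].prefixlen) if hits else None


def off_link_gateways(routes):
    """Return (dest, gateway, dev) for gateways outside every subnet on dev.

    Such a gateway cannot be resolved by ARP on that interface, so traffic
    using the route fails with "no route to host". Routes carrying the
    `onlink` flag are exempt because the admin asserted reachability.
    """
    attached = {}
    for r in routes:
        if r["via"] is None and r["dev"]:
            attached.setdefault(r["dev"], []).append(r["dest"])
    findings = []
    for r in routes:
        if r["via"] is None or r["onlink"]:
            continue
        if not any(r["via"] in net for net in attached.get(r["dev"], [])):
            findings.append((str(r["dest"]), str(r["via"]), r["dev"]))
    return findings


if __name__ == "__main__":
    table = parse_routes(SAMPLE_IP_ROUTE)
    # Step 1.h: secondary storage traffic should leave via the storage NIC.
    nfs = route_for(table, "10.2.0.50")        # constructed NFS server address
    print("secondary storage ->", nfs["dev"])
    # Template downloads go out through whatever the default route says.
    web = route_for(table, "198.51.100.7")     # constructed template host
    print("template URL host ->", web["dev"], "via", web["via"])
    for dest, gw, dev in off_link_gateways(table):
        print(f"gateway {gw} for {dest} is not on any subnet attached to {dev}")
```

On a live SSVM, feed it the real output of `ip route` instead of the embedded sample.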


RE: Config public network without VLAN(error:no route to the host)

Posted by Frank Zhang <Fr...@citrix.com>.
Sorry for misleading you before. The "no route to host" means CloudStack fails to download the template to secondary storage because it cannot access the URL of the template.


>>It does download successfully during the setup.
So you have seen its state in Ready sometime before? And then it changed to "No route to host"?
Emm, this sounds weird to me. Once the template is downloaded to secondary storage successfully, its state changes to Ready permanently in the database.
Is the centos template you mentioned the builtin template automatically downloaded by CloudStack after the SSVM is running?
Have you tried wget in the SSVM?

>>And I have pasted the traffic rule on last Email, the both port are open.

>>And If I mount the secondary storage to the SSVM, and write on it, there is no error with "no route to host"
On Wed, Jun 13, 2012 at 2:13 AM, Frank Zhang <Fr...@citrix.com> wrote:
> Hi
>
> please refer to my reply
>
> "The first template(the centos template in which already downloaded during
> preparation) is not even working, it also shows "no route to the host""
No that means it didn't download successfully.  Login SSVM, try downloading the template you want by wget.
You should face the problem of "no route to host", as aforementioned, there is some firewall rules blocking the traffic.
Given the default centos failed to download, I suspect your 443 port or 80 port to public network is blocked.


Re: Config public network without VLAN(error:no route to the host)

Posted by Lu Heng <h....@anytimechinese.com>.
Hi

It does download successfully during the setup.

And I have pasted the traffic rule in the last email, both ports are open.

And if I mount the secondary storage to the SSVM and write on it, there is
no error with "no route to host".

On Wed, Jun 13, 2012 at 2:13 AM, Frank Zhang <Fr...@citrix.com> wrote:

> > Hi
> >
> > please refer to my reply
> >
> > "The first template(the centos template in which already downloaded
> > during preparation) is not even working, it also shows "no route to
> > the host""
>
> No that means it didn't download successfully.  Login SSVM, try
> downloading the template you want by wget.
> You should face the problem of "no route to host", as aforementioned,
> there is some firewall rules blocking the traffic.
> Given the default centos failed to download, I suspect your 443 port or 80
> port to public network is blocked.
>



-- 
--
Kind regards.
Lu


RE: Config public network without VLAN(error:no route to the host)

Posted by Frank Zhang <Fr...@citrix.com>.
> Hi
> 
> please refer to my reply
> 
> "The first template(the centos template in which already downloaded during
> preparation) is not even working, it also shows "no route to the host""

No, that means it didn't download successfully. Log in to the SSVM and try downloading the template you want by wget.
You should face the problem of "no route to host"; as aforementioned, there are some firewall rules blocking the traffic.
Given the default centos failed to download, I suspect your 443 port or 80 port to public network is blocked.


Re: Config public network without VLAN(error:no route to the host)

Posted by Lu Heng <h....@anytimechinese.com>.
Hi

please refer to my reply

"The first template(the centos template in which already downloaded
during preparation) is not even working, it also shows "no route to
the host""

On Wed, Jun 13, 2012 at 1:57 AM, Chiradeep Vittal <
Chiradeep.Vittal@citrix.com> wrote:

> Because it results in the suppression of the initial ARP request to the
> gateway. This is how the Linux network stack reports an ARP issue.
>
> --
> Chiradeep



-- 
--
Kind regards.
Lu


Re: Config public network without VLAN(error:no route to the host)

Posted by Chiradeep Vittal <Ch...@citrix.com>.
Because it results in the suppression of the initial ARP request to the gateway. This is how the Linux network stack reports an ARP issue. 

--
Chiradeep

On Jun 12, 2012, at 16:31, "David Nalley" <da...@gnsa.us> wrote:

> 
> 
> 
> 
> On Jun 12, 2012, at 7:09 PM, Chiradeep Vittal <Ch...@citrix.com> wrote:
> 
>> You might need to add the host ip of the web server where the templates
>> are hosted to
>> "secstorage.allowed.internal.sites" in the global configuration.
> 
> Why would lack of this result in no route to host? Firewall issues would die silently without that error. It isn't even trying.
>> 
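
Added example (not part of the thread and not CloudStack code): Chiradeep's point above about ARP to the gateway, together with Frank's step 1.h, applied to the `ip route` output Lu Heng posted from the SSVM. It performs the kernel's longest-prefix match offline and reports which device a destination leaves on and which address has to answer ARP there; the route table is used exactly as posted, while the destinations 10.2.0.10 and 198.51.100.7 are constructed.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# `ip route` output from the SSVM, copied as posted in the thread.
SSVM_ROUTES = """\
204.13.152.2 via 46.136.128.1 dev eth1
10.2.0.0/24 dev eth3  proto kernel  scope link  src 10.2.0.189
123.123.123.0/24 dev eth1  proto kernel  scope link  src 123.123.123.9
111.111.111.0/24 dev eth2  proto kernel  scope link  src 111.111.111.18
169.254.0.0/16 dev eth0  proto kernel  scope link  src 169.254.2.83
default via 46.136.132.1 dev eth2
"""


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[ipaddress.IPv4Address]  # None for a directly connected prefix
    onlink: bool                          # route carries the "onlink" flag


def _after(tokens: List[str], key: str) -> Optional[str]:
    """Return the token following `key`, or None if `key` is absent or last."""
    if key in tokens:
        i = tokens.index(key)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def parse_routes(text: str) -> List[Route]:
    """Parse unicast IPv4 lines of `ip route` output into Route tuples."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        dev = _after(tokens, "dev")
        if dev is None:
            continue  # blank line, or a route type without a device
        dest = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        via = _after(tokens, "via")
        try:
            prefix = ipaddress.ip_network(dest, strict=False)  # bare IP -> /32
            gateway = ipaddress.ip_address(via) if via else None
        except ValueError:
            continue  # not a prefix line this parser understands
        routes.append(Route(prefix, dev, gateway, "onlink" in tokens))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the way the kernel selects a route for `dst`."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def diagnose(routes: List[Route], dst: str) -> Optional[dict]:
    """Report the egress device for `dst` and the address that must answer ARP."""
    route = lookup(routes, dst)
    if route is None:
        # No matching route at all: connect() fails with "Network is
        # unreachable", which is a different error from "No route to host".
        return None
    # Directly connected: ARP for the destination. Routed: ARP for the gateway.
    arp_for = route.via if route.via is not None else ipaddress.ip_address(dst)
    # The next hop is on-link when a connected prefix on the same device
    # covers it, or when the route was installed with the "onlink" flag.
    on_link = route.via is None or route.onlink or any(
        r.via is None and r.dev == route.dev and route.via in r.prefix
        for r in routes
    )
    return {"dev": route.dev, "arp_for": str(arp_for), "next_hop_on_link": on_link}


if __name__ == "__main__":
    table = parse_routes(SSVM_ROUTES)
    # Constructed destinations: 10.2.0.10 stands in for the secondary storage
    # server on the storage network, 198.51.100.7 for an external template host.
    for dst in ("10.2.0.10", "198.51.100.7", "204.13.152.2"):
        print(dst, diagnose(table, dst))
```

A `next_hop_on_link` of False means no connected prefix on that device covers the gateway in the table as given, so that gateway is the first address to check with `arping` or `ip neigh` when ARP goes unanswered.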

Re: Config public network without VLAN(error:no route to the host)

Posted by David Nalley <da...@gnsa.us>.



On Jun 12, 2012, at 7:09 PM, Chiradeep Vittal <Ch...@citrix.com> wrote:

> You might need to add the host ip of the web server where the templates
> are hosted to
> "secstorage.allowed.internal.sites" in the global configuration.

Why would lack of this result in no route to host? Firewall issues would die silently without that error. It isn't even trying.



Re: Config public network without VLAN(error:no route to the host)

Posted by Chiradeep Vittal <Ch...@citrix.com>.
You might need to add the host IP of the web server where the templates are hosted to
"secstorage.allowed.internal.sites" in the global configuration.

On 6/12/12 3:50 PM, "Lu Heng" <h....@anytimechinese.com> wrote:

>Hi
>
>Thanks for reply
>
>First, the SSVM can mount the secondary storage, and the ssvm-check.sh is
>passed without error. The "no route to the host" problem still exists.
>
>Second, what should we fill in the VLAN in the public network setup while
>the IP is simply in the access port?
>
>And the iptables rules on the SSVM host:
>Chain INPUT (policy ACCEPT)
>target     prot opt source               destination
>ACCEPT     gre  --  anywhere             anywhere
>RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>
>Chain FORWARD (policy ACCEPT)
>target     prot opt source               destination
>RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>
>Chain OUTPUT (policy ACCEPT)
>target     prot opt source               destination
>
>Chain RH-Firewall-1-INPUT (2 references)
>target     prot opt source               destination
>ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:5900:6099
>ACCEPT     all  --  anywhere             anywhere
>ACCEPT     icmp --  anywhere             anywhere            icmp any
>ACCEPT     esp  --  anywhere             anywhere
>ACCEPT     ah   --  anywhere             anywhere
>ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
>ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
>ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
>ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
>ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ha-cluster
>ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
>ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
>ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
>REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>
>Output of ip route on ssvm:
>
>204.13.152.2 via 46.136.128.1 dev eth1
>10.2.0.0/24 dev eth3  proto kernel  scope link  src 10.2.0.189
>123.123.123.0/24 dev eth1  proto kernel  scope link  src 123.123.123.9
>111.111.111.0/24 dev eth2  proto kernel  scope link  src 111.111.111.18
>169.254.0.0/16 dev eth0  proto kernel  scope link  src 169.254.2.83
>default via 46.136.132.1 dev eth2
>
>On Wed, Jun 13, 2012 at 12:42 AM, Frank Zhang <Fr...@citrix.com> wrote:
>
>>
>>
>> > Hi
>> >
>> > We have following setup
>> >
>> > management network(public IP range, 123.123.123.0/24)
>> > storage network(private IP range 10.2.0.0/24)
>> > public network(public IP range 111.111.111.0/24)
>> >
>> > 1 CP
>> > 1 Nic on management network
>> > 1 Nic on storage network
>> >
>> > 2*Host
>> > 1 Nic on management network
>> > 1 Nic on storage network
>> > 1 Nic on public network
>> >
>> > 1 storage
>> > 1 Nic on management network
>> > 1 nic on storage network
>> >
>> > Management server has an NFS share which mounted on the storage
>> > network as secondary storage.
>> >
>> > So two questions:
>> >
>> > 1. for the public network, there is no vlan setup, the IP is direct routed to
>> > both host server(they are on access point), the question is, while I config the
>> > public network and guest network, it always ask for vlan number, which we
>> > don't have.
>>
>> When you create zone, the vlan of public network is optional; you should be able to safely ignore it. What's exact error you suffered?
>>
>> >
>> > 2. We saw "no route to the host" error in all the template, ISOs, in which we
>> > can not create any instance on.
>> >
>> > Please, if any one have good suggestion in this network setup, how can we
>> > do it.
>>
>> Do this:
>> 1. login your SSVM
>>        1.a go to the host where the SSVM is running
>>        1.b ssh -i /root/.ssh/id_rsa.cloud -p 30922 link_local_ip_address
>>               The link local ip address can be grabbed from SSVM page on UI which starts with 169
>>        1.c try to mount your secondary storage to somewhere in your SSVM
>>        1.d if 1.c won't work, check if you can mount secondary storage on the host where SSVM running. If failed, then it's your network issue
>>        1.e. if it works on your host, try to figure out any ip table rules in host blocking NFS traffic
>>        1.h check routes of SSVM by 'ip route', the traffic to secondary storage should go thru storage network which is (private IP range 10.2.0.0/24) in your case
>>


Re: Config public network without VLAN(error:no route to the host)

Posted by Lu Heng <h....@anytimechinese.com>.
Hi

Thanks for reply

First, the SSVM can mount the secondary storage, and the ssvm-check.sh is
passed without error. The "no route to the host" problem still exists.

Second, what should we fill in the VLAN in the public network setup while
the IP is simply in the access port?

And the iptables rules on the SSVM host:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     gre  --  anywhere             anywhere
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:5900:6099
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ha-cluster
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Output of ip route on ssvm:

204.13.152.2 via 46.136.128.1 dev eth1
10.2.0.0/24 dev eth3  proto kernel  scope link  src 10.2.0.189
123.123.123.0/24 dev eth1  proto kernel  scope link  src 123.123.123.9
111.111.111.0/24 dev eth2  proto kernel  scope link  src 111.111.111.18
169.254.0.0/16 dev eth0  proto kernel  scope link  src 169.254.2.83
default via 46.136.132.1 dev eth2

On Wed, Jun 13, 2012 at 12:42 AM, Frank Zhang <Fr...@citrix.com> wrote:

>
>
> > Hi
> >
> > We have following setup
> >
> > management network(public IP range, 123.123.123.0/24)
> > storage network(private IP range 10.2.0.0/24)
> > public network(public IP range 111.111.111.0/24)
> >
> > 1 CP
> > 1 Nic on management network
> > 1 Nic on storage network
> >
> > 2*Host
> > 1 Nic on management network
> > 1 Nic on storage network
> > 1 Nic on public network
> >
> > 1 storage
> > 1 Nic on management network
> > 1 nic on storage network
> >
> > Management server has an NFS share which mounted on the storage
> > network as secondary storage.
> >
> > So two questions:
> >
> > 1. for the public network, there is no vlan setup, the IP is direct routed to
> > both host server(they are on access point), the question is, while I config the
> > public network and guest network, it always ask for vlan number, which we
> > don't have.
>
> When you create zone, the vlan of public network is optional; you should be able to safely ignore it. What's exact error you suffered?
>
> >
> > 2. We saw "no route to the host" error in all the template, ISOs, in which we
> > can not create any instance on.
> >
> > Please, if any one have good suggestion in this network setup, how can we
> > do it.
>
> Do this:
> 1. login your SSVM
>        1.a go to the host where the SSVM is running
>        1.b ssh -i /root/.ssh/id_rsa.cloud -p 30922 link_local_ip_address
>               The link local ip address can be grabbed from SSVM page on UI which starts with 169
>        1.c try to mount your secondary storage to somewhere in your SSVM
>        1.d if 1.c won't work, check if you can mount secondary storage on the host where SSVM running. If failed, then it's your network issue
>        1.e. if it works on your host, try to figure out any ip table rules in host blocking NFS traffic
>        1.h check routes of SSVM by 'ip route', the traffic to secondary storage should go thru storage network which is (private IP range 10.2.0.0/24) in your case
>



-- 
--
Kind regards.
Lu
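
Added example (not part of the original thread, and not CloudStack code): a Python check for step 1.h, run over the `ip route` output posted in the message above. It reports which interface the SSVM would use to reach secondary storage and a template web server; the addresses 10.2.0.10 (NFS server) and 198.51.100.20 (template host) are assumed placeholders, since the thread gives neither.

```python
import ipaddress

# `ip route` output from the SSVM, copied from the message above.
SSVM_ROUTES = """\
204.13.152.2 via 46.136.128.1 dev eth1
10.2.0.0/24 dev eth3  proto kernel  scope link  src 10.2.0.189
123.123.123.0/24 dev eth1  proto kernel  scope link  src 123.123.123.9
111.111.111.0/24 dev eth2  proto kernel  scope link  src 111.111.111.18
169.254.0.0/16 dev eth0  proto kernel  scope link  src 169.254.2.83
default via 46.136.132.1 dev eth2
"""

def _field(tok, key):
    return tok[tok.index(key) + 1] if key in tok[:-1] else None

def parse_routes(text):
    """Turn `ip route` lines into (network, device, gateway) tuples."""
    routes = []
    for tok in filter(None, map(str.split, text.splitlines())):
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:  # e.g. "unreachable ..." or "blackhole ..." entries
            continue
        routes.append((net, _field(tok, "dev"), _field(tok, "via")))
    return routes

def best_route(routes, dest):
    """Longest-prefix match (metrics ignored); None if nothing matches."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def uses_storage_network(routes, nfs_ip, storage_cidr="10.2.0.0/24"):
    """True if nfs_ip is reached on-link over a route inside storage_cidr."""
    route = best_route(routes, nfs_ip)
    if route is None:
        return False
    net, _dev, via = route
    return via is None and net.subnet_of(ipaddress.ip_network(storage_cidr))

if __name__ == "__main__":
    table = parse_routes(SSVM_ROUTES)
    # Assumed addresses, not given in the thread: NFS server, template web server.
    for name, ip in (("secondary storage", "10.2.0.10"), ("template host", "198.51.100.20")):
        net, dev, via = best_route(table, ip)
        print(f"{name} {ip}: route {net}, dev {dev}, via {via or 'on-link'}")
    print("NFS over storage network:", uses_storage_network(table, "10.2.0.10"))
```

With this table the storage address resolves on-link through eth3, while any host without a more specific route, such as the assumed template server, leaves through the default route on eth2.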


RE: Config public network without VLAN(error:no route to the host)

Posted by Frank Zhang <Fr...@citrix.com>.

> Hi
> 
> We have following setup
> 
> management network(public IP range, 123.123.123.0/24)
> storage network(private IP range 10.2.0.0/24)
> public network(public IP range 111.111.111.0/24)
> 
> 1 CP
> 1 Nic on management network
> 1 Nic on storage network
> 
> 2*Host
> 1 Nic on management network
> 1 Nic on storage network
> 1 Nic on public network
> 
> 1 storage
> 1 Nic on management network
> 1 nic on storage network
> 
> Management server has an NFS share which mounted on the storage
> network as secondary storage.
> 
> So two questions:
> 
> 1. for the public network, there is no vlan setup, the IP is direct routed to
> both host server(they are on access point), the question is, while I config the
> public network and guest network, it always ask for vlan number, which we
> don't have.

When you create zone, the vlan of public network is optional; you should be able to
safely ignore it. What's exact error you suffered?

> 
> 2. We saw "no route to the host" error in all the template, ISOs, in which we
> can not create any instance on.
> 
> Please, if any one have good suggestion in this network setup, how can we
> do it.

Do this:
1. login your SSVM
	1.a go to the host where the SSVM is running
	1.b ssh -i /root/.ssh/id_rsa.cloud -p 30922 link_local_ip_address
	       The link local ip address can be grabbed from SSVM page on UI which starts with 169
	1.c try to mount your secondary storage to somewhere in your SSVM
	1.d if 1.c won't work, check if you can mount secondary storage on the host where SSVM running. If failed, then it's your network issue
	1.e. if it works on your host, try to figure out any ip table rules in host blocking NFS traffic
	1.h check routes of SSVM by 'ip route', the traffic to secondary storage should go thru storage network which is (private IP range 10.2.0.0/24) in your case
