Unable to Ping Network Gateway From VM With Security Group Enabled
Problem
- Pinging the network gateway from a VM fails when the VM has a security group attached:
$ ping <NETWORK_GATEWAY_IP>
- This behaviour is observed when the attached security group has no ingress rule defined.
Environment
- Private Cloud Director Virtualization - v2025.4 and Higher
- Self-Hosted Private Cloud Director Virtualization - v2025.4 and Higher
- Component - Networking
Cause
- When a security group is attached to the VM, it contains no inbound (ingress) rule that allows the incoming traffic.
Resolution
- To allow the incoming traffic for the Tenant Network Gateway IP, add an ingress rule to the Security Group.
- Steps to add an ingress rule to the security group:
- Identify the security group UUID.
- Run the command below to add an ingress rule that allows all incoming IPv4 traffic.
$ openstack security group rule create <SG_UUID> \
--protocol any \
--ethertype IPv4 \
--direction ingress \
--remote-ip 0.0.0.0/0
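The rule above admits every protocol from every source. As an added example (not part of this article), the POSIX sh script below checks whether a security group's existing rules already admit ICMP from the gateway, and if not prints the narrowest rule that fixes the ping: ICMP only, from the gateway address only. The input format, the sample rule lines and the 10.20.0.1 gateway address are assumptions constructed for the example; the column shape is what `openstack security group rule list <SG_UUID> -f value -c Direction -c "IP Protocol" -c Ethertype -c "IP Range"` produces.

```shell
#!/bin/sh
# Added example, not part of the KB article: check whether a security group's
# rules already admit ICMP from the gateway before (or after) adding the
# ingress rule from the Resolution section.
#
# Assumed input format, one rule per line:
#   "direction protocol ethertype remote_prefix"
# i.e. the shape produced by
#   openstack security group rule list <SG_UUID> -f value \
#       -c Direction -c "IP Protocol" -c Ethertype -c "IP Range"
# An unset protocol or prefix is printed as "None" by the CLI and means "any".

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer.
# Runs in a subshell so the IFS change does not leak out.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# cidr_contains CIDR IP -> succeeds when IP lies inside CIDR (a bare IP means /32).
cidr_contains() {
    cidr=$1; ip=$2
    case $cidr in
        */*) net=${cidr%/*}; bits=${cidr#*/} ;;
        *)   net=$cidr;      bits=32 ;;
    esac
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$ip") & mask )) ]
}

# ingress_allows_icmp_from RULES IP -> prints the first IPv4 ingress rule whose
# protocol is icmp/any and whose remote prefix covers IP, and succeeds; fails
# (status 1, no output) when no such rule exists.
ingress_allows_icmp_from() {
    rules=$1; src=$2
    while read -r dir proto ethertype prefix; do
        [ "$dir" = ingress ] && [ "$ethertype" = IPv4 ] || continue
        case $proto in icmp|any|None|'') ;; *) continue ;; esac
        case $prefix in None|'') prefix=0.0.0.0/0 ;; esac
        if cidr_contains "$prefix" "$src"; then
            echo "$dir $proto $ethertype $prefix"
            return 0
        fi
    done <<EOF
$rules
EOF
    return 1
}

# Constructed sample: the default egress rule plus an SSH-only ingress rule,
# i.e. a group that shows exactly the failure described in this article.
SAMPLE_RULES='egress None IPv4 None
ingress tcp IPv4 0.0.0.0/0'
GATEWAY_IP=10.20.0.1          # placeholder standing in for <NETWORK_GATEWAY_IP>

if rule=$(ingress_allows_icmp_from "$SAMPLE_RULES" "$GATEWAY_IP"); then
    echo "ICMP from $GATEWAY_IP already admitted by: $rule"
else
    echo "no ingress rule admits ICMP from $GATEWAY_IP; the narrowest fix is:"
    echo "  openstack security group rule create <SG_UUID> --protocol icmp \\"
    echo "      --ethertype IPv4 --direction ingress --remote-ip $GATEWAY_IP/32"
fi
```

Feed the function the real rule list from the CLI and the tenant gateway address; a match shows which rule is already doing the work, and a miss gives the scoped ICMP rule rather than the catch-all one, which is the better choice when the group is shared by other workloads.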
Additional Information
- No additional action needs to be performed on the virtual machine or security group.
- An ingress rule is required for the ping to succeed. Refer to this upstream documentation.
- To understand logical tracing of the OVN packet flow, refer to this upstream documentation.
- To run ovn-* commands on the hosts onboarded to PCD, execute the steps below.
- Create an environment file ovs-alias.rc as below:
# Host of the OVN southbound DB, taken from external_ids:ovn-remote (expects the form "tcp:<IP>:6642")
EXTERNAL_ID=$(sudo ovs-vsctl get open . external_ids:ovn-remote | awk -F: '{print $2}')
export NBDB=tcp:${EXTERNAL_ID}:6641
export SBDB=tcp:${EXTERNAL_ID}:6642
alias ovn-sbctl="ovn-sbctl --db=$SBDB"
alias ovn-nbctl="ovn-nbctl --db=$NBDB"
alias ovn-trace="ovn-trace --db=$SBDB"
- Source the rc file and start using the ovn commands:
$ source ovs-alias.rc
$ ovn-nbctl ls-list
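The rc file above splits ovn-remote on ":" and assumes it is exactly "tcp:<IP>:6642". As an added example (not the KB's own rc file), the POSIX sh script below derives the same NBDB/SBDB values while keeping the scheme (tcp or ssl), taking the first member of a clustered comma-separated list, and leaving bracketed IPv6 hosts intact. The ovn-remote values used are constructed for the example; on a PCD host the value comes from `sudo ovs-vsctl get open . external_ids:ovn-remote`.

```shell
#!/bin/sh
# Added example, not the KB's own rc file: build ovs-alias.rc from the raw
# external_ids:ovn-remote value without assuming it is exactly "tcp:<IP>:6642".

# ovn_db_endpoint REMOTE PORT -> prints "<scheme>:<host>:<PORT>" for the first
# entry of REMOTE, where REMOTE is the quoted string ovs-vsctl prints.
ovn_db_endpoint() {
    remote=$1; port=$2
    remote=${remote#\"}; remote=${remote%\"}   # drop the surrounding quotes
    first=${remote%%,*}                        # first member of a clustered list
    scheme=${first%%:*}                        # tcp or ssl
    hostport=${first#*:}
    host=${hostport%:*}                        # strip the trailing :port
    echo "$scheme:$host:$port"
}

# write_ovs_alias_rc REMOTE FILE -> writes an rc file with NBDB/SBDB exports and
# the ovn-nbctl/ovn-sbctl/ovn-trace aliases that point at those databases.
write_ovs_alias_rc() {
    remote=$1; out=$2
    nbdb=$(ovn_db_endpoint "$remote" 6641)
    sbdb=$(ovn_db_endpoint "$remote" 6642)
    cat > "$out" <<EOF
export NBDB=$nbdb
export SBDB=$sbdb
alias ovn-nbctl="ovn-nbctl --db=\$NBDB"
alias ovn-sbctl="ovn-sbctl --db=\$SBDB"
alias ovn-trace="ovn-trace --db=\$SBDB"
EOF
}

# On a PCD host the real value comes from (assumed; needs ovs-vsctl):
#   REMOTE=$(sudo ovs-vsctl get open . external_ids:ovn-remote)
# Here a constructed clustered value stands in for it.
REMOTE='"tcp:10.0.0.5:6642,tcp:10.0.0.6:6642,tcp:10.0.0.7:6642"'
RC_FILE=${TMPDIR:-/tmp}/ovs-alias.rc
write_ovs_alias_rc "$REMOTE" "$RC_FILE"
cat "$RC_FILE"
```

Source the generated file exactly as the article does. If the remote uses the ssl scheme, the ovn-nbctl/ovn-sbctl/ovn-trace aliases also need the --private-key, --certificate and --ca-cert options pointing at the host's OVN client credentials; the endpoint string alone is not enough.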
- ovn commands can also be executed from inside the OVN North Bond Pod on the Management Cluster. Only Self-Hosted Private Cloud Director Virtualization users can run the steps below.
- Access the OVN North Bond Pod in the Management Cluster using the command below (the --kubeconfig option belongs to kubectl, so it goes before the "--" that separates the command run inside the pod).
$ kubectl --kubeconfig <PATH_TO_KUBECONFIG> -n <REGION_NAMESPACE> exec -it <ovn-north-pod> -- bash
- Run the command below to validate.
$ ovn-trace neutron-<SWITCH_UUID> 'inport=="<VM_NETWORK_PORT_ID>" && eth.src==<MAC_ADDR_OF_VM_PORT> && ip4.src==<SOURCE_IP> && ip4.dst==<Destination_IP> && icmp'