Unable to Ping Network Gateway From VM With Security Group Enabled

Problem

Unable to Ping Network Gateway From VM With Security Group Enabled

$ ping <NETWORK_GATEWAY_IP>

This behaviour is observed when the security group attached does not have Ingress rule defined.

Environment

Private Cloud Director Virtualization - v2025.4 and Higher
Self-Hosted Private Cloud Director Virtualization – v2025.4 and Higher
Component - Networking

Cause

When using a security group, inbound rule in the Security Group is not defined to allow the incoming traffic.

Resolution

To allow the incoming traffic for the Tenant Network Gateway IP, add the rule in the Security Group.
Steps to add ingress rule in the security group

Identify the security group UUID.
Run the below command to add the ingress rule to allow all incoming traffic.

$ openstack security group rule create <SG_UUID> \\
  --protocol any \\
  --ethertype IPv4 \\
  --direction ingress \\
  --remote-ip 0.0.0.0_0

Additional Information

No additional action needs to be performed on the virtual machine or security group.
Ingress Rule is required for the ping to be successful. Refer this Upstream Documentation.
To understand Logical Tracing of the ONV Packet Flow, Refer this Upstream Documentation.
To run ovn-* commands on the hosts onboarded to PCD, execute below steps.

Create an environment file ovs-alias.rc as below

EXTERNAL_ID=$(sudo ovs-vsctl get open . external_ids:ovn-remote | awk -F: '{print $2}')
export NBDB=tcp:${EXTERNAL_ID}:6641
export SBDB=tcp:${EXTERNAL_ID}:6642
alias ovn-sbctl="ovn-sbctl --db=$SBDB"
alias ovn-nbctl="ovn-nbctl --db=$NBDB"
alias ovn-trace="ovn-trace --db=$SBDB"

Export the rc file and start using the ovn commands;

$ source ovs-alias.rc

$ ovn-nbctl ls-list

ovn commands can also be executed from inside the OVN North Bond Pod on the Management Cluster. Only Self-Hosted Private Cloud Director Virtualization users can run the below steps.

Access the OVN North Bond Pod in the Management Cluster using the below command.

$ kubectl -n <REGION_NAMESPACE> exec -it <ovn-north-pod> -- bash --kubeconfig <PATH_TO_KUBECONFIG>

Run the below command to validate.

$ ovn-trace neutron-<SWITCH_UUID>  'inport=="<VM_NETWORK_PORT_ID>" && eth.src==<MAC_ADDR_OF_VM_PORT> && ip4.src==<SOURCE_IP> && ip4.dst==<Destination_IP> && icmp'

PreviousTenant Router Unreachable Due to Missing OVN Localnet Port on Provider Network NextNetwork MTU Description States Possible Values of 1280-9000, But MTU can only be set up to 1500

Last updated 1 month ago

Good afternoon

hashtagProblem

hashtagEnvironment

hashtagCause

hashtagResolution

hashtagAdditional Information

Problem

Environment

Cause

Resolution

Additional Information