oVirt can't communicate with vSphere

Trying to get my ovirt cluster connected to my vSphere cluster to import my guests. When trying to connect, I get: "VDSM ovirt1 command GetVmsNamesFromExternalProviderVDS failed: internal error: curl_easy_perform() returned an error: Couldn't connect to server (7) : Failed connect to 10.0.0.55:443; Connection timed out"
ovirt1 node (192.168.1.195) is at location A while vSphere (10.0.0.55) is at location B. I added a static route on ovirt1 for 10.0.0.0/8 via 192.168.1.13, which has a VPN connection back to 10.0.0.0/8. ICMP from ovirt1 gets through just fine, but any other traffic never leaves ovirt1 (i.e., 443 traffic never arrives at 1.13).
I'm assuming there's some firewall rule somewhere, blocking anything other than outbound ICMP, but I have been unable to find it. Any suggestions?

On Wed, Jan 30, 2019 at 9:59 PM Benjamin Selinger <blistovmhz@gmail.com> wrote:
> Trying to get my ovirt cluster connected to my vSphere cluster to import my guests. When trying to connect, I get: "VDSM ovirt1 command GetVmsNamesFromExternalProviderVDS failed: internal error: curl_easy_perform() returned an error: Couldn't connect to server (7) : Failed connect to 10.0.0.55:443; Connection timed out"
> ovirt1 node (192.168.1.195) is at location A while vSphere (10.0.0.55) is at location B. I added a static route on ovirt1 for 10.0.0.0/8 via 192.168.1.13, which has a VPN connection back to 10.0.0.0/8. ICMP from ovirt1 gets through just fine, but any other traffic never leaves ovirt1 (i.e., 443 traffic never arrives at 1.13).
> I'm assuming there's some firewall rule somewhere, blocking anything other than outbound ICMP, but I have been unable to find it. Any suggestions?
Maybe manually connect (with netcat or telnet) to port 443 on B? Does this work? If not, debug until it works, then try again.
If you can, you can try sniffing both interfaces of the VPN gateway, to try and see what traffic does get through and what fails, in addition to sniffing the end points.
Did you add a route to B? You might need one as well.
(Also changing the subject)
Good luck and best regards,
-- Didi

No. As I said, ICMP is routed through correctly without any issue. The routing is correct, and the machine at 1.13 is definitely forwarding requests correctly. I've tested from another machine on my LAN, same setup except not running CentOS/ovirt, and it's got no problem with communication. Telnet from 1.195 never leaves the node, and never hits 1.13. I can successfully hit the 10.0.0.0/8 network from any other machine on my network.
I reinstalled the cluster (for various reasons) yesterday, using the ovirt-node installer, and same issue. I dunno if I'm just derping out, but I can't see where it's being blocked.

On Sat, Feb 2, 2019 at 7:34 PM Benjamin Selinger <blistovmhz@gmail.com> wrote:
> No. As I said, ICMP is routed through correctly without any issue. The routing is correct, and the machine at 1.13 is definitely forwarding requests correctly. I've tested from another machine on my LAN, same setup except not running CentOS/ovirt, and it's got no problem with communication. Telnet from 1.195 never leaves the node,
As in, does not reach the gateway/VPN? Did you sniff traffic on the node and the gateway to verify?
Please check/share iptables/firewalld config on the node, if you suspect that it's blocking outgoing traffic (but I do not think ovirt-node ever does this by default). IMO it should not be hard to make iptables on the node log all blocks, but I didn't try this recently (or at all, with firewalld).
> and never hits 1.13. I can successfully hit the 10.0.0.0/8 network from any other machine on my network.
> I reinstalled the cluster (for various reasons) yesterday, using the ovirt-node installer, and same issue. I dunno if I'm just derping out, but I can't see where it's being blocked.
I'd suggest to sniff traffic in all relevant places and try to identify the box that does not forward correctly. Then we can start diagnosing why it does not.
Best regards,
-- Didi
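
For reading an `iptables-save` dump once the node's firewall config has been shared, as requested above, here is an added example (not written by either poster) that walks the filter table's OUTPUT chain first-match and reports which rule decides a given outbound packet. The ruleset in `SAMPLE` is constructed for illustration and is not the poster's configuration; `output_verdict` is a hypothetical helper that models only `-p`, `-d`, `--dport` and `-j`, and answers "UNKNOWN" for anything else.

```python
import ipaddress
import shlex

# Constructed ruleset in iptables-save format; NOT the poster's configuration.
SAMPLE = """\
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -p tcp -m tcp --dport 443 -j DROP
COMMIT
"""

# Options this sketch models; any other option makes the rule "UNKNOWN".
KNOWN = {"-p", "-d", "--dport", "-j", "-m", "--reject-with", "--log-prefix", "--log-level"}

def output_verdict(dump, proto, dst, dport=None):
    """First-match walk of filter/OUTPUT. Returns (verdict, deciding rule)."""
    table, policy = None, "ACCEPT"
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":OUTPUT "):
            policy = line.split()[1]
        elif table == "filter" and line.startswith("-A OUTPUT "):
            tok = shlex.split(line)[2:]
            pairs = list(zip(tok[0::2], tok[1::2]))
            opts = dict(pairs)
            # Negation ("!"), port ranges, extra match modules: refuse to guess.
            if (len(tok) % 2 or any(k not in KNOWN for k, _ in pairs)
                    or any(k == "-m" and v not in ("tcp", "udp", "icmp") for k, v in pairs)
                    or ":" in opts.get("--dport", "")):
                return "UNKNOWN", line
            if opts.get("-p", proto) not in (proto, "all"):
                continue  # protocol does not match this packet
            net = ipaddress.ip_network(opts.get("-d", "0.0.0.0/0"), strict=False)
            if ipaddress.ip_address(dst) not in net:
                continue  # destination outside the rule's network
            if "--dport" in opts and opts["--dport"] != str(dport):
                continue  # rule is port-specific and the port differs
            target = opts.get("-j")
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target, line
            if target not in (None, "LOG"):
                return "UNKNOWN", line  # jump to a user-defined chain
    return policy, "policy"
```

With the constructed ruleset, ICMP to 10.0.0.55 is accepted by the first rule while TCP to 10.0.0.55:443 is dropped by the third. An "UNKNOWN" result means the rule it returns has to be read by hand.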