Unable to Ping Network Gateway From VM With Security Group Enabled
Problem
- Unable to Ping Network Gateway From VM With Security Group Enabled
Error
$ ping <NETWORK_GATEWAY_IP>
- This behaviour is observed when the attached security group does not have an ingress rule defined.
Environment
- Private Cloud Director Virtualization - v2025.4 and Higher
- Self-Hosted Private Cloud Director Virtualization – v2025.4 and Higher
- Component - Networking
Cause
- The security group in use has no inbound (ingress) rule defined to allow the incoming traffic.
Resolution
- To allow the incoming traffic for the Tenant Network Gateway IP, add an ingress rule to the security group.
- Steps to add the ingress rule to the security group:
- Identify the security group UUID.
- Run the command below to add an ingress rule that allows all incoming IPv4 traffic (any protocol, from any source address).
Command
$ openstack security group rule create <SG_UUID> \
    --protocol any \
    --ethertype IPv4 \
    --ingress \
    --remote-ip 0.0.0.0/0
Additional Information
- No additional action needs to be performed on the virtual machine or security group.
- An ingress rule is required for the ping to succeed. Refer to this Upstream Documentation.
- To understand logical tracing of the OVN packet flow, refer to this Upstream Documentation.
- To run ovn-* commands on the hosts onboarded to PCD, execute the steps below.
- Create an environment file ovs-alias.rc as below.
ovs-alias.rc
# Read the OVN remote address from the local Open vSwitch database
EXTERNAL_ID=$(sudo ovs-vsctl get open . external_ids:ovn-remote | awk -F: '{print $2}')
# Northbound DB listens on 6641, Southbound DB on 6642
export NBDB=tcp:${EXTERNAL_ID}:6641
export SBDB=tcp:${EXTERNAL_ID}:6642
# Point each ovn tool at the matching database
alias ovn-sbctl="ovn-sbctl --db=$SBDB"
alias ovn-nbctl="ovn-nbctl --db=$NBDB"
alias ovn-trace="ovn-trace --db=$SBDB"
- Source the rc file and start using the ovn commands.
Bash
$ source ovs-alias.rc
$ ovn-nbctl ls-list
ovn commands can also be executed from inside the OVN Northbound Pod on the Management Cluster. Only Self-Hosted Private Cloud Director Virtualization users can run the steps below.
- Access the OVN Northbound Pod in the Management Cluster using the command below.
Bash
$ kubectl --kubeconfig <PATH_TO_KUBECONFIG> -n <REGION_NAMESPACE> exec -it <ovn-north-pod> -- bash
- Run the command below to validate.
OVN North Pod Shell
$ ovn-trace neutron-<SWITCH_UUID> 'inport=="<VM_NETWORK_PORT_ID>" && eth.src==<MAC_ADDR_OF_VM_PORT> && ip4.src==<SOURCE_IP> && ip4.dst==<Destination_IP> && icmp'
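The rule in the Resolution section admits any protocol from 0.0.0.0/0. The functions below are an added example, not part of the original article or the vendor's tooling: they assume ICMP from the gateway address is the only traffic that has to be admitted, and the function names (is_ipv4_host, add_gateway_icmp_rule, list_world_open_ingress) are hypothetical helpers.

```shell
# Added example, not from the original page. <SG_UUID> and the gateway
# address are values you supply; openstack CLI credentials must be loaded.

# Succeed only for a single dotted-quad IPv4 host address other than 0.0.0.0.
is_ipv4_host() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        $1 + $2 + $3 + $4 == 0 { exit 1 }'
}

# Add an ingress rule limited to ICMP from the gateway address (/32),
# instead of any protocol from 0.0.0.0/0.
add_gateway_icmp_rule() {
    sg="$1"; gw="$2"
    [ -n "$sg" ] || {
        echo "usage: add_gateway_icmp_rule <SG_UUID> <GATEWAY_IP>" >&2
        return 2
    }
    is_ipv4_host "$gw" || {
        echo "not a single IPv4 host address: $gw" >&2
        return 2
    }
    openstack security group rule create "$sg" \
        --protocol icmp \
        --ethertype IPv4 \
        --ingress \
        --remote-ip "$gw/32"
}

# Print the IDs of ingress rules in the group whose source is 0.0.0.0/0,
# so a broad rule added while troubleshooting can be found and reviewed.
list_world_open_ingress() {
    openstack security group rule list "$1" --ingress \
        -f value -c ID -c "IP Range" |
        awk '$2 == "0.0.0.0/0" { print $1 }'
}
```

Usage: `add_gateway_icmp_rule <SG_UUID> <NETWORK_GATEWAY_IP>`. Rule IDs printed by `list_world_open_ingress <SG_UUID>` can be reviewed and removed with `openstack security group rule delete <RULE_ID>`.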