On 01/18/2011 12:47 PM, Joe Landman wrote:
> On 01/18/2011 12:41 PM, Gerry Reno wrote:
>
>> On secondary:
>>
>> # tcpdump -i eth0 'port 24007'
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>> decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 96
>> bytes
>> ^C
>> 0 packets captured
>> 0 packets received by filter
>> 0 packets dropped by kernel
>
> This is the acid test. If no packets are getting between the units on
> this port, then something is firewalling them.
>
>>> and see if you can get anything when you telnet into that port?
>> On secondary:
>>
>> # telnet 10.XXX.58.95 24007
>> Trying 10.XXX.58.95...
>> Connected to 10.XXX.58.95.
>> Escape character is '^]'.
>
> Can you telnet into the secondary on this port from the primary,

On primary:

# telnet 10.XXX.58.95 24007
Trying 10.XXX.58.95...
telnet: Unable to connect to remote host: Connection timed out

> and let us know what you see when you tcpdump that port on the secondary

On secondary:

# tcpdump -i eth0 'port 24007'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

>
> If you get a connection, and see no packets, then something is badly
> broken in assumptions about network connectivity.
>
> You shouldn't get a connected message if it didn't connect. tcpdump
> won't lie (as long as the options are correct).
>

Joe, thanks for the help.

I agree something is firewalling the packets.

I added an explicit rule for this security group to allow access for port 24007 to itself (shouldn't need this), and it worked.

ec2-authorize SECURITYGROUP -P tcp -p 24007-24019 -u AWS_USER_ID -o SECURITYGROUP
GROUP	SECURITYGROUP
PERMISSION	SECURITYGROUP	ALLOWS	tcp	24007	24019	FROM	USER	AWS_USER_ID	GRPNAME	SECURITYGROUP

And now the probe is successful:

On primary:

# sudo gluster peer probe 10.XXX.58.95
Probe successful

So it appears the internal ec2 network is not open within the security group. Maybe they just meant the internal network is open in the 'default' security group. Or they only tested it there.

Regards,
Gerry
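The fix above was a self-referencing security-group rule for TCP 24007-24019. The following is an added example, not code from the thread or from GlusterFS, that checks a security group for exactly that rule so the gap is caught before a peer probe times out; it assumes the JSON shape returned by the modern `aws ec2 describe-security-groups` call (IpPermissions with IpProtocol, FromPort, ToPort, UserIdGroupPairs), and the group id, user id and sample rules below are constructed placeholders.

```python
import json

# 24007-24019 inclusive, the range Gerry authorised with ec2-authorize.
GLUSTER_PORTS = range(24007, 24020)


def self_referencing_tcp_ports(group):
    """Return the set of TCP ports the group allows from its own members.

    The range may be split across several rules, an "all traffic" rule
    (IpProtocol "-1") covers everything, and CIDR-only rules are ignored
    because they do not prove intra-group reachability.
    """
    gid = group["GroupId"]
    ports = set()
    for perm in group.get("IpPermissions", []):
        pairs = perm.get("UserIdGroupPairs", [])
        if not any(p.get("GroupId") == gid for p in pairs):
            continue                      # not a rule from this group to itself
        proto = perm.get("IpProtocol")
        if proto == "-1":                 # all protocols and ports
            return set(range(0, 65536))
        if proto != "tcp":
            continue
        ports.update(range(perm["FromPort"], perm["ToPort"] + 1))
    return ports


def missing_gluster_ports(group):
    """Sorted list of GlusterFS ports the group does NOT open to itself."""
    allowed = self_referencing_tcp_ports(group)
    return sorted(p for p in GLUSTER_PORTS if p not in allowed)


# Constructed sample group: SSH from anywhere, but only 24007-24008 from itself,
# so a peer probe on 24007 succeeds while the rest of the range is still blocked.
SAMPLE_GROUP = json.loads("""
{
  "GroupId": "sg-0example0",
  "GroupName": "SECURITYGROUP",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 24007, "ToPort": 24008, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0example0", "UserId": "AWS_USER_ID"}]}
  ]
}
""")

if __name__ == "__main__":
    print("missing intra-group TCP ports:", missing_gluster_ports(SAMPLE_GROUP) or "none")
```

Feed it the `SecurityGroups[0]` element of a real describe-security-groups response to check a live group.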