Unable to view console of VMs through internet
I want to view my VMs from consoles through the internet, but I cannot. I can view them when I am in my office, i.e. connected through the office LAN (the cloud also exists in the same network). I have access to the Management server over the internet, but I can't view the VMs in the console.
Error in the console webpage :
The connection has timed out
The server at (IP).realhostip.com is taking too long to respond.
* The site could be temporarily unavailable or too busy. Try again in a few moments.
* If you are unable to load any pages, check your computer's network connection.
* If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the web
Try Again
How about checking if you can resolve (IP).realhostip.com? Use the nslookup or host utility on your local desktop to check if you get the IP address of your console proxy VM.
Radek.
I checked the below,
C:\>nslookup 192.168.0.xxx.realhostip.com
Server: dns1.myisp.net
Address: xxx.xxx.xxx.xxx - My ISPs DNS
*** dns1.myispt.net can't find 192.168.0.239.realhostip.com: Non-existent domain
Hello,
Here are my 2 cents.
Have you put any public IPs in your public network?
The default setting is to take a free IP and put realhostip.com at the end of it.
So if you go to:
Infrastructure->Zone->[the Zone name]->[The internet facing network]->configure->public->ip ranges.
Are there some real public IPs typed in here? If not, please add your public IP. :)
Kind regards
Gert
Dear Gert,
I am unable to understand what you are trying to say. Also, I guess I cannot find the path for adding public IPs in the UI.
Thanks
Hello shareef009,
OK,
on the left side, when you have logged in as admin, there is a menu.
Click on Infrastructure
Click on Zones
Click on [your zone]
Click on physical network
Click on [your internet-facing network]
Click on the ->configure<- on the public icon.
Click on ip ranges.
Have you put your public IP ranges in here?
You need to have some public IP addresses configured if you want to reach the console on the servers from the internet.
One more question:
Are there any public IPs assigned to your network when you created it?
Look at the network menu on the left menu
Click on your network
Click on view ip addresses
Kind regards
Gert
Dear Gert,
I am unable to find the "Public Icon" there, kindly check the attached images.
In the Network form main left menu -
Name : geustNetworkforBasiczone, Account : empty , Type : Shared,VLAN : empty, CIDR: empty.
Thanks
Ahh,
You are using basic zone.. :)
I am afraid that I am not able to help you as I only have tried to install advanced zones..
But if you read
http://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.0.2/html/Installation_Guide/about-physical-networks.html
2.7.2. Basic Zone Network Traffic Types
It seems like you have not configured a public network. I am not sure if you can do this after you have configured your zone; you can do it by using the API, but the GUI?
Perhaps Citrix can elaborate on this ?
Kind regards
Gert
Dear Gert,
I can see only three names under Network Service Providers,
1 ) NetScaler - Disabled
2 ) Virtual Router - Enabled
3 ) Security Groups - Enabled
By the way, I am using CloudStack 3.0.2 Platform.
Thanks
Dear Radoslaw,
Any comments on my last post of what you suggested to do ?
Thanks
When you look up an IP using realhostip.com, you need to use dashes, not dots:
ping 192-168-0-123.realhostip.com
That should return an IP address of 192.168.0.123:
PING 192-168-0-123.realhostip.com (-->192.168.0.123<--) 56(84) bytes of data.
(Note that the ping itself may not go through due to firewall/iptables rules - the important thing is that the name lookup should resolve).
K
Dear,
I got the below output,
C:/>nslookup 192-168-0-239.realhostip.com
Server : dns1.myisp.net
Address : xxx.xxx.xxx.xxx
Non-authoritative answer:
Name : 192-168-0-239.realhostip.com
Address : 192.168.0.239
Thanks n regards
Since you are using a basic zone, you will need to NAT the IP address for the console proxy so that it is accessible externally as well. So if the console proxy's IP address is 192.168.0.239, you'll need to expose that IP via NAT to the internet.
As an example, if you NAT'd the internal IP to 66.77.88.99 externally, you would need to open a firewall rule to access 66.77.88.99 on TCP port 443 inbound from the internet on your firewall in order to access the console proxy.
After you have configured the NAT and firewall rule, you can test from outside your LAN by running "telnet 66-77-88-99.realhostip.com 443", which should allow you to connect (obviously telnet is not supported, so all you should get is a handshake to show the port is open, nothing else).
If that is successful, your console proxy should be accessible externally.
K
Dear Kurt,
I have already applied the NAT with one Public IP for Console Proxy.
I am successfully able to telnet to the IP of the Console Proxy VM over 443 and also to ConsoleIP.realhostip.com 443.
This is the error on the webpage : "The server at 192-168-0-239.realhostip.com is taking too long to respond."
Thanks and regards
Hello again,
192-168-0-239.realhostip.com is expecting the IP to be 192.168.0.239. This means that you can use it from your internal network but not from the internet, as 192.168.0.239 is NOT routed on the internet.
Explanation of realhostip.com:
https://cwiki.apache.org/CLOUDSTACK/role-of-realhostip-in-cloudstack.html
You need a public IP in your configuration.
My understanding of how this works is:
You have configured a pool of public IP addresses in your zone.
Then the console IP takes one of the public IPs from your zone.
When you try to connect to your console, CS issues an SSL certificate matching the IP of your console.
You can have more than one console proxy, thus needing more public IP addresses; one is added if the existing one is overloaded.
But just to make sure, check the value of the public IP address of your console proxy.
On the menu to the left:
Click Infrastructure
Click system VM
Click on the name of your console proxy
Here you have the public IP address in the field called: Public IP Address
Now this should be a public IP address, which means not in the range of
192.168.x.x
172.16-31.x.x
10.x.x.x
If you have a public IP in one of the above ranges, then this means that you have configured your public addresses wrong (or you will have to make a 1-1 NAT on each address and disable SSL...)
- Can you post the first decimal, i.e. 12.x.x.x?
But where you should change this I do not know - sorry.
You should also be aware of any firewall between the internet and the public interface, as it should bridge traffic to the public interface and not route, and should allow all traffic, as the firewall in CS will do the filtering.
Now there are 4 network traffic types.
1 x management - net to manage cloudstack, routers etc.
1 x storage network - not needed, but can be used for storage
1 x public network - needed if you will be using the internet
1 x guest network - network for the VMs
Now, as you stated before, you do not have the public network configured; I think that you need to focus on this.
I read someplace that you are not able to add a network (by using the GUI) when the zone has been created, but you can use the API (this means that you need a programmer etc.).
Kind regards
Gert
Edited by: Gert Jensen on 04-09-2013 21:29
Hey Gert,
Thanks for the post. Kindly don't mind, it's going over my head this time.
When I check the properties of Console Proxy, I found that the Public IP is 192.168.0.239 and the Private IP is 192.168.0.243.
While configuring the CS Management Server, it requested me for two network ranges,
One for System VMs : 192.168.0.240-192.168.0.244/24 - I defined
Another for Guest VMs Network : 192.168.0.230-192.168.0.239/24 - I defined
My Management Server IP is 192.168.0.222/24 - NAT to Public IP (xxx.xxx.xxx.xx1)
Console Proxy IP is 192.168.0.239/24 - NAT to Public IP (xxx.xxx.xxx.xx2)
Both are accessible over internet.
Thanks and regards
Hello,
http://support.citrix.com/article/CTX133468
The only way this will work is:
You get a *.yourdomain.com certificate and install it on your management server, and create the A record yourself,
so when you ping 192-168-0-239.yourdomain.com it will resolve to xxx.xxx.xxx.xx2, which is 1-2-1 NAT to 192.168.0.239.
Then again, if the system chooses to create a second console proxy, you will need to do it again with that IP address, ......
:)
The change SSL part is the difficult one.. :)
Is it possible to remove the zone and create it again with real public IP addresses?
If this is a test environment, that would be the way to go.....
Kind regards
Gert
Edited by: Gert Jensen on 04-09-2013 22:40
Edited by: Gert Jensen on 04-09-2013 22:43
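Added example, not part of any post in this thread: a shell sketch of why 192-168-0-239.realhostip.com fails from the internet and what the A record suggested above would look like. It uses 192.168.0.239 from the thread, the 66.77.88.99 NAT address from the earlier example and company.com as a placeholder domain; the function names are made up for this example.

```shell
#!/usr/bin/env bash
# Added example; function names, company.com and the NAT pair are assumptions.

# Console proxy host name as used in the thread: dots become dashes.
console_name() {            # $1 = IPv4 address, $2 = domain
    printf '%s.%s\n' "$(printf '%s' "$1" | tr '.' '-')" "$2"
}

# Succeeds for the private ranges listed in the thread
# (10.x.x.x, 172.16-31.x.x, 192.168.x.x), which are not routed on the internet.
is_private() {              # $1 = IPv4 address
    a=${1%%.*}; rest=${1#*.}; b=${rest%%.*}
    if [ "$a" -eq 10 ]; then return 0; fi
    if [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then return 0; fi
    if [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then return 0; fi
    return 1
}

# What an internet client gets for the console URL it is handed.
# $1 = console proxy "Public IP Address", $2 = console proxy domain,
# $3 = external NAT address published in DNS for that name (own domain only)
console_verdict() {
    name=$(console_name "$1" "$2")
    if [ "$2" = "realhostip.com" ]; then
        target=$1           # realhostip.com answers with the IP embedded in the name
    else
        target=${3:-$1}     # own domain: the admin decides what the A record says
    fi
    if is_private "$target"; then
        echo "$name -> $target UNREACHABLE (private address)"
    else
        echo "$name -> $target reachable if TCP 443 is open"
    fi
}

# Zone-file line for the suggestion above: internal name, external NAT address.
nat_a_record() {            # $1 = internal IP, $2 = external IP, $3 = domain
    printf '%s. IN A %s\n' "$(console_name "$1" "$3")" "$2"
}

console_verdict 192.168.0.239 realhostip.com ""
console_verdict 192.168.0.239 company.com 66.77.88.99
nat_a_record 192.168.0.239 66.77.88.99 company.com
```

A second console proxy gets its own address, so it needs its own record of the same shape.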
Hi Gert,
The link you gave is for CS 2.2. By the way, is this the only option?
I have no DNS server at all, but I have a domain to assign for it. So in this case, do I need the DNS server as a must?
For changing the SSL, it is required to log in to the VM, but I don't know the credentials to log in to the System VMs.
Thanks and regards
Hi Gert,
Kindly find the steps for CS 3.0.0 - 3.0.5,
Changing the Console Proxy SSL Certificate and Domain
If the administrator prefers, it is possible for the URL of the customer's console session to show a domain other than realhostip.com. The administrator can customize the displayed domain by selecting a different domain and uploading a new SSL certificate and private key. The domain must run a DNS service that is capable of resolving queries for addresses of the form aaa-bbb-ccc-ddd.your.domain to an IPv4 IP address in the form aaa.bbb.ccc.ddd, for example, 202.8.44.1.
To change the console proxy domain, SSL certificate, and private key:
1. Set up dynamic name resolution or populate all possible DNS names in your public IP range into your existing DNS server with the format aaa-bbb-ccc-ddd.company.com -> aaa.bbb.ccc.ddd.
2. Generate the private key and certificate signing request (CSR). When you are using openssl to generate private/public key pairs and CSRs, for the private key that you are going to paste into the CloudStack UI, be sure to convert it into PKCS#8 format.
a. Generate a new 2048-bit private key.
   openssl genrsa -des3 -out yourprivate.key 2048
b. Generate a new certificate CSR.
   openssl req -new -key yourprivate.key -out yourcertificate.csr
3.0.0 – 3.0.2 Administration Guide
August 16, 2012 © 2011, 2012 Citrix Systems, Inc. All rights reserved. 113
c. Head to the website of your favorite trusted Certificate Authority, purchase an SSL certificate, and submit the CSR. You should receive a valid certificate in return.
d. Convert your private key format into PKCS#8 encrypted format.
   openssl pkcs8 -topk8 -in yourprivate.key -out yourprivate.pkcs8.encrypted.key
e. Convert your PKCS#8 encrypted private key into the PKCS#8 format that is compliant with CloudStack.
   openssl pkcs8 -in yourprivate.pkcs8.encrypted.key -out yourprivate.pkcs8.key
3. In the Update SSL Certificate screen of the CloudStack UI, paste the following:
* Certificate from step 1(c).
* Private key from step 1(e).
* The desired new domain name; for example, company.com.
4. Click Add to put the changes into effect.
This stops all currently running console proxy VMs, then restarts them with the new certificate and key. Users might notice a brief interruption in console availability.
The Management Server will generate URLs of the form "aaa-bbb-ccc-ddd.company.com" after this change is made. New console requests will be served with the new DNS domain name, certificate, and key.
Thanks and regards
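Added example, not part of the quoted guide: steps 2(a), 2(b), 2(d) and 2(e) run non-interactively in a scratch directory, then checked so that the key to be pasted into the UI is unencrypted PKCS#8 and matches the CSR. The passphrase, the -subj value and company.com are constructed placeholders, and the function names are made up for this example.

```shell
#!/usr/bin/env bash
# Added example. File names follow the steps above; the passphrase,
# the -subj value and company.com are constructed placeholders.

make_console_proxy_key() {      # $1 = console proxy domain; prints the work dir
    workdir=$(mktemp -d) || return 1
    (
        cd "$workdir" && umask 077 &&
        # Passphrase goes through the environment, not the command line,
        # so it does not show up in the process list.
        export KEYPASS="constructed-demo-passphrase" &&
        # 2(a): encrypted 2048-bit RSA key
        openssl genrsa -des3 -passout env:KEYPASS -out yourprivate.key 2048 2>/dev/null &&
        # 2(b): CSR for the wildcard name that covers aaa-bbb-ccc-ddd.<domain>
        openssl req -new -key yourprivate.key -passin env:KEYPASS \
            -subj "/CN=*.$1" -out yourcertificate.csr &&
        # 2(d): encrypted PKCS#8
        openssl pkcs8 -topk8 -in yourprivate.key -passin env:KEYPASS \
            -passout env:KEYPASS -out yourprivate.pkcs8.encrypted.key &&
        # 2(e): unencrypted PKCS#8, the form pasted into the UI
        openssl pkcs8 -in yourprivate.pkcs8.encrypted.key -passin env:KEYPASS \
            -out yourprivate.pkcs8.key
    ) >/dev/null || return 1
    echo "$workdir"
}

check_console_proxy_key() {     # $1 = work dir; prints "ok" when all checks pass
    # Unencrypted PKCS#8 starts with exactly this header line.
    [ "$(head -n 1 "$1/yourprivate.pkcs8.key")" = "-----BEGIN PRIVATE KEY-----" ] ||
        { echo "not-pkcs8"; return 1; }
    # The CSR must carry the public half of the same key.
    csr_pub=$(openssl req -in "$1/yourcertificate.csr" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$1/yourprivate.pkcs8.key" -pubout | openssl dgst -sha256)
    [ "$csr_pub" = "$key_pub" ] || { echo "key-mismatch"; return 1; }
    echo "ok"
}

dir=$(make_console_proxy_key company.com) && check_console_proxy_key "$dir"
# yourprivate.pkcs8.key is not passphrase-protected: remove it once uploaded.
rm -rf "$dir"
```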