Troubleshooting Google Compute Engine Network Firewall VPN - google-compute-engine

How can I troubleshoot GCE firewall issues? We're running some GCE servers and connecting to a non-Google network via IPsec using the Google beta VPN service (although I had the same problem with GCE and my own StrongSwan instance in the past and could never fix it there either).
I'm trying to connect to 192.168.4.176 (a Linux box with no firewall running) and I'm pretty sure Google is blocking the traffic. The VPN is fine. I can ping 192.168.4.180. But I can't ping 192.168.4.176. And nc 192.168.4.176 22 just times out.
I can run an SSL VPN from a GCE instance and can ping 192.168.4.176 without issue.
Here's a screenshot of the GCE network. I also tried routes/firewall rules with 192.168.4.1/24, but those didn't work either for connecting to .176, while .180 was fine. Any ideas on what to try?
Here are the GCE network details
Here's the GCE VPN screen
Here's the GCE VPN detail screen
And from the remote network I can ping my 10.x GCE instances from 192.168.4.180 (which I should, since I'm allowing that). But I can't ping any GCE 10.x addresses from 192.168.4.176 (which I interpret as the Google firewall blocking the traffic even though I have it configured to let it through).

Can you confirm that the secret key for the .176 VPN is correctly configured on both ends?
The firewall rule for the .176 VPN: is it added in the GCE firewall section, mapped to the right network where the VPN tunnel was created?
Does the VPN UI status show a green tick mark for both the tunnels?
You could also view the VPN logs from the GCP UI: from the UI Console, left menu Monitoring -> Logs, then select "Compute Engine" -> "targetVPNgateway", select the tunnels and the "ipsec_events" dropdown. Check the log when you access the .176 VPN to observe the likely packet flow.
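The question and the answer above both come down to one check: does an ingress rule on the GCE network actually cover the remote address that fails (.176) and not only the one that works (.180)? The following Python evaluator is an added example, not code from the question, the answer, or Google; it takes rule objects shaped like the JSON that `gcloud compute firewall-rules list --format=json` prints and decides one flow at a time. The rule set, the rule name allow-remote-lan and the addresses are constructed to mirror the thread, including the 192.168.4.1/24 range the question tried (Python's ipaddress rejects a range with host bits set unless strict=False, which normalises it to 192.168.4.0/24). The model is deliberately simplified: it handles direction, priority, source/destination ranges, protocols, ports and the implied deny-ingress/allow-egress rules every VPC network has, but not target tags, service accounts or rule logging.

```python
"""Evaluate a simplified GCE VPC firewall rule set against a single flow.

Added example, not code from the thread.  Rule objects follow the field names
gcloud prints (name, direction, priority, sourceRanges/destinationRanges,
allowed/denied, disabled).  Deny rules, which current VPC firewalls support,
are modelled alongside allow rules.
"""
import ipaddress

# Every VPC network carries these two implied rules at the lowest priority.
IMPLIED_RULES = [
    {"name": "implied-deny-ingress", "direction": "INGRESS", "priority": 65535,
     "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
    {"name": "implied-allow-egress", "direction": "EGRESS", "priority": 65535,
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
]

# Constructed sample modelled on the thread: the rule only covers .180.
SAMPLE_RULES = [
    {"name": "allow-remote-lan", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["192.168.4.180/32"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}, {"IPProtocol": "icmp"}]},
]


def _port_matches(spec, port):
    """spec is a gcloud-style port entry: "22" or a range such as "1000-2000"."""
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def _proto_matches(entries, protocol, port):
    """True if any allowed/denied entry covers this protocol (and port, if given)."""
    for entry in entries:
        proto = entry["IPProtocol"].lower()
        if proto not in ("all", protocol):
            continue
        ports = entry.get("ports")
        if not ports or port is None:  # no port list means every port
            return True
        if any(_port_matches(p, port) for p in ports):
            return True
    return False


def _range_matches(ranges, ip):
    addr = ipaddress.ip_address(ip)
    # strict=False accepts a range written with host bits set, e.g.
    # 192.168.4.1/24, and normalises it to 192.168.4.0/24.
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def evaluate(rules, direction, peer_ip, protocol, port=None):
    """Return (decision, rule_name) for one flow.

    direction is "INGRESS" or "EGRESS"; peer_ip is the source address for
    ingress and the destination address for egress.  The lowest priority
    number wins; at equal priority a deny rule is checked before an allow rule.
    """
    candidates = [r for r in rules + IMPLIED_RULES
                  if r.get("direction", "INGRESS") == direction and not r.get("disabled")]
    candidates.sort(key=lambda r: (r.get("priority", 1000), "denied" not in r))
    range_key = "sourceRanges" if direction == "INGRESS" else "destinationRanges"
    for rule in candidates:
        # A rule with no range filter applies to every address.
        if not _range_matches(rule.get(range_key, ["0.0.0.0/0"]), peer_ip):
            continue
        if "denied" in rule and _proto_matches(rule["denied"], protocol, port):
            return "DENY", rule["name"]
        if "allowed" in rule and _proto_matches(rule["allowed"], protocol, port):
            return "ALLOW", rule["name"]
    return "DENY", "no-match"  # not reached while the implied rules are present


def widen_source(rules, name, new_range):
    """Return a copy of rules with one rule's sourceRanges replaced."""
    out = []
    for rule in rules:
        rule = dict(rule)
        if rule["name"] == name:
            rule["sourceRanges"] = [new_range]
        out.append(rule)
    return out


if __name__ == "__main__":
    for src in ("192.168.4.180", "192.168.4.176"):
        print(src, "icmp ->", evaluate(SAMPLE_RULES, "INGRESS", src, "icmp"))
    fixed = widen_source(SAMPLE_RULES, "allow-remote-lan", "192.168.4.1/24")
    print("192.168.4.176 tcp/22 after widening ->",
          evaluate(fixed, "INGRESS", "192.168.4.176", "tcp", 22))
```

Run against a real export, the loop over candidate rules also names which rule made the decision, which is the piece of information the console's per-rule view does not give you when you only see that a ping times out.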

Related

VM Instances on Google Cloud

I have created a VM instance on Google Cloud and I want to access it from the WAN. I tried typing the address in the address bar, but it says the server is down. I can remote desktop to my Windows instance but cannot access it in the browser.
What is the problem? How do I solve it?
You can access Linux instances with SSH and Windows instances using remote desktop. More details can be found in the Google Cloud documentation here.
Update:
If you want to enable HTTP access to your website then you need to
1) Make sure you are trying to connect to the correct external IP address. Your server will have either a static or an ephemeral IP address. An ephemeral IP address changes every time you reboot your server. A static IP doesn't change, but it is not free. More details here.
2) Make sure you enabled HTTP access in your firewall settings. (Maybe you forgot to check this option when you were creating your virtual machine?) To set the firewall settings go to Networking -> VPC network -> Firewall rules

Cannot access Google Cloud Compute Instance External IP

I have set up a Google Cloud Compute Instance:
Machine type: n1-standard-1 (1 vCPU, 3.75 GB memory)
CPU platform: Intel Haswell
Zone: us-east1-c
I can ssh in using the external address.
I have installed the vncserver and can access it on port 5901 from localhost as well as the internal IP.
I am trying to access it from the static, external IP address but it is not working.
I have configured the firewall to open the port to 0.0.0.0/0, but it is not reachable.
Can anyone help?
Update: after further investigation from the tips from the two answers (thanks, both!), I have a partial answer:
The Google Cloud Compute instance was set, by default, to not allow HTTP traffic. I reset the configuration to allow HTTP traffic. I then tried the troubleshooting tip to run a small HTTP service in Python. I was able to get a response from the service over the internet.
The summary of the current situation is as follows:
The external IP address can be reached
It is enabled and working for SSH
It is enabled and working for HTTP
It does not seem to allow traffic from vncserver
Any idea how to configure the compute instance to allow for vncserver traffic?
If you already verified that Google Firewall or your VM are not blocking packets, you must make sure that VNC service is configured to listen on the external IP address.
You can always use a utility like nmap outside Google project to reveal information on the port status.
Enable HTTP/HTTPS traffic from the firewall as per the need. It will work!!
The Google Cloud Compute instance was set, by default, to not allow HTTP traffic. I reset the configuration to allow HTTP traffic. I then tried the troubleshooting tip to run a small HTTP service in python. I was able to get a response from the service over the internet.
As such, the original question is answered, I can access Google Cloud Compute Instance External IP. My wider issue is still not solved, but I will post a new, more specific question about this issue
TLDR: make sure you are requesting http not https
In my case I was following the link from my CE instance's External IP property, which takes you directly to the https version, and I didn't set up https, so that was causing the 'site not found' error.
Create an entry in your local SSH config file as below, with the mentioned local forward port. In my case it's an example of YARN's IP, which I want to access in the browser.
Host hadoop
HostName <External-IP>
User <Local-machine-username>
IdentityFile ~/.ssh/<private-key-for-above-user>
LocalForward 8089 <Internal-IP>:8088
In addition to having the firewall rules to allow HTTP traffic in both Google Cloud Platform and within the OS of the instance, make sure you install a web server such as Apache or Nginx.
After installing the web server, you connect to the instance using SSH and verify you do not get a failed connection with the following command:
$ sudo wget http://localhost
If the connection is positive, it means that you can access your external URL:
http://<IP-EXTERNAL-VM>
Usually there are two main things to check.
1. Port
By default, only port 80, 443 and ICMP are exposed. If your server is running on a different port, create a record for the same.
2. Firewall
Make sure you are allowing http and https traffic based on your need.
For me the problem was that I set up the traffic for the firewall rule to be 'Egress' instead of 'Ingress'.
If anyone already initiated 'https', just disable it and check again.
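Two of the answers above make the same point from opposite sides: a successful wget http://localhost only proves the service runs, and a VNC server that listens on loopback is unreachable whatever the cloud firewall allows. The script below is an added example, not code from any answer in this thread: it parses the output of `ss -ltn` (a constructed sample is embedded) and reports, for each port you expect to reach from the internet, whether anything listens on an address that outside traffic can hit. On GCE the external IP is a NAT mapping to the instance's internal address rather than an address configured on the NIC, so "listening on the external IP" in practice means binding to 0.0.0.0, [::] or the internal IP. The `probe` helper is the programmatic form of the loopback wget check; a loopback success still has to be followed by the binding and firewall checks.

```python
"""Tell a cloud-firewall problem apart from a service that only listens on loopback.

Added example, not code from the thread.  parse_listeners/exposure_report work
on `ss -ltn` text; probe opens a plain TCP connection.
"""
import ipaddress
import socket

# Constructed sample of `ss -ltn` on a VM where sshd and a web server are
# exposed on all interfaces but vncserver binds only to loopback.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
LISTEN  0       5            127.0.0.1:5901        0.0.0.0:*
LISTEN  0       511                  *:80                *:*
LISTEN  0       128               [::]:22             [::]:*
LISTEN  0       5                [::1]:5901           [::]:*
"""


def parse_listeners(ss_output):
    """Return (address, port) pairs for every LISTEN line in `ss -ltn` text."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]")  # IPv6 addresses are printed as [addr]:port
        listeners.append((addr, int(port)))
    return listeners


def bind_scope(addr):
    """'any' for a wildcard bind, 'loopback' for 127.x / ::1, else 'specific'."""
    if addr in ("*", "0.0.0.0", "::"):
        return "any"
    return "loopback" if ipaddress.ip_address(addr).is_loopback else "specific"


def exposure_report(ss_output, wanted_ports):
    """Map each wanted port to 'not listening', 'loopback only' or 'bound; check firewall'.

    A 'specific' bind counts as reachable because on GCE the internal address
    is where NAT'd external traffic arrives.
    """
    scopes = {}
    for addr, port in parse_listeners(ss_output):
        scopes.setdefault(port, set()).add(bind_scope(addr))
    report = {}
    for port in wanted_ports:
        found = scopes.get(port)
        if not found:
            report[port] = "not listening"
        elif found == {"loopback"}:
            report[port] = "loopback only"
        else:
            report[port] = "bound; check firewall"
    return report


def probe(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for port, status in exposure_report(SAMPLE_SS_OUTPUT, [22, 80, 5901, 8080]).items():
        print(f"port {port}: {status}")
```

On a live instance, feed it the real output (`ss -ltn` piped into the script, or `netstat -ltn` after adjusting the column index) and run probe from a machine outside the project; a port that reports "bound; check firewall" yet fails the external probe is a cloud firewall or OS firewall issue, while "loopback only" is a service configuration issue that no firewall rule will fix.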

WinSCP to google cloud

I have a Google Cloud Compute Engine instance. I'm trying to connect using WinSCP. I followed the steps at https://cloud.google.com/compute/docs/instances/connecting-to-instance
It is stating a "Connection Timed out" error. What could be the cause? Do I need to open the firewall in Google Cloud? But that isn't shown in the instructions.
Yes, you should have a GCE firewall rule added for SSH protocol to allow this traffic to the VM instances that you want to connect. This is a quote from this article:
Each network has its own firewall controlling access to the instances. All traffic to instances, even from other instances, is blocked by the firewall unless firewall rules are created to allow it.
The default network has automatically created firewall rules, which are shown below. No manually created network of any type has automatically created firewall rules. For all networks except the default network, you must create any firewall rules you need.
Firewall rules are only "allow" rules. You cannot create "deny" rules. If you need to restrict traffic from reaching certain instances, create rules that allow traffic to the other instances, then remove the firewall rule that allowed traffic to all of the instances.
The firewall rules automatically created for the default network are as follows:
default-allow-internal: Allows network connections of any protocol and port between instances on the network.
default-allow-ssh: Allows SSH connections from any source to any instance on the network over TCP port 22.
default-allow-rdp: Allows RDP connections from any source to any instance on the network over TCP port 3389.
default-allow-icmp: Allows ICMP traffic from any source to any instance on the network.

GCE VM instance no longer able to do outbound requests

I have an Ubuntu (14.04) VM instance that I can SSH into. It has no iptables rules and ufw is disabled. Other VMs in the network are accessible. Outbound requests are timing out. Restarting the VM didn't work.
tl;dr I can't ping google.com from a VM.
Any ideas or suggestions?
Removing the external IP will make the VM unable to make outbound requests. The effect is not immediate.

Unable to rdp into Amazon EC2 instance

I have spun up a micro instance of Windows Server 2008 R2 with SQL Server and IIS installed.
My security group has three inbound rules:
RDP TCP 3389 0.0.0.0/0
MSSQL TCP 1433 0.0.0.0/0
HTTP TCP 80 0.0.0.0/0
Outbound is all traffic 0.0.0.0/0
I can RDP into other instances which are on a private cloud, which is OpenStack at my college.
I followed the instructions and decrypted the password after downloading the pem file. I get an error saying I cannot connect. I used this website: http://www.mynetworktest.com/ports.php to check if port 3389 was open on my EC2 instance; it says it is not. I tried changing security groups, but it does not make a difference. The only discrepancy I could determine is from when I set up the instance: I had to set 'Auto Assign Public IP' to enable in order to get a public IP address, something which the Amazon docs do not clarify.
I am out of ideas. Any help appreciated.
It happened to me and this is how I resolved it.
It is likely your Windows Firewall is restricting incoming RDP traffic. First disable Windows Firewall totally. If you are able to connect after disabling the firewall, then firewall rules are the issue. Enable the firewall and edit the firewall rules to allow incoming RDP traffic.
For Windows and Linux servers, check for 2 things to make remote desktop or SSH work:
Check the firewall/iptables.
Check the security groups or which ports are open to which destination.
Check the services and user groups open for communication.
Check the service.