Hi Deepthi,

Can you check the routes on the SSVM? On which interface is the default route set?

Thanks,
Jayapal

> -----Original Message-----
> From: Deepti Dohare [mailto:deepti.doh...@citrix.com]
> Sent: Thursday, February 28, 2013 3:22 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: Copy template/ISO across zones is failing
>
> Hi,
> I am investigating the issue
> https://issues.apache.org/jira/browse/CLOUDSTACK-1337, copy
> template/Iso across zones is failing in branch 4.1, giving the error "HTTP
> Server returned 403 (expected 200 OK)" and there is a workaround
> mentioned in
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSVM%2C+templates%2C+Secondary+storage+troubleshooting
>
> The iptable rules in the destination as well as source ssvm:
> root@s-9-VM:~# iptables -S
> -P INPUT DROP
> -P FORWARD DROP
> -P OUTPUT ACCEPT
> -N HTTP
> -A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> -A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> -A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth3 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
> -A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
> -A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
>
> I removed the last rule "-A OUTPUT -o eth1 -p tcp -m state --state NEW -m
> tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable" which is
> blocking outgoing on 443 port and also modified .htaccess to
>
> Options -Indexes
> order deny,allow
> #deny from all
> allow from 10.102.193.95
>
> Copy template worked after this modification.
> The rule seems valid to me i.e. "-A OUTPUT -o eth1 -p tcp -m state --state
> NEW -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable" but
> copy template is not happening until I remove this rule. Also, removing
> "deny from all" is a security threat.
>
> I also noticed eth1 RX bytes was increasing during copy template, which
> possibly means it is using eth1 port.
>
> Previously my understanding was, Copy template happens on eth2 port, but
> from the above, it seems eth1 is getting used.
> Can someone confirm this behavior?
>
> Also, What should be the right approach to fix this issue?
>
> Regards
> Deepti