Updated at December 20, 2023   05:58 AM

Network in a Linux VM

This guide provides recommendations for troubleshooting network configuration issues on Linux VMs.

As an example, it is assumed that:

  • a virtual machine has only one network interface;
  • the problem being solved is the loss of SSH access to the virtual machine.

The described approaches can also be used when access is lost to another application (for example, NGINX web server) or when a virtual machine has multiple network interfaces.

Example of a problem

  • It is not possible to connect to a VM via SSH at its private IP address or floating IP address (if there is one).
  • Some time ago there were no problems with the connection.

Before starting work

  1. Perform a forced reboot.

    This operation can help if the VM is not responding or its network interface is initialized incorrectly:

    1. Stop the VM.
    2. Run a forced reboot of the stopped VM.

    If this does not solve the problem, follow the remaining steps and proceed to diagnostics.

  2. Make sure that the VM is running.

  3. Make sure that you can access the virtual machine console and log in to it using a pre-configured login.

    If necessary, restore the password for the login.

  4. Get information about the configuration of the virtual machine network interface:

    1. Go to your VK Cloud personal account.

    2. Select the project where the necessary VM is located.

    3. Go to Cloud Computing → Virtual machines.

    4. Click on the name of the desired VM.

    5. Go to the Networks tab.

    6. Write down the following network information:

      • network and subnet names;
      • gateway and subnet CIDR;
      • IP address: private and floating (if any);
      • MAC address;
      • Firewall settings (list of security groups).

      For example, the following values will be used:

      Parameter                                                   Value
      Network name                                                demoNetwork
      Name of subnet                                              demoSubnet
      Gateway                                                     10.0.0.1
      CIDR                                                        10.0.0.0/24
      Private IP address                                          10.0.0.5
      Private IP address in combination with a prefix from CIDR   10.0.0.5/24
      Floating IP                                                 192.0.2.22
      MAC address                                                 fa:16:3e:aa:bb:cc
      Firewall settings                                           default

1. Check the network interface settings

Sometimes the connection is hindered by incorrect initialization of the network interface of the virtual machine or its incorrect settings.

Check that the network interface is configured correctly:

  1. Connect to the virtual machine console and log in.

  2. Run the command:

    ip link show

    Example output:

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
        link/ether fa:16:3e:aa:bb:cc brd ff:ff:ff:ff:ff:ff
        altname enp0s3

    In the command output, find the name of the interface whose link/ether parameter matches the MAC address obtained earlier. In this example, it is ens3.

  3. Run the command, substituting the interface name obtained in the previous step:

    ip address show ens3

    Example output:

    2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether fa:16:3e:aa:bb:cc brd ff:ff:ff:ff:ff:ff
        altname enp0s3
        inet 10.0.0.5/24 metric 100 brd 10.0.0.255 scope global dynamic ens3
           valid_lft 603373sec preferred_lft 603373sec
        inet6 fe80::f816:3eff:feb4:d70f/64 scope link
           valid_lft forever preferred_lft forever

    The output should contain:

    • Interface status information: state UP.
    • The private IP address of the virtual machine, combined with the prefix /24 from the subnet CIDR, in the parameter inet (10.0.0.5/24).
  4. Run the command:

    ip route show default

    Example output:

    default via 10.0.0.1 dev ens3 proto dhcp src 10.0.0.5 metric 100

    Make sure that the output contains:

    • Gateway IP address (via 10.0.0.1).
    • Interface name obtained earlier (dev ens3).
    • The private IP address of the virtual machine (src 10.0.0.5).

    If the output of the commands ip address show and ip route show contains the given information, then the network interface settings are correct. Go to application verification.

    If the output of the commands ip address show and ip route show does not contain the above information, then the network interface settings are incorrect.

  5. Configure the network interface manually:

    1. Edit the file /etc/netplan/50-cloud-init.yaml and bring it to the following form:

      network:
          ethernets:
              ens3: # Interface name
                  dhcp4: false
                  addresses:
                      - 10.0.0.5/24 # Private IP address + prefix from CIDR
                  routes:
                      - to: 0.0.0.0/0
                        via: 10.0.0.1 # Gateway address
                  nameservers:
                      addresses:
                          - 5.61.237.120
                          - 5.61.237.127
                  match:
                      macaddress: fa:16:3e:aa:bb:cc # MAC address
                  set-name: ens3
          version: 2

      If necessary, specify other DNS servers in the parameter network.ethernets.ens3.nameservers.addresses.

    2. Run the command:

      sudo netplan apply
  6. Prohibit making automatic changes to the edited configuration file:

    echo 'network: {config: disabled}' | sudo tee /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
  7. Check for SSH access to the VM. If access does not appear, go to the application check.
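The comparison in steps 2 to 4 can be scripted. The following is an added example, not part of the original guide: the function names are hypothetical, and it reads the one-line output form (`ip -o`) instead of the multi-line form shown above. The sample output is constructed from the guide's example values.

```shell
#!/bin/sh
# Added example. Functions take command output as text so they run offline; on a
# VM pass real output: check_network "$(ip -o link show)" \
#   "$(ip -o -4 address show)" "$(ip route show default)" MAC IP/PREFIX GATEWAY

# Token that follows keyword $2 on each line of text $1.
field_after() {
    printf '%s\n' "$1" | awk -v key="$2" \
        '{ for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); break } }'
}

# Interface whose link/ether equals MAC $2 in `ip -o link show` text $1.
iface_by_mac() {
    printf '%s\n' "$1" | awk -v mac="$2" '{
        for (i = 1; i < NF; i++)
            if ($i == "link/ether" && tolower($(i + 1)) == tolower(mac)) {
                sub(/[:@].*/, "", $2); print $2; exit
            }
    }'
}

# Print one line per mismatch with the console values; status 0 if none.
# $1 link text, $2 addr text, $3 route text, $4 MAC, $5 IP/prefix, $6 gateway
check_network() {
    iface=$(iface_by_mac "$1" "$4")
    [ -n "$iface" ] || { echo "no interface with MAC $4"; return 1; }
    bad=0
    line=$(printf '%s\n' "$1" | grep -iF "link/ether $4")
    addrs=$(printf '%s\n' "$2" | awk -v n="$iface" '$2 == n')
    [ "$(field_after "$line" state)" = UP ] || { echo "$iface: state is not UP"; bad=1; }
    field_after "$addrs" inet | grep -qxF "$5" || { echo "$iface: inet $5 not set"; bad=1; }
    [ "$(field_after "$3" via)" = "$6" ] || { echo "default route: via is not $6"; bad=1; }
    [ "$(field_after "$3" dev)" = "$iface" ] || { echo "default route: dev is not $iface"; bad=1; }
    [ "$(field_after "$3" src)" = "${5%/*}" ] || { echo "default route: src is not ${5%/*}"; bad=1; }
    return "$bad"
}

# Constructed sample output, using the example values from this guide.
LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether fa:16:3e:aa:bb:cc brd ff:ff:ff:ff:ff:ff'
ADDR='2: ens3    inet 10.0.0.5/24 metric 100 brd 10.0.0.255 scope global dynamic ens3'
ROUTE='default via 10.0.0.1 dev ens3 proto dhcp src 10.0.0.5 metric 100'
# Constructed failure case: the interface has no IPv4 address and no default route.
NOADDR='2: ens3    inet6 fe80::1/64 scope link'

check_network "$LINK" "$ADDR" "$ROUTE" fa:16:3e:aa:bb:cc 10.0.0.5/24 10.0.0.1 \
    && echo "interface settings match the console values"
check_network "$LINK" "$NOADDR" "" fa:16:3e:aa:bb:cc 10.0.0.5/24 10.0.0.1 \
    || echo "interface settings are incorrect"
```

Each line printed by check_network names the value that differs from the console, which is the information to carry into step 5.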

2. Make sure that the necessary applications are running on the VM

The network interface may be fine, but applications and services may not be running, or may be running on a non-standard port.

Check the SSH operation:

  1. Connect to the virtual machine console and log in.

  2. Run the command:

    sudo systemctl status ssh

    From the command output, determine whether the service is running:

    • Active: active (running): SSH service is running.
    • Active: inactive (dead): SSH service is not running.
  3. Depending on the SSH service status, follow these steps:

    1. Determine which port the SSH service is running on:

      sudo cat /etc/ssh/sshd_config | grep -w Port

      The output will contain the port number:

      Port 22

      If the service is running on the standard port 22, go to checking the settings of the VM firewall. Otherwise, proceed to the next step.

    2. Connect using the non-standard port number. For example, if the SSH service is running on port 222:

      ssh -i /path/to/private_key_file username@192.0.2.22 -p 222
    3. Check for SSH access to the VM. If access has not appeared, proceed to checking the settings of the VM firewall.
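The grep in step 1 also prints commented-out lines such as `#Port 22`, which a stock sshd_config often contains. The following added example (not part of the original guide; the function name sshd_ports is hypothetical) reads only active, whitespace-separated Port directives from the main file and falls back to the sshd default of 22.

```shell
#!/bin/sh
# Added example. Prints the port(s) set by active Port directives in the
# sshd_config text passed as $1, or 22 (the sshd default) when none is set.
# On a VM: sshd_ports "$(sudo cat /etc/ssh/sshd_config)"
sshd_ports() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                       # skip comments such as "#Port 22"
        tolower($1) == "port" { print $2; n++ }   # keywords are case-insensitive
        END { if (!n) print 22 }'
}

# Constructed sample: commented-out default, unrelated keywords, active override.
CONF='#Port 22
AddressFamily any
GatewayPorts no
port 222'

sshd_ports "$CONF"        # active directive wins over the commented line
sshd_ports '#Port 22'     # nothing active: sshd listens on its default port
```

Files pulled in through Include directives are not followed here; `sudo sshd -T | grep -w port` prints the effective value that sshd itself computes.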

3. Check the settings of the virtual machine firewall

If a firewall is configured on a virtual machine (for example, iptables, ufw, firewalld), it may prevent connection, even if the IP address of the virtual machine is correct, and the SSH service is configured and running.

The steps below temporarily disable all firewall rules, allowing all traffic. This helps confirm whether the firewall is the cause of the problem.

To check the firewall settings:

  1. Connect to the virtual machine console and log in.

  2. Disable the firewall:

    sudo ufw disable
  3. Check for SSH access to the VM.

    If access has appeared, adjust the firewall rules and enable it again.

    If access does not appear, turn on the firewall again and check the settings of the VK Cloud firewall security groups.

To turn on the firewall again:

  1. Connect to the virtual machine console and log in.

  2. Run the command:

    sudo ufw enable

4. Check the settings of the VK Cloud firewall security groups

Incorrectly configured security groups can prevent SSH connection, even if there are no obstacles at the VM level.

The steps below temporarily configure the firewall rules to allow all traffic. This helps confirm whether the firewall is the cause of the problem.

To check the firewall settings:

  1. Go to your VK Cloud personal account.

  2. Select the project where the necessary VM is located.

  3. Go to Cloud Computing → Virtual machines.

  4. Click on the name of the desired VM.

  5. Go to the Networks tab.

  6. Expand the menu of the desired network connection and select Edit connection.

  7. In the Firewall settings parameter:

    1. Delete all selected security groups.

    2. Select the default and all («All allowed») security groups from the drop-down list.

      The default security group allows any outgoing traffic. The all security group allows any incoming traffic.

  8. Click the Save button.

  9. Check for SSH access to the VM.

    If access has appeared, adjust the firewall security groups and add them again instead of the all group.

    If access does not appear, go back to the original firewall settings and contact technical support.

To configure firewall rules again:

  1. Go to your VK Cloud personal account.

  2. Select the project where the necessary VM is located.

  3. Go to Cloud Computing → Virtual machines.

  4. Click on the name of the desired VM.

  5. Go to the Networks tab.

  6. Expand the menu of the desired network connection and select Edit connection.

  7. In the Firewall settings parameter:

    1. Delete the security group all.

    2. Select the necessary security groups from the drop-down list.

      If the selected security groups do not contain rules that allow outgoing traffic, also select the default security group. This group allows outgoing traffic. Otherwise, the virtual machine will not have access to the network.

5. Contact technical support

If the diagnostics did not help to solve the problem, contact technical support and provide the information obtained during the diagnosis.