Fresh 4.4 install -- Can SSH, no Web interface (

[100percentjake]

I'm setting up a cluster using some old Gen 5 Intel and Gen 2 AMD HPE servers (yes, I know, old stuff) running the latest version of Proxmox installed via CD. All have working RAID, network, etc. They're all in a VLAN managed by a cisco switch. I set the IP addresses, domain, etc. in the installation wizard and once the installation completed I was able to SSH into each server and ping out as well as ping the other servers, as well as ping and SSH the servers from my desktop (on the same network). The problem is, the web interface https://*ip*:8006 is timing out. I can get to it via Lynx on the servers, so whatever HTTPd runs the web service is working, but I can't get to it from any external device so I can't do any configuration. I have tried:

• Proxying my machine so it appears on the same subnet
• Using the command-line to cluster the computers together (some have said this will "slap" proxmox into working properly)
• Rebooting. And rebooting. And rebooting.
• Verifying the pveproxy daemon is running
• Ensuring that I am using https:// and port 8006
• Different browsers, clearing cache, etc. (Chrome, IE, Edge)

I'm utterly baffled. Since I can SSH into the machines and SSH out of the machines and ping to my heart's content it doesn't seem to reasonably be a network mis-configuration, nothing particularly unusual about my setup, and it's a fresh install on all three machines. All other threads either seem to be not quite the same issue (e.g. can't SSH either, turns out to be firewall, or had a web config that was working and then broke because a service stopped running, etc.) and most documentation seems to be for older versions of Proxmox (honestly the Wiki is one of the worst docs I've ever encountered in this regard).

Here's some possibly-relevant config data:

root@px1:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
        address 10.10.30.221
        netmask 255.255.255.0
        gateway 10.10.30.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0
root@px1:~# cat /etc/udev/rules.d/70-persistent-net.rules

# PCI device 0x14e4:0x165a (tg3)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:21:5a:50:bf:43", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.

# PCI device 0x8086:0x107d (e1000e)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="68:05:ca:16:e1:66", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
root@px1:~# dmesg | grep eth
[   13.710315] tg3 0000:07:00.0 eth0: Tigon3 [partno(N/A) rev a200] (PCI Express) MAC address 00:21:5a:50:bf:43
[   13.710321] tg3 0000:07:00.0 eth0: attached PHY is 5722/5756 (10/100/1000Base-T Ethernet) (WireSpeed[1], EEE[0])
[   13.710324] tg3 0000:07:00.0 eth0: RXcsums[1] LinkChgREG[0] MIirq[0] ASF[0] TSOcap[1]
[   13.710326] tg3 0000:07:00.0 eth0: dma_rwctrl[76180000] dma_mask[64-bit]
[   13.848333] e1000e 0000:06:00.0 eth1: (PCI Express:2.5GT/s:Width x1) 68:05:ca:16:e1:66
[   13.848336] e1000e 0000:06:00.0 eth1: Intel(R) PRO/1000 Network Connection
[   13.848415] e1000e 0000:06:00.0 eth1: MAC: 1, PHY: 4, PBA No: D50861-009
[   18.175161] device eth0 entered promiscuous mode
[   21.435149] tg3 0000:07:00.0 eth0: Link is up at 1000 Mbps, full duplex
[   21.435158] tg3 0000:07:00.0 eth0: Flow control is on for TX and on for RX
[   21.435180] vmbr0: port 1(eth0) entered forwarding state
[   21.435196] vmbr0: port 1(eth0) entered forwarding state
root@px1:~# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:21:5a:50:bf:43
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3439773 errors:0 dropped:1 overruns:0 frame:0
          TX packets:3344779 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:587534549 (560.3 MiB)  TX bytes:597975152 (570.2 MiB)
          Interrupt:17

eth1      Link encap:Ethernet  HWaddr 68:05:ca:16:e1:66
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:16 Memory:fcee0000-fcf00000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:80 errors:0 dropped:0 overruns:0 frame:0
          TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:15638 (15.2 KiB)  TX bytes:15638 (15.2 KiB)

vmbr0     Link encap:Ethernet  HWaddr 00:21:5a:50:bf:43
          inet addr:10.10.30.221  Bcast:10.10.30.255  Mask:255.255.255.0
          inet6 addr: fe80::221:5aff:fe50:bf43/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3428941 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3344813 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:524660069 (500.3 MiB)  TX bytes:584389602 (557.3 MiB)

root@px1:~#

Thanks,
Jake

 

[Denny]

Have you tried doing something like this

 ssh -L 8006:10.110.30.221:8006 root@10.10.30.221

which will portforward port 8006 on the proxmox host to your local machine. Then you can access the web interface via https://localhost:8006 in your browser.

If that fails try running :

ss -lt |grep 8006

and report the results back here

I'm setting up a cluster using some old Gen 5 Intel and Gen 2 AMD HPE servers (yes, I know, old stuff) running the latest version of Proxmox installed via CD. All have working RAID, network, etc. They're all in a VLAN managed by a cisco switch. I set the IP addresses, domain, etc. in the installation wizard and once the installation completed I was able to SSH into each server and ping out as well as ping the other servers, as well as ping and SSH the servers from my desktop (on the same network). The problem is, the web interface https://*ip*:8006 is timing out. I can get to it via Lynx on the servers, so whatever HTTPd runs the web service is working, but I can't get to it from any external device so I can't do any configuration. I have tried:

• Proxying my machine so it appears on the same subnet
• Using the command-line to cluster the computers together (some have said this will "slap" proxmox into working properly)
• Rebooting. And rebooting. And rebooting.
• Verifying the pveproxy daemon is running
• Ensuring that I am using https:// and port 8006
• Different browsers, clearing cache, etc. (Chrome, IE, Edge)

I'm utterly baffled. Since I can SSH into the machines and SSH out of the machines and ping to my heart's content it doesn't seem to reasonably be a network mis-configuration, nothing particularly unusual about my setup, and it's a fresh install on all three machines. All other threads either seem to be not quite the same issue (e.g. can't SSH either, turns out to be firewall, or had a web config that was working and then broke because a service stopped running, etc.) and most documentation seems to be for older versions of Proxmox (honestly the Wiki is one of the worst docs I've ever encountered in this regard).

Here's some possibly-relevant config data:



Thanks,
Jake

 

[dmora]

Sounds like you have a port filter going on in between you and the proxmox host.
Run an nmap from the source computer to port 8006( nmap -p 8006 ${proxmox_host}), see if it shows as open. At the same time run a tcpdump on the proxmox host and see if you can capture packets hitting port 8006.

Sounds like a network issue...most people are just retarded and just try to go to http://${proxmox_host}, instead of httpS://${proxmox_host}:8006 and cry about how they can't get to the web interface, you seem to be on the right trace here, and proxmox by default has no firewall enabled so I'm thinking its something with your network.

Simple test, plug your laptop directly into the hosts vmbr0. Then try to access the web interface, that'll tell you right there where the issue lies.

 

[100percentjake]

@Denny thanks for the reply. Is that ssh command meant to be run on the server itself or from a linux CLI on my workstation?

The output from ss -lt|grep 8006 is:

LISTEN     0      128        *:8006                     *:*

@dmora nmap shows

Starting Nmap 7.40 ( https://nmap.org ) at 2017-01-05 10:29 Central Standard Time

Nmap scan report for 10.10.30.221

Host is up (0.00s latency).

PORT     STATE    SERVICE

8006/tcp filtered unknown



Nmap done: 1 IP address (1 host up) scanned in 9.41 seconds

So it does look like there is some kind of router that is causing me grief. Annoyingly the network is so complex and antiquated that neither I or the owner can remember what everything does or what device could possibly be blocking port 8006. I logged into what was, I thought, the main router (a mikrotik device) and set an exclusion for port 8006 that would go above any other routing rules. I just now got my laptop in today so I shall likely be heading over to the datacenter later this afternoon to try plugging directly in.

Is there any easy way to change the port that the web interface runs on? When this is eventually set up there will be a completely different network for public-facing stuff and an internal-only network for admin, so I wouldn't imagine it being a security risk to run the admin console on standard HTTP/S ports.

Thanks,
Jake

 

[Denny]

@100percentjake
It is meant to be run from your workstation. Let me know if you are running from a Windows box. I can provide instructions on how to do the equivalent with putty. It is still possible there is a an asymmetric route issue going on but tunneling in will get you going.

@Denny thanks for the reply. Is that ssh command meant to be run on the server itself or from a linux CLI on my workstation?

The output from ss -lt|grep 8006 is:

LISTEN     0      128        *:8006                     *:*

@dmora nmap shows

Starting Nmap 7.40 ( https://nmap.org ) at 2017-01-05 10:29 Central Standard Time

Nmap scan report for 10.10.30.221

Host is up (0.00s latency).

PORT     STATE    SERVICE

8006/tcp filtered unknown



Nmap done: 1 IP address (1 host up) scanned in 9.41 seconds

So it does look like there is some kind of router that is causing me grief. Annoyingly the network is so complex and antiquated that neither I or the owner can remember what everything does or what device could possibly be blocking port 8006. I logged into what was, I thought, the main router (a mikrotik device) and set an exclusion for port 8006 that would go above any other routing rules. I just now got my laptop in today so I shall likely be heading over to the datacenter later this afternoon to try plugging directly in.

Is there any easy way to change the port that the web interface runs on? When this is eventually set up there will be a completely different network for public-facing stuff and an internal-only network for admin, so I wouldn't imagine it being a security risk to run the admin console on standard HTTP/S ports.

Thanks,
Jake

 

[100percentjake]

Now that I have a Windows 10 workstation I installed the Ubuntu subsystem and ran that ssh command in bash. Worked brilliantly and I'm now able to configure my cluster, which also appears to be working just fine.

 

[Denny]

I am glad to hear that. You probably want to chase down the ACL issue before taking this into production but all functions will work via the tunnel method.

 

[100percentjake]

Yeah the whole rack needs rewired. There are lots of switches and cruft that no longer need to be there and two in-production machines that need to be moved. I'm just glad I can finally access and test this cluster. Thanks for all the help!