Cross machine containers not visible

I have set up 2 CoreOS machines in Azure. Both run the Rancher agent.
They are visible in the Rancher UI and I can deploy containers to it.

On one machine, I have deployed Ubuntu and linked it to an HTTP service on the other machine.
The Ubuntu container can see the other machine, so the network seems correct so far.

$ ping cow1          <-- that is the other machine                                           
PING ( 56(84) bytes of da
64 bytes from icmp_seq=1 ttl=63 time=6.96 ms       

But it cannot see the HTTP service; it fails with the message “No route to host”.

$ ping httpservice    <-- that is the linked service on cow1

PING httpservice.rancher.internal ( 56(84) bytes of data.         
From icmp_seq=1 Destination Host Unreachable                         

The service runs with the default Rancher managed network (httpservice.rancher.internal ( )

This is probably not at all related to Rancher but rather my lack of Linux knowledge.
But any pointers would be welcome here.

I have also set up the exact same topology locally but running RancherOS, and with this configuration, the linked containers can see each other without any issues.

Is there something that RancherOS does that CoreOS doesn’t do out of the box when it comes to networking?


Are UDP ports 500 and 4500 open so that the IPsec tunneling works?


It’s very likely Denise is correct. You can see if the IPsec tunnels are up or not by opening a shell to the Network Agent on each host and entering this command:

swanctl --list-sas

An established tunnel/SA looks something like this:

conn-remote_ip: #78, ESTABLISHED, IKEv2, a75bfed49d30557f:bfcb7f908683b271
  local  '' @
  remote '' @ remote_ip
  established 3919s ago, rekeying in 10412s
  child-remote_ip: #1, reqid 1234, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128
    installed 257976s ago
    in  c40bff09, 6824631634 bytes, 33586897 packets
    out c217eecc, 6111275912 bytes, 34117586 packets
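An added example, not part of the original posts: a small Python check that reads `swanctl --list-sas` output in the layout shown above and reports which expected peers have no ESTABLISHED IKE SA or no INSTALLED child SA. The sample output, the `conn-<ip>` names and addresses, and the function names `parse_sas` and `tunnel_problems` are constructed for illustration.

```python
import re

# Constructed sample in the layout shown in the post above; names and
# addresses are placeholders, not values from the thread.
SAMPLE = """\
conn-10.0.0.2: #78, ESTABLISHED, IKEv2, a75bfed49d30557f:bfcb7f908683b271
  local  '10.0.0.1' @ 10.0.0.1
  remote '10.0.0.2' @ 10.0.0.2
  established 3919s ago, rekeying in 10412s
  child-10.0.0.2: #1, reqid 1234, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128
    installed 257976s ago
conn-10.0.0.3: #79, CONNECTING, IKEv2, 1111111111111111:0000000000000000
  local  '10.0.0.1' @ 10.0.0.1
  remote '10.0.0.3' @ 10.0.0.3
"""

# IKE SA headers start at column 0; child SA headers are indented.
IKE_RE = re.compile(r"^(\S+): #\d+, (\w+), IKEv\d")
CHILD_RE = re.compile(r"^\s+(\S+): #\d+, reqid \d+, (\w+), ([\w-]+)")

def parse_sas(text):
    """Return {conn_name: {"state": str, "children": [(name, state, mode)]}}."""
    sas, current = {}, None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            current = sas.setdefault(m.group(1), {"state": m.group(2), "children": []})
            continue
        m = CHILD_RE.match(line)
        if m and current is not None:
            current["children"].append(m.groups())
    return sas

def tunnel_problems(text, expected):
    """Describe every expected connection that is not fully up."""
    sas = parse_sas(text)
    problems = []
    for name in expected:
        sa = sas.get(name)
        if sa is None:
            # A peer that never negotiated does not appear in the listing at all.
            problems.append(f"{name}: no IKE SA listed (check UDP 500/4500 between hosts)")
        elif sa["state"] != "ESTABLISHED":
            problems.append(f"{name}: IKE SA is {sa['state']}, not ESTABLISHED")
        elif not any(state == "INSTALLED" for _, state, _ in sa["children"]):
            problems.append(f"{name}: IKE SA up but no INSTALLED child SA")
    return problems
```

Run it on each host's Network Agent output with the list of peers that host should have tunnels to; an empty result means every expected tunnel is up.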