Question

Problems with remote connection to my mongodb server

Posted July 7, 2017 36.7k views
MongoDBUbuntu 16.04

I’m having problems connecting to my newly created mongodb replicas set. I created 3 new One-Click severs in the NYC3 data center using the Private Networking option. Getting the replica set running was fairly simple and internally things seems to be working correctly on each server. The problem is that I don’t seem to be able to connect to mongo from any servers outside the set. I can run mongo xx.xx.xx.xx:27017 -u -p and connect to each server from each other server in the data center, but the same command is not working from my dev machine or my servers in other data centers. What am I doing wrong?

This is my configuration.

Cloudflare:
A record pointing XXXX.domain.com to each server IP

/etc/mongod.conf

# mongod.conf

# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# Where and how to store data.
storage:
  dbPath: /var/lib/mongodb
  journal:
    enabled: true
#  engine:
#  mmapv1:
#  wiredTiger:

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1,159.203.68.XX

processManagement:
  fork: true

security:
  authorization: enabled

#operationProfiling:

replication:
  replSetName: volatize0

#sharding:

## Enterprise-Only Options:

#auditLog:

#snmp:

Firewall setup commands

sudo apt-get install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow from ip_of_server/32 to any port 27017
sudo ufw allow from ip_of_dev_system/32 to any port 27017
sudo ufw enable

/etc/hosts

127.0.1.1           mongo-01
127.0.0.1           localhost mongo-01
XX.XX.XX.XX       mongo-01.domain.com
XX.XX.XX.XX      mongo-02.domain.com
XX.XX.XX.XX     mongo-03.domain.com

netstat -anp

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 159.203.68.XX:27017     0.0.0.0:*               LISTEN      1804/mongod     
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      1804/mongod     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1576/sshd       
tcp        0      0 159.203.68.XX:27017     159.203.113.100:41370   ESTABLISHED 1804/mongod     
tcp        0      0 159.203.68.XX:45276     159.203.113.100:27017   ESTABLISHED 1804/mongod     
tcp        0      0 159.203.68.XX:45280     159.203.113.100:27017   ESTABLISHED 1804/mongod     
tcp        0      0 159.203.68.XX:59872     159.203.103.186:27017   ESTABLISHED 1804/mongod     
tcp        0    296 159.203.68.XX:22        170.20.11.13:28087      ESTABLISHED 1721/0          
tcp        0      0 159.203.68.XX:45278     159.203.113.100:27017   ESTABLISHED 1804/mongod     
tcp        0      0 159.203.68.XX:27017     159.203.103.186:41502   ESTABLISHED 1804/mongod     
tcp6       0      0 :::22                   :::*                    LISTEN      1576/sshd
Add a comment
chadspecter
By:
chadspecter
edited by asb
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
3 answers
chadspecter July 7, 2017

I am just using DNS passthrough in Cloudflare. I have not even attempted to enable the private networking addresses yet as I just wanted to get it working over the open IPs first.

Here is the output of sudo lsof -iTCP -sTCP:LISTEN -P

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    1576 root    3u  IPv4  14187      0t0  TCP *:22 (LISTEN)
sshd    1576 root    4u  IPv6  14189      0t0  TCP *:22 (LISTEN)
mongod  1804 root    7u  IPv4  16752      0t0  TCP localhost:27017 (LISTEN)
mongod  1804 root    9u  IPv4  16754      0t0  TCP mongo-01.domain.name:27017 (LISTEN)
Reply Report
  • hansen July 7, 2017

    @chadspecter Try checking your firewall log to see if your dev-IP shows up.
    /var/log/ufw.log

    Reply Report
    • chadspecter July 7, 2017

      I don’t see any of my allowed IPs in the ufw.log. Only a bunch of [UFW BLOCK] entries. Here is the output from sudo ufw status. The IP there is my dev ip.

      Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere                  
80                         ALLOW       Anywhere                  
443                        ALLOW       Anywhere           
27017                      ALLOW       170.20.11.13              
OpenSSH                    ALLOW       Anywhere                  
22 (v6)                    ALLOW       Anywhere (v6)             
80 (v6)                    ALLOW       Anywhere (v6)             
443 (v6)                   ALLOW       Anywhere (v6)             
OpenSSH (v6)               ALLOW       Anywhere (v6)

      Everything seems kosher with the firewall, but I still can’t connect. I can connect to other servers on port 27017 with my dev box, so it’s not the firewall on that end. It has to be server config somewhere. I also set the droplet to use IPv6. Could that be causing any problems?

      Reply Report
      • hansen July 7, 2017

        @chadspecter
        If your ISP is preferring IPv6, then yes, that could be a problem, since you’re not allowing that traffic. And is 170.20.11.13 your dev-IP?
        Check your configuration on the other servers - does it match this one?

        Reply Report
hansen July 7, 2017

Hi @chadspecter

If you’re the “Private Networking” function, meaning the IPs starting with 10.x.x.x, then they are only accessible inside the data center.
You should be using those IPs to connect the different databases together, since it will be much faster than using the public IP.

Are you using the CloudFlare protection on those A-records or just the DNS with passthru? You should use the passthru, so nothing gets mumbled by CloudFlare.

Can you run this command to list the services listening:

sudo lsof -iTCP -sTCP:LISTEN -P
Reply Report
chadspecter July 8, 2017

OK. So it was the IPv6 thing. I rebuilt the replica set as IPv4 and everything works fine. I guess the ISP my office uses has not upgraded yet. Tried the IPv6 system at home (Verizon Fios) and it worked. Thanks for the help!

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help