I think this might be related to the puppet 5.5.6 update. I'm seeing the iptables rules not being properly applied. Under puppet 5.5.6 the iptables-save output on the undercloud looks like this (it shows no *nat table, no OUTPUT rules, and none of the numbered service rules from 104 up, so new connections that openstack-INPUT does not explicitly accept hit its final REJECT):

# Generated by iptables-save v1.4.21 on Tue Nov 13 00:53:34 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:68]
:openstack-INPUT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "000 accept related established rules ipv4" -j ACCEPT
-A INPUT -p icmp -m state --state NEW -m comment --comment "001 accept all icmp ipv4" -j ACCEPT
-A INPUT -i lo -m state --state NEW -m comment --comment "002 accept all to lo interface ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "003 accept ssh ipv4" -j ACCEPT
-A INPUT -s 198.72.124.180/32 -j ACCEPT
-A INPUT -s 198.72.124.178/32 -j ACCEPT
-A INPUT -j openstack-INPUT
-A INPUT -m state --state NEW -m limit --limit 20/min --limit-burst 15 -m comment --comment "998 log all ipv4" -j LOG
-A openstack-INPUT -i lo -j ACCEPT
-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A openstack-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 19885 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p udp -m udp --dport 69 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 6385 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 80 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8000 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8003 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8004 -j ACCEPT
-A openstack-INPUT -m limit --limit 2/min -j LOG --log-prefix "iptables dropped: "
-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Nov 13 00:53:34 2018

But under puppet 4.8.2, it's:

# Generated by iptables-save v1.4.21 on Mon Nov 12 19:27:19 2018
*nat
:PREROUTING ACCEPT [2:64]
:INPUT ACCEPT [2:64]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 169.254.169.254/32 -i br-ctlplane -p tcp -m multiport --dports 80 -m state --state NEW -m comment --comment "144 undercloud metadata nat ipv4" -j REDIRECT --to-ports 8775
COMMIT
# Completed on Mon Nov 12 19:27:19 2018
# Generated by iptables-save v1.4.21 on Mon Nov 12 19:27:19 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:openstack-INPUT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "000 accept related established rules ipv4" -j ACCEPT
-A INPUT -p icmp -m state --state NEW -m comment --comment "001 accept all icmp ipv4" -j ACCEPT
-A INPUT -i lo -m state --state NEW -m comment --comment "002 accept all to lo interface ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "003 accept ssh ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 873,3306,4444,4567,4568,9200 -m state --state NEW -m comment --comment "104 mysql galera ipv4" -j ACCEPT
-A INPUT -p vrrp -m state --state NEW -m comment --comment "106 neutron_l3 vrrp ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 4369,5672,25672 -m state --state NEW -m comment --comment "109 rabbitmq ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,13000,35357 -m state --state NEW -m comment --comment "111 keystone ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9292,13292 -m state --state NEW -m comment --comment "112 glance_api ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8774,13774,8775 -m state --state NEW -m comment --comment "113 nova_api ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9000,8888,3000,13888 -m state --state NEW -m comment --comment "113 zaqar_api ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9696,13696 -m state --state NEW -m comment --comment "114 neutron api ipv4" -j ACCEPT
-A INPUT -p udp -m multiport --dports 67 -m state --state NEW -m comment --comment "115 neutron dhcp input ipv4" -j ACCEPT
-A INPUT -p udp -m multiport --dports 4789 -m state --state NEW -m comment --comment "118 neutron vxlan networks ipv4" -j ACCEPT
-A INPUT -s 192.168.24.0/24 -p tcp -m multiport --dports 11211 -m state --state NEW -m comment --comment "121 memcached ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8080,13808 -m state --state NEW -m comment --comment "122 swift proxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 873,6000,6001,6002 -m state --state NEW -m comment --comment "123 swift storage ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8004,13004 -m state --state NEW -m comment --comment "125 heat_api ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8000,13800 -m state --state NEW -m comment --comment "125 heat_cfn ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6385,13385 -m state --state NEW -m comment --comment "133 ironic api ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8989,13989 -m state --state NEW -m comment --comment "133 mistral ipv4" -j ACCEPT
-A INPUT -p udp -m multiport --dports 69 -m state --state NEW -m comment --comment "134 ironic conductor TFTP ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8088 -m state --state NEW -m comment --comment "135 ironic conductor HTTP ipv4" -j ACCEPT
-A INPUT -p gre -m comment --comment "136 neutron gre networks ipv4" -j ACCEPT
-A INPUT -i br-ctlplane -p udp -m multiport --dports 67 -m state --state NEW -m comment --comment "137 ironic-inspector dhcp input ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5050 -m state --state NEW -m comment --comment "137 ironic-inspector ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8778,13778 -m state --state NEW -m comment --comment "138 nova_placement ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8775,13775 -m state --state NEW -m comment --comment "139 nova_metadata ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8787,13787 -m state --state NEW -m comment --comment "155 docker-registry ipv4" -j ACCEPT
-A INPUT -s 158.69.71.101/32 -j ACCEPT
-A INPUT -s 158.69.70.92/32 -j ACCEPT
-A INPUT -j openstack-INPUT
-A INPUT -m state --state NEW -m limit --limit 20/min --limit-burst 15 -m comment --comment "998 log all ipv4" -j LOG
-A OUTPUT -p udp -m multiport --dports 68 -m state --state NEW -m comment --comment "116 neutron dhcp output ipv4" -j ACCEPT
-A OUTPUT -p udp -m multiport --dports 68 -m state --state NEW -m comment --comment "137 ironic-inspector dhcp output ipv4" -j ACCEPT
-A openstack-INPUT -i lo -j ACCEPT
-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A openstack-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 19885 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p udp -m udp --dport 69 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 6385 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 80 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8000 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8003 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8004 -j ACCEPT
-A openstack-INPUT -m limit --limit 2/min -j LOG --log-prefix "iptables dropped: "
-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Nov 12 19:27:19 2018