This is something that catches me out every time I build a CloudStack instance (you would think I would know better by now.)
You build your cloud and import some ISOs directly from vendor web sites then you remember Oracle Linux is only available via authenticated link. So you drop the ISO onto an internal web server and point the import to that. Bam, your template get connection refused and wont download.
The key here is that CloudStack treats internal and external (as in Private and public IPs differently) you need to set the secstorage.allowed.internal.sites value to include details of the private IPs you need to be able to import ISOs and templates from.
To update this setting login to your CloudStack instance as a root admin level user and navigate to Home > Global Settings and search for secstorage.allowed.internal.sites
This option has the following description:
Comma separated list of cidrs internal to the datacenter that can host template download servers, please note 0.0.0.0 is not a valid site
Unfortunately as with most settings in Global Settings you will need to restart your management service on all management nodes.
WillowSphere 
Leave a comment