I've figured this out, but to help those out there who don't want to waste an hour like me debugging a hung "nodetool ring" command: JMX opens a second random port, so you either have to disable any firewalls between the machine running nodetool and the cassandra instance (or there are complicated workaround that I didn't try, overriding some class and a new non-RMI based version of JMX that is sun/oracle only).
I'm in EC2, and I'm using security groups + iptables for 2x firewall redundancy. Now some of my instances are using just security groups. It's a bummer, but not terrible. For anyone who can't just open the firewall, I sympathize! will
