vSphere Availability

 View Only
Expand all | Collapse all

could not reach isolation address

Ken_Mc

Ken_McSep 01, 2011 03:52 PM

  • 1.  could not reach isolation address

    Posted Sep 01, 2011 03:38 PM

    So, I just upgraded my vCentre server to 5 and now all my 4.1 ESX servers are responding with:

    vSphere HA agent on this host could not reach isolation address: 192.168.0.1

    Any idea why this message occurs now, and not before the upgrade?  How do I turn off this message?



  • 2.  RE: could not reach isolation address

    Posted Sep 01, 2011 03:50 PM

    Just a quick question. Is this the correct isolation address (usually the management network's gateway address)?

    André



  • 3.  RE: could not reach isolation address

    Posted Sep 01, 2011 03:52 PM

    Yes.



  • 4.  RE: could not reach isolation address

    Posted Sep 01, 2011 04:25 PM

    Are you able to ping this address from the ESXi hosts?

    André



  • 5.  RE: could not reach isolation address

    Posted Sep 01, 2011 04:39 PM

    I think so.  It's our main firewall supporting 1000 users.  I can ping from all VM's, but I havn't tried from the host.  Why would that change with the upgrade, did the firewall settings change?



  • 6.  RE: could not reach isolation address

    Posted Sep 05, 2011 02:16 PM

    Have you tried 'reconfiguring for HA' on the hosts? It maybe that the HA agent is playing up for some reason following the upgrade. Can you confirm whether you can ping the gateway address from one/all of your hosts.

    Regards.



  • 7.  RE: could not reach isolation address

    Posted Sep 06, 2011 03:01 PM

    Yes, I've tried the reconfiguration.  Yes, I can ping from all the hosts.

    I've since opened a ticket with VMware, and so far they have been unable to resolve my issue.



  • 8.  RE: could not reach isolation address

    Posted Sep 06, 2011 03:25 PM

    And there are no host config issues complaining of lack of access to other hosts' IP addresses?  How many hosts in the cluster?  Any other hosts have the same issue?

    Each HA agent (fdm) slave performs periodic pings of each other HA agent slave every 5 minutes by default.  It also pings the default gateway for the management interfaces every 5 minutes.  Those pings are initiated through the physical adapter associated with the management vSwitch, so it is possible there is no route between the management vSwitch's adapter and the default gateway, even though you can initiate a successful ICMP ping from the host itself, since it may be using a different vSwitch's physical adapter which does have a route to the default gateway.  Please take a look at that first by examining the host's configuration Networking.

    If that fails to yeild an answer, can you check the file /var/run/log/fdm.log (or one of its gzipped backups if you reconfigured a while ago) or your host's syslog if redirected to see if there are any errors such as "Failed to create ipv[4|6] socket", or see if there are any other errors or warnings.  search for "ClusterPing" in these log files.  Turning on "trivia" level logging may be better for diagnosing this.  to do that, set the HA cluster advanced option das.config.log.level to trivia.  The reconfigure HA on that host, wait for the config issue, then examine the FDM log on that host.

    Let us know if this is of help.



  • 9.  RE: could not reach isolation address

    Posted Sep 06, 2011 03:48 PM

    I have 2 hosts in one cluster and 3 hosts in another cluster.  All hosts are complaining - "could not reach...".  This only happened after the upgrade of vCentre server.  I have since upgraded all the hosts from 4.1 to 5.0 and no change.



  • 10.  RE: could not reach isolation address

    Posted Sep 06, 2011 03:32 PM

    Can you supply us with the SR number so we (in engineering) can monitor and take a look at the logs?



  • 11.  RE: could not reach isolation address

    Posted Sep 06, 2011 03:42 PM

    Well I only have one subnet, no routing on my network.  Our firewall is getting spammed by all the hosts actually - reported to be one ping per second per host.

    I've just turned on that logging option and sent you my SR number.



  • 12.  RE: could not reach isolation address

    Posted Sep 06, 2011 03:50 PM

    Once a host cannot ping its isolation address, the frequency of pings rises to every second for 5 seconds until the address becomes pingable again.  This is to remove the configuration issue as quickly after recovery as possible.



  • 13.  RE: could not reach isolation address

    Posted Dec 12, 2011 07:39 PM

    Hi,

         All of our hosts are receiving the same error after having been updated to vSphere 5.  Our vMotion is on a separate VLAN/subnet since staying on the same subnet as the Maintenance Network defeats the network vmnic assignments for Virtual Standard Switches (thanks, VMware), and forces VMotions over the Management Network no matter how you've configured it.  That being the case, is there a workaround for this problem?  As it stands now, I am unable to ping the gateway for the VMotion network from any of our upgraded hosts, and not for any network related issue.

         Thanks,

              NYSteve



  • 14.  RE: could not reach isolation address

    Posted Jul 03, 2012 08:29 AM

    I have the exact same issue. Did you find a way to make it work ?



  • 15.  RE: could not reach isolation address

    Posted Jul 03, 2012 08:43 AM

    Slymsoft wrote:

    I have the exact same issue. Did you find a way to make it work ?

    Could you describe your setup? If possible, a screenshot of the networking view on a host reporting this.



  • 16.  RE: could not reach isolation address

    Posted Jul 03, 2012 09:14 AM

    I found the issue : it looks like vSphere HA is pinging using the maximum size of packet (1472 for MTU 1500) and this was blocked on our network equipment. Plus, there was a rule on the maximum number of ping allowed in a time frame.

    I hope it helps.



  • 17.  RE: could not reach isolation address

    Posted Jul 03, 2012 09:20 AM

    Slymsoft wrote:

    I found the issue : it looks like vSphere HA is pinging using the maximum size of packet (1472 for MTU 1500) and this was blocked on our network equipment.

    How could default packet sizes be blocked? Sounds like a difficult setup to maintain. Nice to hear that the problem was solved anyway!



  • 18.  RE: could not reach isolation address

    Posted Jul 03, 2012 11:33 AM

    only ICMP requests with maximum size were blocked.



  • 19.  RE: could not reach isolation address

    Posted Jul 03, 2012 02:33 PM

    I had fixed this last year by chaning the IP to something that can be pinged.  That was the solution tech support gave me at the time, although I don't know if anythings changed.



  • 20.  RE: could not reach isolation address

    Posted May 27, 2013 04:36 PM

    My Solution

    In my case my default gateway is my firewall which has ping disabled by default. I created a firewall rule that allowed the ip adresses of my hosts to ping the firewall. Instant success.