VMware vSphere

Hello,

In order to isolate my production servers from my DMZ servers, I installed ESXi on a computer. That installation is customized with the network drivers and SATA drivers of the server. The DMZ VMs were moved from the production servers using the export method.

Now from the ESXi host:

* I can access the web completely, wget retrieves pages, etc...

From virtual machines on the ESXi host:

* I can ping the local network

* I can ping google, microsoft, vmware, ...

* I can access shares, web, whatever from any machine on the vSwitch to any machine on the vSwitch

But I cannot browse to google, samba to local network shares, ftp, telnet ... If I reload the VMs before export on the production server they work fine.

I tried:

* clean install of a VM, no luck

* modifying the network adapter settings, no luck

* using only one NIC, no luck

* using only one NIC on a separate vSwitch, no luck

Any idea why I would be able to ping whatever I want, but unable to access anything else ?

Regards,

Hi,

have you check your Gatway, DNS setting?

Frank

Before answering, weird question, not to insult or anything.

How could I ping let's say: www.google.com and not browse it ? I mean, ping or IE or explorer do use the same DNS / GateWay settings no ? Or do you mean like another DNS / GateWay config other than the VMs' ?

And the DNS / Gateway settings are good, I checked. Though PING and NSLOOKUP work. PING pings the net and NSLOOKUP actually queries my internal DNS.

They are given via DHCP. At the moment, I have the DMZ network configured on both the production farm and the DMZ host. The settings work fine on the production farm. So I'd guess they work fine on the DMZ server.

Regards,

PS: I modified the initial message to indicate that inside the vSwitch, VMs can talk to each other through nfs, web, etc...

Oh, and if it helps, I tried browsing google through an IP directly. No luck either.

And when I mean I can ping, I mean the VM's on the DMZ host can ping the production LAN, and vice versa.

ORagain wrote:

Before answering, weird question, not to insult or anything.

How could I ping let's say: www.google.com and not browse it ? I mean, ping or IE or explorer do use the same DNS / GateWay settings no ? Or do you mean like another DNS / GateWay config other than the VMs' ?

browsing works if port 80 is opened. Check firewall please.

Ok, now I know I am unclear.

The virtual machine, situated on the ESXi host in the DMZ is not able to open in its browser google but is able to ping it. This is the flow of traffic as it should be: (at least from my point of view)

VM -> ESXi -> Network Fabric (DMZ vlan) -> Company Firewall -> Internet -> Google

Now, regarding the company firewall, by default anybody in the network be it on the LAN or in the DMZ is able to access the internet and browse google. However the VM is unable to browse but is able to ping and further more, it is able to use the internal DNS to resolve, it is also able to use DHCP. So all around, at the moment the following protocols are able to get out of the VM to anywhere:

* ICMP, DNS, DHCP

but the following protocols are not able to get out of the VM to anywhere:

* FTP, HTTP

And just in case, I opened the VM's firewall. Nothing changed. It would not explain why the same VM on different farms is able to work completely in one case, and only partially in the other case.

Regards,

Hi,

that looks like the needed ports are blocked by the firewall.

Something like, ip adress 192.168.1.2 is able to and 192 168.1.3 not. Check at your firewall (not vm firewall, dmz firewall or internet firewall, proxy etc.) if you have to give a special access to the ip adress of your vm so that the vm is able to browse.

Frank

Ok, since the site is down, at least on my side, let’s try answering via email. (darn, did not work)

Nope, did not try telnet, and yes am kinda getting frustrated :smileyhappy: I am sure the solution will be something totally stupid in the end and I’ll just end up bashing my head ‘gainst a wall. As for the telnet tests, the results are:

• Impossible to telnet to port 80 on google or even the intranet
  
• Impossible to telnet even to the switch fabric
  

So, telnet is added to the list of things not working.

As for a firewall issue, the flows, at least to the intranet do not go through any firewall and I have no ACLs on my core routers. And I checked to see if I had any specific IP configured in rules on the firewall, it is not the case. So why would the same IP range work when used on the production farm, but not on the DMZ host ?

Also,I am able to upload ISO files to the host datastore and uploading a Linux ISO atm. Will be able to make more tests that way. And also, since I am still in the testing phase, I have no network rules or firewall between my DMZ and the LAN.

Am gonna run one last test (am exporting the VM from the DMZ host back to the prod farm) and see if the VM works fine that way.

Regards,

Okay, so additionnal information:

* VM Windows 2008 R2: works on the production farm after being moved from the DMZ host. Still not working on the DMZ host though.

* VM CentOS 64 bits: works on DMZ host

* VM Windows 2003: a bit less worse than 2008 but network connection is completely unstable and thus unusable.

And now I am out of ideas to test :smileyhappy: And I tried VMs with and without the VMWare tools, I also tried e1000 / vmnic3 for network adapters.

If this rings any bell for anyone, I'll take the solution in a heartbeat.

Regards,

Ok, so found a solution. It seems that on ESXi 4.1, Tcp Offload Engine bugs on windows servers.

For more information:

* http://www.barkingseal.com/2010/07/slow-network-performance-for-windows-2008-on-vmware-esxi/

which links to:

* http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006619

Though, it is ESXi 4.1, it seems this problem still applies. At least the solution works perfectly. Now I just need to redo all my templates for the ESXi host with the TOE disabled.

I'll just add one comment to the first article:

* on 2008 there is like zero network, while on 2003 the network is on and off, at least on my setup

Thanks for the time helping and in the case where someone wants some more specs, I can provide them.

Regards,

Interesting and yet dissapointing.

Thanks for sharing! :smileyhappy:

Just for curiosity's sake, what do you mean by dissapointed ? You where thinking of something slickier ?

Because that's a big issue to consider when virtualizing W2K8 in VMware.

I wasn't aware of this.:smileyplain:

For additional information, I am using a customized ESXi4 because I had to load a different network card driver (it is a Realtek 8111 if i am not mistaken). So this problem might happen only on customized rigs. I've had no problem on standard servers from HP or Dell for the moment. But unfortunately I cannot test those hypothesis since I am in a small company.

And the problem appears on 2003 and 2008, it is just more prononced on 2008.(no network except DHCP / DNS / ICMP, which I guess do not use TOE, really need to check out this point)

Regards,

Zup ORagain?

Not to sound annoying or anything because perhaps you've tried it already but still:

TELNET 80?