10 Replies Latest reply on Feb 2, 2015 12:28 PM by a.p.

    HA Pinging Gateway constantly

    MJMSRI Novice

      Hi All,

      I have configured a HA cluster with 2 ESXi hosts in vCenter 5.

      I enabled just HA on the cluster and all was fine.

      However, since enabling, our network has been slow and our WatchGuard firewall has been denying pings constantly from both hosts!!

      So both hosts are constantly trying to ping the default gateway on our network, but ping is disabled so it's been getting denied.

      I turned off HA on the cluster and pinging stopped and network was fast again!!

      Any ideas why HA is doing this?

      Is it related to the Heartbeat feature?

      Cheers

        • 1. Re: HA Pinging Gateway constantly
          a.p. Guru
          Community Warriors, User Moderators, vExpert

          The default gateway's IP address is used as the isolation address by HA. Did you deny ICMP only for the default gateway or did you deny it at all? If it is just denied for the default gateway you may configure another reliable isolation address which can be used by HA.

          Please see the explanations for das.isolationaddress[x] as well as das.usedefaultisolationaddress at e.g. http://www.yellow-bricks.com/vmware-high-availability-deepdiv/

          André

          1 person found this helpful
          • 2. Re: HA Pinging Gateway constantly
            depping Champion
            VMware Employees, User Moderators

            It is a built-in check indeed that HA does to validate the default gateway is still reachable. It is just a regular ping and it surprises me it would impact the performance of your environment.

            • 3. Re: HA Pinging Gateway constantly
              MJMSRI Novice

              Well, ping is disabled on my WatchGuard firewall.

              So if ping is disabled and ping requests from ESXi hosts are denied, does that mean HA will fail?

              • 4. Re: HA Pinging Gateway constantly
                a.p. Guru
                User Moderators, vExpert, Community Warriors
                ... does that mean HA Will fail?

                Even worse. If the hosts don't receive heartbeats from each other anymore and are not able to reach (ping) the isolation address, HA will be triggered and - depending on the HA settings - your VMs on the isolated host might be shut down/powered off and restarted on other hosts.

                André

                • 5. Re: HA Pinging Gateway constantly
                  depping Champion
                  User Moderators, VMware Employees

                  If it is, you should do the following:

                  configure "das.usedefaultisolationaddress" to "false"

                  and configure a "das.isolationaddress0" to a pingable address. This address is what HA uses to validate if the host is isolated from the rest of the network or not; it is a lifeline.

                  You can find a lot of details in my deepdive post: http://www.yellow-bricks.com/vmware-high-availability-deepdiv/

                  • 6. Re: HA Pinging Gateway constantly
                    Josh26 Master

                    MJMSRI wrote:

                    Well, ping is disabled on my WatchGuard firewall.

                    So if ping is disabled and ping requests from ESXi hosts are denied, does that mean HA will fail?

                    From inside the network?

                    VMware aside, all this is likely to achieve is more difficult troubleshooting.

                    • 7. Re: HA Pinging Gateway constantly
                      rickardnobel Virtuoso

                      MJMSRI wrote:

                      However, since enabling, our network has been slow and our WatchGuard firewall has been denying pings constantly from both hosts!!

                      Are you really sure the network became "slow" from this? It seems incredibly strange that a modern network will not be able to handle some ICMP Echos when it should be able to manage traffic throughput hundreds of times more.

                      Do you have a security reason to not allow ping from inside the management network on your router/firewall? I believe the most non-complicated solution is to change the firewall rules in this situation.

                      • 8. Re: HA Pinging Gateway constantly
                        Enthusiast

                        Ordinarily, each host in an HA cluster pings each of the isolation addresses once per hour. If the ping fails, an HA configuration issue is reported to the UI, and a more aggressive ping is initiated by each host, pinging once every 5 seconds. The reason for the more aggressive ping is to more quickly resolve the configuration issue once the isolation address(es) once again becomes pingable.

                        There should be no "flood" of ICMP messages, and it should have little impact on network performance. The ICMP packet is 53 bytes long and sent once every 5 seconds from each of the HA hosts until the address(es) become pingable once again, at which point it returns to pinging once per hour.

                        If your default gateway is never pingable because of your firewall, you should open up the ports needed by HA, or disable the isolation address monitoring using advanced options (das.useDefaultIsolationAddress = false). But doing this means that you will have no protection against a network isolation condition.
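
An added example (not written by any poster in this thread) of checking firewall deny logs against the cadence described in reply 8: it groups denied ICMP echoes by source and labels a flow as an HA isolation-address retry when its median gap is about 5 seconds. The log format, the addresses and the function names are assumptions constructed for the illustration; they are not WatchGuard output.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed generic deny-log line: "<epoch> deny icmp-echo src=<ip> dst=<ip> len=<bytes>"
LINE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) deny icmp-echo "
                  r"src=(?P<src>\S+) dst=(?P<dst>\S+) len=(?P<len>\d+)$")

def constructed_log():
    """Constructed sample input, not real firewall output."""
    t0, lines = 1422612000, []
    for i in range(12):                    # two HA hosts retrying every 5 s
        for host in ("10.0.0.11", "10.0.0.12"):
            lines.append(f"{t0 + 5 * i} deny icmp-echo src={host} dst=10.0.0.1 len=53")
    for i in range(40):                    # unrelated client, 20 echoes per second
        lines.append(f"{t0 + i * 0.05:.2f} deny icmp-echo src=10.0.0.77 dst=10.0.0.1 len=1500")
    lines.append("unparseable line that must be skipped")
    return lines

def classify(lines, retry_s=5.0, tolerance_s=1.0):
    """Group denied echoes by (src, dst); label each flow by its cadence."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m:
            flows[(m["src"], m["dst"])].append((float(m["ts"]), int(m["len"])))
    report = {}
    for key, events in flows.items():
        events.sort()
        times = [t for t, _ in events]
        if len(times) < 3 or times[-1] == times[0]:
            report[key] = ("too-few-samples", 0.0)
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Bytes per second over the observed window (first packet opens it).
        rate = sum(n for _, n in events[1:]) / (times[-1] - times[0])
        if abs(median(gaps) - retry_s) <= tolerance_s:
            label = "ha-isolation-retry"   # matches the 5-second retry cadence
        elif median(gaps) < 1.0:
            label = "high-rate"            # sub-second gaps: not the HA cadence
        else:
            label = "other"
        report[key] = (label, round(rate, 1))
    return report

if __name__ == "__main__":
    for (src, dst), (label, rate) in sorted(classify(constructed_log()).items()):
        print(f"{src} -> {dst}: {label}, {rate} bytes/s")
```
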

                        • 9. Re: HA Pinging Gateway constantly
                          Basavaraj R Navalgund Enthusiast

                          Hi MJMSRI, Wow, Depping replied to your answer. No one can deny. Regards Raj

                          • 10. Re: HA Pinging Gateway constantly
                            a.p. Guru
                            vExpert, Community Warriors, User Moderators

                            @