VMware Cloud Community
julienvs
Contributor
Contributor
‎08-30-2011 01:11 AM

ESXi with no internet connection

Hi All,

I'm new to ESXi.

I installed version 4.1 with a Cent OS to test the installation.

Our Watchguard (20.0.20.1) serves as a DHCP server and is connected to the ESXi.

VMK0 had 20.0.20.20 and I can connect van the vSphere client, I see and I can manage my Virtual machines.

My virtual machines connect to the network in dhcp and obtain IP adresses (cent os: 20.0.20.201, router 20.0.20.1 and dns 8.8.8.8).

Our problem is that none of our virtual machines has access to the internet.

Other physical servers connected to the firewall do have access and all policies are set to allow ougoing traffic.

The other weird thins is that we have access to the virtual machines from the outside.

Is there anyone knowing in what direction I should look?

Kind regards,

Julien

Reply
0 Kudos
16 Replies
iw123
Commander
Commander
‎08-30-2011 02:13 AM

This sounds as though its an issue with firewall configuration. I'd start by checking the rules.

*Please, don't forget the awarding points for "helpful" and/or "correct" answers
Reply
0 Kudos
a_p_
Leadership
Leadership
‎08-30-2011 02:54 AM

Welcome to the Community,

for troubleshooting try to ping the gateway (your router first). If this is successful, try to ping the DNS server. If this also works then you need to check the firewall rules again.

Do you use a proxy for Internet access?

Are you able to resolve Internet URLs?

André

Reply
0 Kudos
julienvs
Contributor
Contributor
‎08-30-2011 04:33 AM

Hi iw123,

Thanks for your reply.

That's what I thought and still think off, but what kind of problem?

The policies seem fine, could it be some compatibility issue with our firewall (Watchguard) like giving more than one IP to a NIC?

Thanks again,

Julien

Reply
0 Kudos
julienvs
Contributor
Contributor
‎08-30-2011 04:38 AM

Hi André,

Yes, I can ping the gateway and other devices on the behind the firewall, even the ones on another subnet.

No, I can't ping 8.8.8.8. (the DNS server)

No, I can't resolve internet URLs.

We have a proxy for another interface, which shouldn't interfere with with the esxi.

I think I saw other threads with the same issue but I couldn't link it to our installation.

Thanks again!

Julien

Reply
0 Kudos
a_p_
Leadership
Leadership
‎08-30-2011 04:52 AM

Julien,

since you are able to ping other machines even in other subnets, the network configuration on the ESXi host should be fine. You may now need to find out whether it is a firewall or a routing issue. Maybe traceroute can help to find out what happens to the package for the 8.8.8.8 address.

André

Reply
julienvs
Contributor
Contributor
‎08-30-2011 04:57 AM

Thanks André,

I really appreciate.

I'll dig deeper there and hope to come back here with the solution.

Have a nice day,

Julien

Reply
0 Kudos
julienvs
Contributor
Contributor
‎08-30-2011 06:12 AM

I've attached my output when I perform a traceroute.

Does that mean it's stuck at the firewall?

Julien

Preview file
132 KB
Reply
0 Kudos
a_p_
Leadership
Leadership
‎08-30-2011 06:30 AM

Sorry, I can't tell you for sure what causes the issue. How does the output for this command look like on a physical system?

André

Reply
0 Kudos
julienvs
Contributor
Contributor
‎08-30-2011 06:36 AM

It looks like this:

esxi2.jpg

Reply
0 Kudos
iw123
Commander
Commander
‎08-30-2011 06:48 AM

it doesnt look like you are resolving URLs. Is dns set correctly on your VMs? whats in your resolv.conf file?

can you do an nslookup against 8.8.8.8 ?

*Please, don't forget the awarding points for "helpful" and/or "correct" answers
Reply
0 Kudos
julienvs
Contributor
Contributor
‎08-30-2011 07:01 AM

My resolv.conf file says:

# Generated by NetworkManager

nameserver 8.8.8.8

On the DNS and Routing panel I set:

Name: esxi

Domain: yaska.eu

Method: Static

Preferred DNS Server: 8.8.8.8

Default Gateways:

VMKernel: 20.0.20.1

What is this VMKernel? 20.0.20.1 is also the IP of the firewall.

nslookup 8.8.8.8

;; connection timed out; no servers could be reached

Reply
0 Kudos
iw123
Commander
Commander
‎08-30-2011 08:05 AM

Are you allowing DNS queries out through your firewall?

do you have an internal dns server for local name resolution (i.e. internal hosts? )

*Please, don't forget the awarding points for "helpful" and/or "correct" answers
Reply
0 Kudos
julienvs
Contributor
Contributor
‎08-30-2011 09:12 AM

Hmmm ... yes I am.

My policies should be alright, I spend a little while cleaning them but I keep seeing these lines in the logs:

2011-08-30 16:14:10 Deny 20.0.20.201 8.8.8.8 icmp   4-Esx Nespresso 0-External Denied 84 63 (Unhandled Internal Packet-00)  proc_id="firewall" rc="101"      Traffic

Ping requests get denied ... all other outgoing traffic gets denied ...

I also believe the problem lies on the firewall now, but it'll be tough to figure out how to solve it.

Thanks to you both!

Julien

Reply
0 Kudos
DSTAVERT
Immortal
Immortal
‎08-30-2011 09:19 AM

If the addresses you listed actually belong to your organization you should mask them for security. If they are not IP blocks assigned to your organization then you should consider changing the blocks to RFC reserved blocks. Using Internet routable address space on an internal networks may have un intended concequences.

     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
-- David -- VMware Communities Moderator
Reply
0 Kudos
julienvs
Contributor
Contributor
‎08-30-2011 10:46 AM

Thans DSTAVERT,

I'll have a close look to that.

For the rest, the firewall keeps throwing unhandled exceptions.

Is there something I should do about VLAN's? I didn't set up any so far.

Regards,

Julien

Reply
0 Kudos
julienvs
Contributor
Contributor
‎08-30-2011 11:14 PM

Hi all,

My problem got solved.

It was as you expected on the firewall ... a missing Dynamic NAT.

Thank you very much for helping me finding the problem!

Julien

Reply
0 Kudos