AndroidFiguren
Contributor

Strange behavior with ESXi root Server at Hetzner.de

Hi Friends,

I have a very strange issue with an ESXi host in my LAN and an ESXi host as a root server at my provider hetzner.de.

2 ESXi hosts, VMware 5.5

1 in local LAN

1 at hetzner.de as a root server

1x vSphere Server Appliance 5.5

Cisco ASA Firewall

Own public IP for ASA and ESXi

This is the problem I have.

- When I directly connect with vSphere-Client to the ESXi host at my provider I can do all I want to do. There are no disconnects and all is fine.

- I added the host to my vSphere Appliance and my cluster. Here I get a disconnect with this server every 30 to 60 seconds. After I reconnect the host, it is once again connected for about 30 to 60 seconds.

-> I removed it from my cluster

-> On my ASA configuration the complete IP protocol is allowed from the host to my vSphere Appliance and back. I don't see any drops.

-> Provider says that on his side there is no firewall

Does anybody have any idea? I need to have the ESXi in my Cluster for all further projects so this is very important for us.

Thank you very much

Markus

15 Replies
a_p_
Leadership

Only a guess. Does DNS resolution work, i.e. is the host able to resolve the vCenter Server's FQDN and vice versa?

André

AndroidFiguren
Contributor

From the LAN I get everything correct, nslookup on name and IP. The names are not listed in a public DNS, but the external ESXi has only the local DNS in its configuration.

regards

Markus

Linjo
Leadership

Are TCP 902/903 open in both directions? This will happen if it's only open in one direction...

// Linjo

Best regards, Linjo Please follow me on twitter: @viewgeek If you find this information useful, please award points for "correct" or "helpful".
AndroidFiguren
Contributor

Take a look, this is the rule on the inside interface:

inside.PNG

and this is the outside interface:

outside.PNG

The complete TCP/IP stack is open. Also I don't see any drops in the firewall log.

Markus

Linjo
Leadership

And from the other direction?

AndroidFiguren
Contributor

They (hetzner.de) are telling me that there is no firewall. Bad thing ... the thing is, why is it working that fine if it isn't connected to the vSphere Server?

Markus

Vaiper
Enthusiast

Hi,

do you use NAT for the connection between the vCenter and the ESXi?

R/Sven

don't forget: if answers are helpful, please award points
AndroidFiguren
Contributor

Yes, we do. Our local environment is NATed behind our public IP address. Can this be the point, and if yes, what must be done?

Markus

Vaiper
Enthusiast

Hi,

yes, of course, that's your problem!

Take a look: http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=1010652&sl...

I had the same problem and this KB helped me to solve my problems.

But don't forget the firewall rules for the vCenter and the ESXi server.

R/Sven

AndroidFiguren
Contributor

Hi Sven,

as you can see in my earlier post, I opened the complete IP stack for communication from the ESXi to my local environment and back.

Just for understanding ... I have to modify the vpxa.cfg file on my ESXi host at Hetzner.de?

And on the external ESXi I have to add the NAT IP address of my local vSphere Server, meaning:

<serverIp>NAT_IP_address</serverIp>


regards


Markus

Vaiper
Enthusiast

Yep, there you must insert the external IP of your vCenter, and you must add a NAT rule in your firewall for the following ports:

902
903
443
5989

so that the ESXi can communicate with your vCenter through the FW...

As an example, my FW rule in pfSense: https://www.evernote.com/shard/s50/sh/185c53c8-df3a-4593-9ea1-b87c1affb1c6/f577d8e2ae36eb2ff223e3e9f...

And here my NAT rule: https://www.evernote.com/shard/s50/sh/90195880-4ddf-4ad5-81b2-28ce1e60f6da/a87b8ef321ca138df39de4b6c...

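An added check, not from the thread or from VMware, for the vpxa.cfg fix Sven describes: it reads the <serverIp> from vpxa.cfg on the provider-hosted ESXi, flags a private address that cannot be reached from outside the NAT, and probes the listed TCP ports toward vCenter's NAT address. It assumes the ESXi busybox shell with its nc; VPXA_CFG, the expected NAT address and the probe timeout are parameters.

```shell
#!/bin/sh
# Added example, not from the thread or VMware: check the vpxa.cfg <serverIp> on an
# ESXi host that reaches vCenter through NAT (the KB 1010652 fix Sven points to).
# Assumed: ESXi busybox shell; VPXA_CFG can be overridden to test against a copy.

VPXA_CFG="${VPXA_CFG:-/etc/vmware/vpxa/vpxa.cfg}"
# TCP ports named in the thread that must reach vCenter through the NAT/firewall.
VC_TCP_PORTS="902 903 443 5989"

# Print the <serverIp> value from the vpxa.cfg given as argument 1.
vpxa_server_ip() {
    sed -n 's/.*<serverIp>\([^<]*\)<\/serverIp>.*/\1/p' "$1" | head -n 1
}

# 0 if the address is RFC 1918 private space, i.e. unroutable from the provider side.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Compare the configured serverIp with the NAT (public) address vCenter is reachable
# at from outside. Returns 0 when they match, 1 on mismatch, 2 if no serverIp exists.
check_vpxa_server_ip() {
    cfg="$1"; expected="$2"
    ip=$(vpxa_server_ip "$cfg")
    [ -n "$ip" ] || { echo "no <serverIp> found in $cfg"; return 2; }
    if [ "$ip" != "$expected" ]; then
        if is_rfc1918 "$ip"; then
            echo "MISMATCH: serverIp=$ip is private; heartbeats to vCenter cannot cross the NAT (expected $expected)"
        else
            echo "MISMATCH: serverIp=$ip (expected $expected)"
        fi
        return 1
    fi
    echo "OK: serverIp=$ip"
}

# Probe each required TCP port toward the vCenter NAT address (busybox nc, 3 s timeout).
probe_vcenter_ports() {
    for p in $VC_TCP_PORTS; do
        if nc -z -w 3 "$1" "$p" 2>/dev/null; then echo "tcp/$p open"; else echo "tcp/$p blocked"; fi
    done
}

# Typical use on the host (203.0.113.10 is a placeholder for the vCenter NAT address):
# check_vpxa_server_ip "$VPXA_CFG" 203.0.113.10 && probe_vcenter_ports 203.0.113.10
```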
AndroidFiguren
Contributor

Hi Vaiper,

thank you very much. The link to VMware KB: Using NAT between the vCenter Server system and ESXi/ESX hosts

and editing vpxa.cfg with the public IP of my environment helped. Also I had an issue with wrong NATing from my internal environment.

Now the only and last question is how I can harden my ESXi in the WAN. Are there any KBs on which services must run and how I can harden the system perfectly?

Thank you all for your answers and your very fast help!

Markus

Vaiper
Enthusiast

Hey,

no problem ;)

Here is the hardening guide for VMware: http://www.vmware.com/security/hardening-guides.html

Best regards

Sven

Vaiper
Enthusiast

Any news?

When all questions are answered, please set the thread to answered.

Best regards

Sven

AndroidFiguren
Contributor

Hi Sven,

sorry for coming back that late. Had an issue where my firewall configuration locked me out. Am I right that normally it's enough to restrict all the incoming ports to the external NAT IP of my network?

I restricted these incoming services to my NAT IP:

Capture.PNG

Don't do this for the DHCP client ;) I think the services running are lbtd, vpxa, Direct Console UI and CIM Server, and for all the rest, if nothing is listening on the ports, nothing can answer.

Do you all also think that's enough for an ESXi server directly hosted at a service provider? Or what else would you do to harden the server?

regards

Markus

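An added example, not from the thread, of doing with esxcli what Markus's screenshot does by hand: restricting the management rulesets of the provider-hosted ESXi so they only accept the home network's NAT address. The ruleset ids, the ESXCLI override and the sample addresses are assumptions; set ESXCLI=echo to preview the commands without applying them.

```shell
#!/bin/sh
# Added example, not from the thread: limit the ESXi firewall rulesets for management
# traffic to the home network's NAT (public) address. Assumed: ESXi 5.x busybox shell,
# the ruleset ids below; ESXCLI=echo prints the commands instead of applying them.

ESXCLI="${ESXCLI:-esxcli}"
# Rulesets for the services Markus listed (vpxa heartbeats, vSphere Client, CIM server)
# plus SSH. The dhcp ruleset is deliberately left alone, as in the thread.
MGMT_RULESETS="vpxHeartbeats vSphereClient CIMHttpsServer sshServer"

# Accept only a well-formed dotted IPv4 address (4 numeric octets, each 0-255).
valid_ipv4() {
    case "$1" in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
}

# Turn off "allow from all" for one ruleset and whitelist the given source addresses.
restrict_ruleset() {
    rs="$1"; shift
    $ESXCLI network firewall ruleset set --ruleset-id "$rs" --allowed-all false
    for ip in "$@"; do
        $ESXCLI network firewall ruleset allowedip add --ruleset-id "$rs" --ip-address "$ip"
    done
}

# Apply the restriction to every management ruleset. Refuses to run with no address
# (that would lock out all remote management) or with a malformed one. vCenter must
# leave the home network via the same NAT address, or its heartbeats are dropped too.
restrict_management() {
    [ $# -gt 0 ] || { echo "refusing: no allowed address given" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    for rs in $MGMT_RULESETS; do restrict_ruleset "$rs" "$@"; done
}

# Example (203.0.113.10 is a placeholder for the home NAT address):
# ESXCLI=echo restrict_management 203.0.113.10
```

Keep a console (DCUI) session open while applying this, and check the result with `esxcli network firewall ruleset allowedip list`.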