I have a very strange issue with an ESXi in my LAN and an ESXi as a root-Server at my provider hetzner.de
2 ESXi Hosts VMware 5.5
1 in local LAN
1 at hetzner.de root-Server
1x vSphere Server Appliance 5.5
Cisco ASA Firewall
Own public IP for ASA and ESXi
This is the problem I have.
- When I directly connect with vSphere-Client to the ESXi host at my provider I can do all I want to do. There are no disconnects and all is fine.
- I added the host to my vSphere Appliance and my cluster. Here I get all 30 up to 60 seconds a disconnect with this Server. After I reconnect the host the host is once again connected for about 30 up to 60 seconds.
-> I removed it from my cluster
-> On my ASA configuration the complete IP protocol is allowed from the host to my vSphere Appliance and backwards. I don't see any drops
-> Provider says that on his side there is no firewall
Does anybody have any idea? I need to have the ESXi in my Cluster for all further projects so this is very important for us.
Thank you very much
Are TCP 902/903 open in both directions? This will happen if it's only open in one direction...
take a look this is the rule on the inside interface
and this is the outside interface
There is the complete TCP/IP stack open. Also I don't see any drops in the firewall log.
Yes, of course, that's your problem!
I had the same problem and this KB helped me to solve my problems
But you didn't forget the firewall rules for the vcenter and the esxi server.
Like you see in my earlier post, I opened the complete IP stack for communicating from the ESXi to my local environment and backwards.
Just for understanding ... I have to modify the vpxa.cfg file from my ESXi - Host at Hetzner.de?
And at ExtESXi I have to add the NAT IP address from my local vSphere-Server, meaning the
Yep, there you must insert the external IP from your vCenter and you must add a NAT rule in your firewall for the following ports:
So that the ESXi can communicate with your vCenter through the FW...
As an example, my FW rule in pfSense: https://www.evernote.com/shard/s50/sh/185c53c8-df3a-4593-9ea1-b87c1affb1c6/f577d8e2ae36eb2ff223e3e9f...
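An added example, not from this thread and not VMware's own tooling: a small Python helper that reads and rewrites the vCenter address in a vpxa.cfg-style file, which is the edit the KB linked in this thread describes. The `<serverIp>` element name under `<vpxa>` and all addresses below are assumptions constructed for the example; it also refuses RFC 1918 addresses, because a vpxa pointed at vCenter's LAN address is exactly what fails from behind NAT.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of a vpxa.cfg (element names and addresses are assumed).
SAMPLE_VPXA_CFG = """<config>
  <vpxa>
    <hostIp>203.0.113.10</hostIp>
    <serverIp>192.168.1.20</serverIp>
    <serverPort>902</serverPort>
  </vpxa>
</config>
"""

# RFC 1918 ranges: a vCenter address in one of these is unreachable from a
# host on the far side of a NAT, which is the failure mode in this thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def current_server_ip(cfg_xml):
    """Return the vCenter address vpxa is configured to talk to, or None."""
    root = ET.fromstring(cfg_xml)
    node = root.find("./vpxa/serverIp")
    return node.text.strip() if node is not None and node.text else None


def is_rfc1918(ip_text):
    """True if ip_text is an IPv4 address inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip_text)  # raises ValueError on garbage input
    return any(addr in net for net in RFC1918)


def set_server_ip(cfg_xml, new_ip):
    """Return cfg_xml with <serverIp> set to new_ip after validating the address."""
    if is_rfc1918(new_ip):
        raise ValueError(f"{new_ip} is an RFC 1918 address; vpxa needs the NAT/public IP of vCenter")
    root = ET.fromstring(cfg_xml)
    node = root.find("./vpxa/serverIp")
    if node is None:
        raise ValueError("no <serverIp> element found under <vpxa>")
    node.text = str(ipaddress.ip_address(new_ip))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", current_server_ip(SAMPLE_VPXA_CFG))
    updated = set_server_ip(SAMPLE_VPXA_CFG, "198.51.100.5")
    print("after: ", current_server_ip(updated))
```

On a real host you would read and write /etc/vmware/vpxa/vpxa.cfg instead of the embedded sample and restart the vpxa agent afterwards, as the KB describes.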
Thank you very much. The link to VMware KB: Using NAT between the vCenter Server system and ESXi/ESX hosts
and editing vpxa.cfg with the public IP from my environment helped. Also I had an issue with wrong NATting from my internal environment.
Now the only and last question is how I can harden my ESXi in the WAN. Are there any KBs about which services must run and how I can harden the system perfectly?
Thank you all for your answers and your very fast help!
Sorry for coming back that late. Had an issue that kicked me out with my firewall configuration. Am I right that normally it's enough to edit all the incoming ports to the external NAT IP from my network?
I edited these incoming services to my NAT IP
Don't do this for the DHCP client. I think the services lbtd, vpxa, Direct Console UI, CIM Server are running, and for all the rest, if nothing is listening on the ports, nothing can answer.
Do you all also think that's enough for an ESXi server directly hosted at a service provider? Or what else would you do to harden the server?