Re: Strange behavior with ESXi root Server at Hetz...

AndroidFiguren · ‎02-02-2014

Hi Friends,

I have a very strange issue with an ESXi in my LAN and an ESXi as a root-Server at my provider hetzner.de

2 ESXi Hosts vmWare 5.5

1 in local LAN

1 at hetzner.de root-Server

1x vSphere Server Appliance 5.5

Cisco ASA Firewall

Own public IP for ASA and ESXi

This is the problem I have.

- When I directly connect with vSphere-Client to the ESXi host at my provider I can do all I want to do. There are no disconnects and all is fine.

- I added the host to my vSphere Appliance and my cluster. Here I get all 30 up to 60 seconds a disconnect with this Server. After I reconnect the host the host is once again connected for about 30 up to 60 seconds.

-> I removed it from my cluster

-> On my ASA configuration the complete IP-Protocoll is allowed from the host to my vSphere Appliance and backwards. I don´t see any drops

-> Provider says that on his side there is no firewall

Does anybody have any idea? I need to have the ESXi in my Cluster for all further projects so this is very important for us.

Thank you very much

Markus

a_p_ · ‎02-02-2014

Only a guess. Does DNS resolution work, i.e. is the host able to resolve the vCenter Server's FQDN and vice versa?

André

AndroidFiguren · ‎02-02-2014

From the LAN I get all correct, nslookup on name and IP. The names are not in a public DNS listet, but the ExtEsx has only the local DNS in it´s configuration.

regards

Markus

Linjo · ‎02-02-2014

Are TCP 902/903 open in both directions? This will happen if its only open in one direction...

// Linjo

Best regards, Linjo Please follow me on twitter: @viewgeek If you find this information useful, please award points for "correct" or "helpful".

AndroidFiguren · ‎02-02-2014

take a look this is the rule on the inside interface

and this is the outside interface

There is the complete TCP IP Stack open. Also I don´t see any drops at the firewall log.

Markus

Linjo · ‎02-02-2014

And from the other direction?

Best regards, Linjo Please follow me on twitter: @viewgeek If you find this information useful, please award points for "correct" or "helpful".

AndroidFiguren · ‎02-02-2014

They´re (hetzner.de) telling me that there is no firewall. Bad thing ... the thing is why is it working that fine if it isn´t connected to the vSphere Server?

Markus

Vaiper · ‎02-03-2014

Hi,

do you use NAT for the Connection between the vCenter and the ESXi?

R/Sven

don't forget: if answers are helpful, please award points

AndroidFiguren · ‎02-03-2014

Yes we do. Our local enviroment is natted with our public IP-Adress. Can this be the point, if yes what must be done?

Markus

Vaiper · ‎02-03-2014

Hi,

yes of course, thats your Problem!

Take a look: http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=1010652&sl...

I had the same problem and this kb help me to solve my problems

But you didn't forget the firewall rules for the vcenter and the esxi server.

R/Sven

don't forget: if answers are helpful, please award points

AndroidFiguren · ‎02-03-2014

Hi Sven,

like you see it in my earlier post I opened the complete IP-Stack for communicatig from the ESXi to my local enviroment and backwards.

Just for understanding ... I have to modify the vpxa.cfg file from my ESXi - Host at Hetzner.de?

And at ExtESXi I have to add the NAT-IP-Adress from my local vSphere-Server means the

<serverIp>NAT_IP_address</serverIP>

regards

Markus

Vaiper · ‎02-03-2014

Yep there you must insert the external IP from your vcenter and you must add a NAT Rule in your Firewall for the following Ports:

902
903
443

5989

So that the ESXi can Communicate with your vcenter through the FW...

As example my FW Rule in pFsense: https://www.evernote.com/shard/s50/sh/185c53c8-df3a-4593-9ea1-b87c1affb1c6/f577d8e2ae36eb2ff223e3e9f...

And here my NAT Rule: https://www.evernote.com/shard/s50/sh/90195880-4ddf-4ad5-81b2-28ce1e60f6da/a87b8ef321ca138df39de4b6c...

don't forget: if answers are helpful, please award points

AndroidFiguren · ‎02-06-2014

Hi Vaiper,

thank you very much. The link to VMware KB: Using NAT between the vCenter Server system and ESXi/ESX hosts

and editing vpxa.cfg with the public IP from my enviroment helped. Also I had an issue with wrong natting from my internal enoviroment.

Now the only and last question is how I can harden my ESXi in the WAN. Are there any KBs what services must run and how I can harden the system perfectly?

Thank you all for your answers and your very fast help!

Markus

Vaiper · ‎02-06-2014

Hey,

no Problem

Here is the hardening guide for VMware: http://www.vmware.com/security/hardening-guides.html

Best regards

Sven

don't forget: if answers are helpful, please award points

Vaiper · ‎02-10-2014

Any news?

When all questions are be answered please set the Thread to answered.

Best regards

Sven

don't forget: if answers are helpful, please award points

AndroidFiguren · ‎02-17-2014

Hi Sven,

sorry for coming back that late. Had an issue that I kicked me out with my firewall configuration. Am I right that normally it´s enough to edit all the incoming ports to the external NAT Ip from my network?

I edited this incoming services to my NAT-IP

Don´t do this for the DCHP-Client I think there are running the services lbtd, vpxa, Direct Console UI, CIM-Server and for all the rest if nothing is listening on the ports nothing can answer.

Do you all also think that´s enough for a ESXi-Server directly hosted at a service provider? Or what else do you would do to harden the server?

regards

Markus

All

Strange behavior with ESXi root Server at Hetzner.de