Hi Friends,
I have a very strange issue with an ESXi in my LAN and an ESXi as a root-Server at my provider hetzner.de
2 ESXi hosts, VMware 5.5
1 in local LAN
1 at hetzner.de root-Server
1x vSphere Server Appliance 5.5
Cisco ASA Firewall
Own public IP for ASA and ESXi
This is the problem I have.
- When I directly connect with vSphere-Client to the ESXi host at my provider I can do all I want to do. There are no disconnects and all is fine.
- I added the host to my vSphere Appliance and my cluster. Here I get a disconnect with this server every 30 to 60 seconds. After I reconnect the host, it is once again connected for about 30 to 60 seconds.
-> I removed it from my cluster
-> On my ASA configuration the complete IP protocol is allowed from the host to my vSphere Appliance and backwards. I don't see any drops
-> Provider says that on his side there is no firewall
Does anybody have any idea? I need to have the ESXi in my cluster for all further projects, so this is very important for us.
Thank you very much
Markus
Only a guess. Does DNS resolution work, i.e. is the host able to resolve the vCenter Server's FQDN and vice versa?
André
From the LAN I get all correct, nslookup on name and IP. The names are not listed in a public DNS, but the ExtEsx has only the local DNS in its configuration.
regards
Markus
Are TCP 902/903 open in both directions? This will happen if it's only open in one direction...
// Linjo
Take a look, this is the rule on the inside interface
and this is the outside interface
The complete TCP/IP stack is open. Also I don't see any drops in the firewall log.
Markus
And from the other direction?
They're (hetzner.de) telling me that there is no firewall. Bad thing ... the thing is, why is it working that fine if it isn't connected to the vSphere Server?
Markus
Hi,
do you use NAT for the connection between the vCenter and the ESXi?
R/Sven
Yes we do. Our local environment is NATted with our public IP address. Can this be the point? If yes, what must be done?
Markus
Hi,
yes of course, that's your problem!
Take a look: http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=1010652&sl...
I had the same problem and this KB helped me to solve my problems.
But you didn't forget the firewall rules for the vCenter and the ESXi server.
R/Sven
Hi Sven,
like you see in my earlier post, I opened the complete IP stack for communicating from the ESXi to my local environment and backwards.
Just for understanding ... I have to modify the vpxa.cfg file on my ESXi host at Hetzner.de?
And at ExtESXi I have to add the NAT IP address from my local vSphere server, meaning the
<serverIp>NAT_IP_address</serverIp>
regards
Markus
Yep, there you must insert the external IP from your vCenter and you must add a NAT rule in your firewall for the following ports:
902
903
443
5989
So that the ESXi can communicate with your vCenter through the FW...
As an example, my FW rule in pfSense: https://www.evernote.com/shard/s50/sh/185c53c8-df3a-4593-9ea1-b87c1affb1c6/f577d8e2ae36eb2ff223e3e9f...
And here my NAT Rule: https://www.evernote.com/shard/s50/sh/90195880-4ddf-4ad5-81b2-28ce1e60f6da/a87b8ef321ca138df39de4b6c...
Hi Vaiper,
thank you very much. The link to VMware KB: Using NAT between the vCenter Server system and ESXi/ESX hosts
and editing vpxa.cfg with the public IP from my environment helped. Also I had an issue with wrong NATting from my internal environment.
Now the only and last question is how I can harden my ESXi in the WAN. Are there any KBs on what services must run and how I can harden the system perfectly?
Thank you all for your answers and your very fast help!
Markus
Hey,
no problem
Here is the hardening guide for VMware: http://www.vmware.com/security/hardening-guides.html
Best regards
Sven
Any news?
When all questions are answered, please set the thread to answered.
Best regards
Sven
Hi Sven,
sorry for coming back that late. Had an issue that kicked me out with my firewall configuration. Am I right that normally it's enough to edit all the incoming ports to the external NAT IP from my network?
I edited these incoming services to my NAT IP
Don't do this for the DHCP client. I think the services lbtd, vpxa, Direct Console UI and CIM Server are running, and for all the rest, if nothing is listening on the ports, nothing can answer.
Do you all also think that's enough for an ESXi server directly hosted at a service provider? Or what else would you do to harden the server?
regards
Markus