VMware Cloud Community
jgover
Enthusiast

VPN from a vSphere 5.1 VM WIN7SP1Pro Fails

Hi,

Is there any reason why I cannot use VPN client software to connect to a public-facing private network?

- The VM can access the Internet fine.

- It connects and gets a private IP address

- It then fails "Client did not acknowledge banner request"

Support are stating that the ports are being blocked by a firewall or a non-IPsec-aware NAT router, and are pointing the issue back to vSphere.

I stated that I am not running vShield Edge, NSX or any of the sort. I am just pointing my vswitches to the VLANs on the physical switches.

I am stating that the problem is the VPN software or the network Layer 3 routers.

I am just reaching out here to ensure I am not missing something about how this VM is routed, given the intricacies of vSphere 5.1 networking.

The only thing that comes close to this topic is people using VMware Workstation, and their problem was solved using bridged networking.

Cisco VPN Client inside a virtual machine | [H]ard|Forum

Thanks

8 Replies
vHaridas
Expert

If you can access the Internet from your VM without any issue, then this rules out any possibility of a network issue in VMware.

It seems your Internet firewall is blocking communication between the VPN and your VM.

Check the Internet firewall for connections to the VPN and whether it is blocking anything.

Also disable any anti-virus on the VM while testing the connection.

Please consider awarding points for "Correct" or "Helpful" replies. Thanks....!!! https://vprhlabs.blogspot.in/
Muthur85
Contributor

Typically a "banner not received" type of error is caused by ports being blocked by a firewall or a non-IPsec-aware NAT router somewhere.

If the Contivity router is set to try and use NAT'ed VPN connections you can get around most of the issues, but it has to be configured on the route

jgover
Enthusiast

This works if you install VMware Workstation using bridged mode. This is an awful waste of licensing and resources, though.

What works now is this:

- Regular WIN7 VM

- VMware Workstation installed on that VM

- Install another WIN7 VM inside of VMware Workstation

- Use bridged mode.

- Bob's your uncle.

But that is costly: two WIN7 licenses and a VMware Workstation license.

Anyone know of a way around this?

Thanks

Jeff

vHaridas
Expert

In my organization, support teams are using Windows 2008 VMs to connect to client Cisco and Juniper VPNs for support purposes.

Once the VPN is connected, they access the VM console to connect to the VM and manage client systems.

Everything has worked perfectly for a couple of years.

The ESXi version is 5.5.

Can you try to deploy Windows 2008 on ESXi and connect to the VPN?

jgover
Enthusiast

Hi,

Yes, we do the same for support to external organizations.

I do not see how that would make any difference when Windows 7 and Server 2008 R2 are based on the same kernel. Could you elaborate more on the 2008 server setup?

- Is it running as a Hyper-V VM?

- Multiple NICs?

That banner message error is obviously coming back on the initial connection (our IP address), but the VPN client has already established a tunnel connection (new IP) and already dropped our subnet (split tunnel not allowed). I know this because I ran netstat to monitor connections.

We need a network guru to chime in here. I bet they will know the answer in a second. Probably something to do with how the vSwitch, ESXi and the VM establish network connections. Maybe there is something we need to change or open on the ESXi firewall?

Thanks

Jeff

vHaridas
Expert
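The route-table observation in the post above (default route moves to the tunnel adapter, local subnet dropped because split tunneling is not allowed) can be checked mechanically rather than by eyeballing netstat. The following is an added example, not code from the thread: it parses constructed excerpts of the Windows `route print` IPv4 table taken before and after a VPN client connects. The addresses (10.20.30.0/24 LAN, 172.16.40.22 tunnel IP, 198.51.100.10 as the VPN gateway) are made up for illustration.

```python
import re

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed excerpts of the IPv4 table from Windows "route print" (not from the
# thread): the VM's LAN is 10.20.30.0/24, the tunnel adapter gets 172.16.40.22,
# and 198.51.100.10 stands in for the VPN gateway's public address.
ROUTES_BEFORE = """\
          0.0.0.0          0.0.0.0     10.20.30.1    10.20.30.55     10
       10.20.30.0    255.255.255.0         On-link    10.20.30.55    266
      10.20.30.55  255.255.255.255         On-link    10.20.30.55    266
"""
ROUTES_AFTER = """\
          0.0.0.0          0.0.0.0    172.16.40.1   172.16.40.22      1
      10.20.30.55  255.255.255.255         On-link    10.20.30.55    266
      172.16.40.0    255.255.255.0         On-link   172.16.40.22    266
    198.51.100.10  255.255.255.255     10.20.30.1    10.20.30.55     10
"""

def parse_routes(text):
    """Return the IPv4 rows as dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and IPV4.match(parts[0]) and IPV4.match(parts[1]):
            rows.append(dict(dest=parts[0], mask=parts[1], gw=parts[2],
                             iface=parts[3], metric=int(parts[4])))
    return rows

def default_iface(rows):
    """Interface of the lowest-metric default route, or None if there is none."""
    defaults = [r for r in rows if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    return min(defaults, key=lambda r: r["metric"])["iface"] if defaults else None

def has_subnet_route(rows, subnet, mask):
    return any(r["dest"] == subnet and r["mask"] == mask for r in rows)

def compare(before_text, after_text, lan_subnet, lan_mask):
    """Summarise what the VPN client changed: where the default route now points,
    whether the LAN's on-link route survived, and which host routes still go out
    through the physical NIC (typically the tunnel endpoint itself)."""
    before, after = parse_routes(before_text), parse_routes(after_text)
    old_default, new_default = default_iface(before), default_iface(after)
    lan_kept = has_subnet_route(after, lan_subnet, lan_mask)
    pinned = [r["dest"] for r in after
              if r["mask"] == "255.255.255.255" and r["iface"] == old_default
              and r["gw"] != "On-link"]
    return {"default_iface_before": old_default,
            "default_iface_after": new_default,
            "lan_route_kept": lan_kept,
            # No split tunnel: default route moved and the LAN route is gone.
            "full_tunnel": new_default != old_default and not lan_kept,
            "host_routes_via_physical_nic": pinned}
```

If `full_tunnel` is true, everything except the pinned host route to the gateway is already inside the tunnel when the banner step fails, which narrows the capture to tunnel traffic on the physical NIC.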

First of all, you don't need to change anything on the ESXi firewall.

Here is my setup:

A vCenter server with many other production hosts, clusters and VMs.

For support VPN purposes: one standalone ESXi host in the same vCenter with Windows 2008 R2 VMs running on it.

Local disk storage is used for the VMs, and a standard virtual switch and port groups are used with multiple VLANs.

Each VM has a single NIC with an internal LAN IP assigned, which has Internet connectivity and can access other LAN systems, DNS, etc.

Users connect to the vCenter server using the VI Client, access their VM console and connect to the client VPN.

As users connect to the client VPN, those VMs get disconnected from the local LAN network.

Due to routing, sometimes the same IP network exists at the client network and in the office, and that is normal as long as you are connected to the client network.

Once users disconnect the VPN on the VM, the VM can again access LAN services or the Internet without any issue.

vHaridas
Expert

On the ESXi host VMs, did you try disabling the Windows Firewall or anti-virus software?

Also, you can try to run Wireshark on the same VPN VM and see where and at what step the connection is getting blocked.

jgover
Enthusiast

Hi,

Yes, that was my first step: I disabled all firewall profiles (Domain, Home, Public) and disabled the AV software.

I had a colleague install it on a physical WIN7 VM at the office (same network gear at all sites) and it worked. So that tells me it's back to the network guys at the other data center site for answers.

I will install Wireshark to tell them where it is dropping.

Thanks

Jeff
