I have just set up a test ESXi 5 server. I am able to ping the host, traceroute to the host, ssh to the host, view the https page of the host, and browse the datastore online of the host.
However, I can not login to the host using vSphere. It keeps timing out when loading inventory.
The network is about like this...
PC (vlan 4) ----> (vlan 4) Cisco router (vlan 3) ----> (vlan 3) Cisco router (vlan 1) ----> (vlan 1) vyatta router on ESXi 4.1 (vlan 2) ----> (vlan 2) ESXi 5 host
The 4.1 box is part of a cluster on our production systems, and has a trunk port. Sub-interfaces are created on the 4.1 box to allow access to the various vlans. The ESXi 5 host is on an access switchport assigned to vlan2.
Any thoughts?
Hi,
I recommend the following:
1) check /var/log/auth.log on the host
2) restart management services with services.sh and test again
3) run network dump on vyatta with filter for source (workstation) and destination (host) IP addresses and confirm no communication is being blocked (though only tcp port 443 should be needed from vSphere client to the host)
4) try connecting to the host from another workstation with vSphere Client (btw, can you connect to 4.1 host on the same vlan using the same workstation?)
5) can you confirm routing is not asymmetric, meaning traceroute from source->destination and destination->source should hit the same hops
6) sometimes it makes sense to temporarily disable firewall on esxi; can you run: esxcli network firewall set --enabled false (revert it back when done testing)
Hope the above helps
Peter D
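Step 5 above is easy to get wrong by hand: a router answers a traceroute probe from the interface facing the probe, so the forward and return traces list different addresses for the same device even when the path is perfectly symmetric. The script below is an added example (not from this thread or from Peter D) that parses two Linux/ESXi-style traceroute outputs, maps each hop address to the device that owns it, and reports where the return path diverges. All addresses, the device names and the INTERFACE_OWNER map are invented for the diagram in the question; the traces are constructed, not captured.

```python
import re
from typing import Dict, List, Optional

# Constructed traceroute output (invented addresses, not captured from the
# thread). Forward: PC on vlan 4 -> ESXi host on vlan 2 through router A,
# router B and the vyatta router, as in the diagram in the question.
FORWARD_TRACE = """\
traceroute to 10.2.0.10 (10.2.0.10), 30 hops max, 60 byte packets
 1  10.4.0.1  0.412 ms  0.380 ms  0.366 ms
 2  10.3.0.1  1.021 ms  0.998 ms  0.971 ms
 3  10.1.0.1  1.503 ms  1.480 ms  1.455 ms
 4  10.2.0.10  2.104 ms  2.071 ms  2.047 ms
"""

# Reverse: ESXi host -> PC over the same path. Each router answers from the
# interface facing the probe, so no address here matches the forward trace.
REVERSE_TRACE = """\
traceroute to 10.4.0.50 (10.4.0.50), 30 hops max, 40 byte packets
 1  10.2.0.1  0.390 ms  0.371 ms  0.355 ms
 2  10.1.0.2  0.988 ms  0.960 ms  0.944 ms
 3  10.3.0.2  1.477 ms  1.452 ms  1.430 ms
 4  10.4.0.50  2.080 ms  2.055 ms  2.031 ms
"""

# Reverse trace where return traffic comes back through a different vlan-1
# router (hop 2): the asymmetric case step 5 is trying to rule out.
ASYMMETRIC_REVERSE_TRACE = """\
traceroute to 10.4.0.50 (10.4.0.50), 30 hops max, 40 byte packets
 1  10.2.0.1  0.390 ms  0.371 ms  0.355 ms
 2  10.1.0.3  0.988 ms  0.960 ms  0.944 ms
 3  10.3.0.2  1.477 ms  1.452 ms  1.430 ms
 4  10.4.0.50  2.080 ms  2.055 ms  2.031 ms
"""

# Interface address -> device (hypothetical; in practice this comes from your
# IPAM or the router configs). Both interfaces of each router map to one name.
INTERFACE_OWNER: Dict[str, str] = {
    "10.4.0.50": "pc",
    "10.4.0.1": "router-a", "10.3.0.2": "router-a",
    "10.3.0.1": "router-b", "10.1.0.2": "router-b",
    "10.1.0.1": "vyatta",   "10.2.0.1": "vyatta",
    "10.1.0.3": "router-c",
    "10.2.0.10": "esxi5",
}

# Hop lines start with the hop number; the "traceroute to ..." header does not.
HOP_LINE = re.compile(r"^\s*(\d+)\s+(\S+)")


def parse_hops(output: str) -> List[Optional[str]]:
    """Responding address per hop, None where the hop timed out ('* * *')."""
    hops: List[Optional[str]] = []
    for line in output.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue
        addr = m.group(2)
        hops.append(None if addr == "*" else addr)
    return hops


def devices_on_path(hops: List[Optional[str]], owner: Dict[str, str]) -> List[Optional[str]]:
    # Unknown addresses are kept verbatim so they still show up in a mismatch.
    return [None if h is None else owner.get(h, h) for h in hops]


def compare_paths(forward: str, reverse: str, owner: Dict[str, str]) -> dict:
    """Compare transit devices of the forward path with the reversed return path."""
    fwd = devices_on_path(parse_hops(forward), owner)
    rev = devices_on_path(parse_hops(reverse), owner)
    # The last hop of each trace is the far endpoint, not a transit device.
    fwd_transit = fwd[:-1]
    rev_transit = list(reversed(rev[:-1]))
    mismatches = [(i + 1, f, r)
                  for i, (f, r) in enumerate(zip(fwd_transit, rev_transit)) if f != r]
    if len(fwd_transit) != len(rev_transit):
        mismatches.append((min(len(fwd_transit), len(rev_transit)) + 1,
                           "hop count %d" % len(fwd_transit),
                           "hop count %d" % len(rev_transit)))
    return {"symmetric": not mismatches, "forward": fwd_transit,
            "return": rev_transit, "mismatches": mismatches}


def path_is_symmetric(forward: str, reverse: str, owner: Dict[str, str]) -> bool:
    return compare_paths(forward, reverse, owner)["symmetric"]


if __name__ == "__main__":
    for label, rev in (("same path", REVERSE_TRACE), ("other return", ASYMMETRIC_REVERSE_TRACE)):
        print(label, compare_paths(FORWARD_TRACE, rev, INTERFACE_OWNER))
```

Comparing raw addresses (pass an empty map as `owner`) reports the symmetric pair as asymmetric, which is the false alarm the interface map exists to prevent; the useful output is the `mismatches` list, which names the hop and the two devices that differ.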
Okay, so check this out...
1.) I did not see anything in auth.log
2.) Didn't change anything
4.) Same Issue
5.) It is not
6.) No change
However, with 3... when tshark was not running, I could not connect. When "tshark -i <int> -R ip.src==<vhost_ip>||ip.dst==<vhost_ip>" was running... I could connect just fine. If I stop the tshark, I have problems connecting again.
Any thoughts on that?
With regards to #4 (or the second part of it), can you confirm whether you've attempted to connect from vSphere client on a machine in the same network/vlan as your destination esxi host?
Peter D.
My mistake... I left that out.
If I connect from the same subnet, there seems to be no issue. However, I've tried everything I could think of to find out what the problem is. I've adjusted MTU values, ensured that firewalls are disabled, made sure routes are all there, etc.
Hi,
Check if all the required ports are open or not
Product | Port | Protocol | Source | Target | Purpose |
ESXi 5.x | 22 | TCP | Client PC | ESXi 5.x | SSH Server |
ESXi 5.x | 53 | UDP | ESXi 5.x | DNS Server | DNS Client |
ESXi 5.x | 68 | UDP | ESXi 5.x | DHCP Server | DHCP Client |
ESXi 5.x | 80 | TCP | Client PC | ESXi 5.x | Redirect Web Browser to HTTPS Service (443) |
ESXi 5.x | 88 | TCP | ESXi host | Active Directory Server | PAM Active Directory Authentication - Kerberos |
ESXi 5.x | 111 | TCP | ESX/ESXi Host | NFS Server | NFS Client – RPC Portmapper |
ESXi 5.x | 111 | UDP | ESX/ESXi Host | NFS Server | NFS Client – RPC Portmapper |
ESXi 5.x | 123 | UDP | ESX/ESXi Host | NTP Time Server | NTP Client |
ESXi 5.x | 161 | UDP | SNMP Server | ESXi 4.x Host | SNMP Polling. Not used in ESXi 3.x |
ESXi 5.x | 162 | UDP | ESXi Host | SNMP Collector | SNMP Trap Send |
ESXi 5.x | 389 | TCP/UDP | ESXi host | LDAP Server | PAM Active Directory Authentication - Kerberos |
ESXi 5.x | 427 | UDP | ESX/ESXi Host | ESX/ESXi Host | CIM Service Location Protocol (SLP) |
ESXi 5.x | 443 | TCP | VI / vSphere Client | ESX/ESXi Host | VI / vSphere Client to ESX/ESXi Host management connection |
ESXi 5.x | 443 | TCP | ESX/ESXi Host | ESX/ESXi Host | Host to host VM migration and provisioning |
ESXi 5.x | 445 | UDP | ESXi host | MS Directory Services Server | PAM Active Directory Authentication |
ESXi 5.x | 445 | TCP | ESXi host | MS Directory Services Server | PAM Active Directory Authentication |
ESXi 5.x | 445 | TCP | ESXi host | SMB Server | SMB Server |
ESXi 5.x | 464 | TCP | ESXi host | Active Directory Server | PAM Active Directory Authentication - Kerberos |
ESXi 5.x | 514 | UDP/TCP | ESXi 5.x | Syslog Server | Remote syslog logging |
ESXi 5.x | 902 | TCP/UDP | ESXi 5.x | ESXi 5.x | Host access to other hosts for migration and provisioning |
ESXi 5.x | 902 | TCP | vSphere Client | ESXi 5.x | vSphere Client access to virtual machine consoles (MKS) |
ESXi 5.x | 902 | TCP/UDP | ESXi 5.x | vCenter Server | (UDP) Status update (heartbeat) connection from ESXi to vCenter Server |
ESXi 5.x | > 1024 (dynamic) | TCP/UDP | ESXi Host | Active Directory Server | Bi-directional communication on TCP/UDP ports is required between the ESXi host and the Active Directory Domain Controller (via the netlogond process on the ESXi host). See Active Directory and Active Directory Domain Services Port Requirements and MS article 179442. |
ESXi 5.x | 2049 | TCP | ESXi 5.x | NFS Server | Transactions from NFS storage devices |
ESXi 5.x | 2049 | UDP | ESXi 5.x | NFS Server | Transactions from NFS storage devices |
ESXi 5.x | 3260 | TCP | ESXi 5.x | iSCSI storage server | Transactions to iSCSI storage devices |
ESXi 5.x | 5900 to 5964 | TCP | ESXi 5.x | ESXi 5.x | RFB protocol, which is used by management tools such as VNC |
ESXi 5.x | 5988 | TCP | CIM Server | ESXi 5.x | CIM transactions over HTTP |
ESXi 5.x | 5989 | TCP | vCenter Server | ESXi 5.x | CIM XML transactions over HTTPS |
ESXi 5.x | 5989 | TCP | ESXi 5.x | vCenter Server | CIM XML transactions over HTTPS |
ESXi 5.x | 8000 | TCP | ESXi 5.x (VM Target) | ESXi 5.x (VM Source) | Requests from vMotion |
ESXi 5.x | 8000 | TCP | ESXi 5.x (VM Source) | ESXi 5.x (VM Target) | Requests from vMotion |
ESXi 5.x | 8100 | TCP/UDP | ESXi 5.x | ESXi 5.x | Traffic between hosts for vSphere Fault Tolerance (FT) |
ESXi 5.x | 8182 | TCP/UDP | ESXi 5.x | ESXi 5.x | Traffic between hosts for vSphere High Availability (vSphere HA) |
ESXi 5.x | 8200 | TCP/UDP | ESXi 5.x | ESXi 5.x | Traffic between hosts for vSphere Fault Tolerance (FT) |
ESXi 5.x | 8301 | UDP | ESXi 5.x | ESXi 5.x | DVS Port Information |
ESXi 5.x | 8302 | UDP | ESXi 5.x | ESXi 5.x | DVS Port Information |
ESXi 5.x | 31100 | TCP | vCenter | SPS Server | Internal Communication Port |
ESXi 5.x | 31000 | TCP | SPS Server | vCenter | Internal Communication Port |
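Most rows of that table describe host-to-host, host-to-storage or host-to-directory traffic that has nothing to do with a vSphere Client on another VLAN reaching the host. The script below is an added example (not from this thread or from VMware) that parses the pipe-delimited table and keeps only the rows whose source is a client and whose target is the host, so the minimal allow-list between the workstation VLAN and the host VLAN falls out of the table instead of being read off by eye. The embedded PORT_TABLE is an excerpt of the rows posted above with one purpose cell shortened; the source/target matching is a keyword heuristic of mine, not something the table defines.

```python
import re
from typing import Dict, List, Optional, Tuple

# Excerpt of the table above, embedded so the script runs offline. Rows for
# host-to-DNS, host-to-host, vCenter and dynamic AD ports are included on
# purpose so the filter has rows to reject; the last purpose cell is shortened.
PORT_TABLE = """\
Product | Port | Protocol | Source | Target | Purpose |
ESXi 5.x | 22 | TCP | Client PC | ESXi 5.x | SSH Server |
ESXi 5.x | 53 | UDP | ESXi 5.x | DNS Server | DNS Client |
ESXi 5.x | 80 | TCP | Client PC | ESXi 5.x | Redirect Web Browser to HTTPS Service (443) |
ESXi 5.x | 443 | TCP | VI / vSphere Client | ESX/ESXi Host | VI / vSphere Client to ESX/ESXi Host management connection |
ESXi 5.x | 443 | TCP | ESX/ESXi Host | ESX/ESXi Host | Host to host VM migration and provisioning |
ESXi 5.x | 902 | TCP/UDP | ESXi 5.x | ESXi 5.x | Host access to other hosts for migration and provisioning |
ESXi 5.x | 902 | TCP | vSphere Client | ESXi 5.x | vSphere Client access to virtual machine consoles (MKS) |
ESXi 5.x | > 1024 (dynamic) | TCP/UDP | ESXi Host | Active Directory Server | Bi-directional communication with the domain controller |
ESXi 5.x | 5900 to 5964 | TCP | ESXi 5.x | ESXi 5.x | RFB protocol, which is used by management tools such as VNC |
ESXi 5.x | 5989 | TCP | vCenter Server | ESXi 5.x | CIM XML transactions over HTTPS |
"""

PORT_RANGE = re.compile(r"^(\d+)\s*(?:to|-)\s*(\d+)$")
CLIENT_SOURCE = re.compile(r"client", re.IGNORECASE)   # heuristic, see lead-in
HOST_TARGET = re.compile(r"ESX", re.IGNORECASE)


def parse_rows(table: str) -> List[Dict[str, str]]:
    """Turn the pipe-delimited table into one dict per row keyed by header."""
    lines = [ln for ln in table.splitlines() if ln.strip()]
    header = [c.strip() for c in lines[0].strip().strip("|").split("|")]
    rows = []
    for line in lines[1:]:
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != len(header):
            raise ValueError("malformed row: %r" % line)
        rows.append(dict(zip(header, cells)))
    return rows


def parse_port(field: str) -> Optional[Tuple[int, int]]:
    """'443' -> (443, 443); '5900 to 5964' -> (5900, 5964); dynamic -> None."""
    field = field.strip()
    if field.isdigit():
        return (int(field), int(field))
    m = PORT_RANGE.match(field)
    if m:
        return (int(m.group(1)), int(m.group(2)))
    return None  # e.g. '> 1024 (dynamic)': not expressible as one fixed rule


def expand_protocols(field: str) -> List[str]:
    """'TCP/UDP' -> ['tcp', 'udp']."""
    return [p.strip().lower() for p in field.split("/")]


def client_to_host_rules(rows: List[Dict[str, str]]) -> List[Tuple[str, int, int, str]]:
    """(proto, low, high, purpose) for traffic a management workstation must
    be able to send to the host: the only rows relevant to a cross-VLAN client."""
    rules = set()
    for row in rows:
        if not (CLIENT_SOURCE.search(row["Source"]) and HOST_TARGET.search(row["Target"])):
            continue
        span = parse_port(row["Port"])
        if span is None:
            continue
        for proto in expand_protocols(row["Protocol"]):
            rules.add((proto, span[0], span[1], row["Purpose"]))
    return sorted(rules)


if __name__ == "__main__":
    for proto, low, high, purpose in client_to_host_rules(parse_rows(PORT_TABLE)):
        span = str(low) if low == high else "%d-%d" % (low, high)
        print("allow %s/%s  # %s" % (proto, span, purpose))
```

For the situation in this thread the filter leaves four TCP ports (22, 80, 443 and 902), which is consistent with Peter D's remark that the vSphere Client itself only needs 443; 902 is added only when you open a VM console.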
I can't find that any ports are being blocked.
I can log in using vSphere only when tshark is running on the vyatta router. Any thoughts why this would be so?
I've disabled all firewalls along the path, I've rebooted everything, I can ping the entire path, traceroutes are exactly the same back and forth. Nothing but running tshark has allowed me to login to the ESXi box.
Just to make sure that your DNS is resolving both ways, since the inventory and search services depend on routing being proper both ways.
DNS is working just fine.
No matter what I've done, it still hasn't worked.
The only thing that allows me to connect is to have tshark (terminal version of wireshark) running on the vyatta router. If it's not running, the second I start it up, vSphere finishes loading the inventory and brings up the main screen.
If I stop tshark while I'm connected to vSphere, it will disconnect the session eventually.
The problem was a bug when using the VMWare network driver in Vyatta.
Switching to the E1000 driver fixed the issue.
Please reference the following Vyatta forum post for further details: