VMware Cloud Community
cypherx
Hot Shot

Cannot access vrops web ui when VPN in

I have a really strange issue that I have not been able to figure out.  I almost wonder if there are firewall rules or something in apache tomcat in the vRealize Operations Manager virtual appliance or something.

When I am at home and VPN in, we are issued a 192.168.55.x IP address from a Cisco ASA IP pool. Everything is routed fine to our private IP addresses in the entire 10.0.0.0 class A subnet. Our vRealize Operations Manager VM lives at 10.1.1.75. No matter what, I cannot get the webpage to load natively on the VPN connection. I can PING 10.1.1.75 without an issue, and I can also go into the vrops virtual appliance and ping my laptop's IP (192.168.55.x) and get a response fine. I can only load the webpage if I Remote Desktop to my PC back at work, which is in the 10.7.3.x subnet. I can remote to other machines in other offices that are in different 10.x.x.x subnets and they all can load the vrops website too. On vrops the default gateway is correct, and that's proven by the fact that I can ping it from any other subnet. I'm just not sure why I get ERR_CONNECTION_TIMED_OUT in every browser.

It's not a show stopper; I can remote control onto another machine in our network and connect from there, but it's just not as convenient.

I've tried via the IP address that all the links from our vcenter 6.7u3 link to, and I also tried the DNS name (which does resolve correctly when pinged), https://vrops.domain.com/ . Neither the regular operations UI nor the admin UI will load over VPN. I thought maybe it was DNS, so I ensured my laptop, which is VPN'd in, has proper forward and reverse DNS entries in our Windows DNS server. It does, and the vrops virtual appliance can ping me successfully by my computer name.

So it seems the network traffic is working fine (at least ping), but for some reason apache tomcat (or whatever the webserver is) is doing some kind of filtering. We have nothing in place to block port 443 or 80 from VPN users back to HQ.

Final question: why doesn't vcenter link to it via DNS name? That would avoid the certificate error. Otherwise, when I RDP to a machine back in the office to access it, I can just type the DNS name in and there's no certificate error since we loaded a cert on it from our Windows CA.

Accepted Solutions
cypherx
Hot Shot

Found out when doing an audit there was an ACL on the core switches that only allowed IT Management subnet access to port 443 of vrops.  Revising this resolved the issue.  Not a vmware issue at all then.

2 Replies
cypherx
Hot Shot

I figured I would stump the community.  Might have to copy and paste my post into a vmware ticket.

But this is an interesting find. So if I Wireshark my laptop, I just see TCP Retransmissions going from my laptop at home on VPN to the vrops server, but never anything back from the vrops server. However, if I PING I get full two-way communication back and forth. Though the MAC address of vrops is reporting as 00:11:22:33:44:55, in the settings for the VM it's auto-generated a VMware MAC address beginning with 00:50:56. So this is strange; I wonder if the ASA firewall knows that is a spoofed MAC and won't let any traffic besides ping past it?

I searched our firewall config for 10.1.1.75 (the IP of vrops) and nothing came up.  We did not explicitly block or define this as an object attached to other rules or anything of that nature.  Not sure why when on VPN we can PING vrops but we cannot access the page.
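The symptom pattern in this thread (ping answers, the TCP handshake to 443 produces only retransmissions and nothing comes back) is the signature of a silent drop on the path, which is exactly what the core-switch ACL in the accepted solution turned out to be. The following Python probe, added here as an example and not code from the original post, reproduces that triage: it classifies a TCP connect as open, actively refused, or silently timed out, and combines that with the ping result into a likely cause. The vROps address 10.1.1.75 is taken from the thread; the function names, the diagnosis strings and the loopback self-check are my own assumptions.

```python
"""TCP-vs-ICMP reachability triage (added example; not from the original post)."""
import errno
import socket

VROPS_IP = "10.1.1.75"  # address of the vROps appliance given in the thread
HTTPS_PORT = 443


def probe_tcp(host, port, timeout=3.0):
    """Attempt a TCP handshake and classify the outcome.

    'open'        - SYN/SYN-ACK/ACK completed, something is listening
    'refused'     - host answered with RST: reachable, nothing on that port
    'timeout'     - no SYN-ACK and no RST: packets silently dropped somewhere
    'unreachable' - local stack has no route / ICMP unreachable came back
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:  # subclass of OSError, so it must be caught first
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"


def diagnose(tcp_result, icmp_reachable):
    """Combine the TCP probe with a ping result into a likely cause.

    The case from the thread is icmp_reachable=True with tcp_result='timeout':
    the host is routable and answers ICMP, but the handshake never completes,
    which matches an ACL or firewall that permits ICMP and drops the port,
    not a problem on the web server itself.
    """
    if tcp_result == "open":
        return "service reachable"
    if tcp_result == "refused":
        return "host reachable, nothing listening on port"
    if tcp_result == "timeout" and icmp_reachable:
        return "port filtered on path (ACL/firewall) while ICMP is allowed"
    if tcp_result == "timeout":
        return "host not reachable at all (routing or host down)"
    if tcp_result == "unreachable":
        return "no route to host from this client"
    return "unknown"


def self_check():
    """Exercise probe_tcp offline against loopback: open, then refused."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port chosen by the OS
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port, timeout=2.0)
    listener.close()  # nothing listens any more -> kernel answers with RST
    after_close = probe_tcp("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    # ICMP needs raw sockets, so the ping result is taken from the thread
    # (ping to 10.1.1.75 worked over the VPN) rather than measured here.
    result = probe_tcp(VROPS_IP, HTTPS_PORT)
    print(f"tcp {VROPS_IP}:{HTTPS_PORT} -> {result}")
    print("diagnosis:", diagnose(result, icmp_reachable=True))
```

Run from the VPN client: a "timeout" result with ping working points at something between the client and the appliance dropping the port (the ACL here), a "refused" result would instead mean the appliance itself is not listening, and after the ACL revision the probe should return "open". The Wireshark retransmissions described above are what a "timeout" looks like on the wire.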
