vidarne
Contributor
Contributor

problem add host to Vcenter gets disconected after 30-60 sec

Site A: 192.168.1.0/24

Site B: 192.168.10.0/24

openvpn tun: 10.0.10.0/24

we have an offsite esxi host at site B so is connected over openvpn (Pfsense) all the hosts on site A and B can ping each other no connection problems over the vpn.  (ping time 2-3 ms)

When we add the host to vcenter 192.168.10.115 it finds the host and adds it to the Vcenter and we can see the 2 vms for about 30-60 sec then it goes over to (disconnected) and then it changes its ip address from 192.168.10.115 to 10.0.10.2 on the vcenter page after that we cant get ti to connect to vcenter with out remove it from inventory and readd it and it stays for 30-60 sec.

if i go to the connection menu on the host B on vcenter and press connect it shows the wrong ip 10.0.10.2  added the host with 192.168.10.115

if i check the vpxa.cfg file on site B it has the right ip

grep -i serverIp /etc/vmware/vpxa/vpxa.cfg

    <serverIp>192.168.1.115</serverIp>

If i try go to the host B 192.168.10.115 from site A it works fine.  and if i check the VMkernel adapter it has ip 192.168.10.115

How can i fix this issue ?

And for info so did we have the remote host at local location connected to vcenter and it worked fine, but after moving it to Site B and changed ip it gets  disconnected after 30-60 sec

0 Kudos
3 Replies
IRIX201110141
Virtuoso
Virtuoso

Most likely your missing a open FW port. Only durring adding a Host  the vCenter use 22,443 to activate the VPXA on the Host and than it waits for that VPXA responding. Not sure which ports is used but my network guy figured it within seconds.  We managed a couple of Hosts at ROBO sites trough VPN.

https://kb.vmware.com/servlet/fileField?entityId=ka134000000YAekAAG&field=Attachment_1__Body__s

Regards

Joerg

0 Kudos
vidarne
Contributor
Contributor

As far as i can see all ports are open in the firewall on both sites. if it is port 902 so is used  it is open from Site A to B. it i try telnet from site A to site B 192.168.10.115 port 902

i get a connection

Trying 192.168.10.115...

Connected to 192.168.10.115.

Escape character is '^]'.

220 VMware Authentication Daemon Version 1.10: SSL Required, ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC , VMXARGS supported, NFCSSL supported/t

if i do a nmap scan on 192.168.10.115 from site A to site B

nmap -p 902 192.168.10.115

Starting Nmap 7.01 ( https://nmap.org ) at 2019-03-17 23:02 CET

Nmap scan report for 192.168.10.115

Host is up (0.0028s latency).

PORT    STATE SERVICE

902/tcp open  iss-realsecure

---------------------------------------------------------

nmap -sU -p 902 192.168.10.115

Starting Nmap 7.01 ( https://nmap.org ) at 2019-03-17 23:06 CET

Nmap scan report for 192.168.10.115

Host is up (0.0028s latency).

PORT    STATE         SERVICE

902/udp open|filtered ideafarm-door

So as far as i can see port 902 responds from site A to site B as open on tcp and upd and this is where the heartbeat comes from i think.

But for some reason the ip do change when adding host 192.168.10.115 to 10.0.10.2 in vcenter after it has added the esxi host.

If i look at the datastores to in vcenter for esxi cient at site B they have changed to ip from 192.168.10.115 to 10.0.10.2 and are showing as (inactive)

I guess it is some Nat problem i can't understand so is making the issue, but for me it looks like the vpn connections between site A and B works fine.

0 Kudos
vidarne
Contributor
Contributor

Found a solution but this might not be the proper way to do it but it works. (Vcenter esxi host added over openvpn site to site connection Nat problem.)

Solution:

In the Pfsense boxes, i put up 2 new outbound rule for the "vpn adapters" on both sites and told pfsense to nat source ip to Nat address.

For site A

interface vpn  192.168.1.115/32  Nat address 192.168.1.115/32

For Site B

interface vpn 192.168.10.115/32 Nat address 192.168.10.115/32

Now when i add the host in vcenter and add the ip of the esxi host 192.168.10.115 the ip stays after 60 seconds and do not change to the vpntun ip so is 10.0.10.2

Not sure if it matters but i did read on some forum somewhere that outbound ports had to be static and not random so i set pfsense not randomize outbound ports on the nated address. (Static)

If any have an input on how to do this the proper way I'm glad to hear about it.

0 Kudos