VMware Cloud Community
truo1van
Contributor

Out of sequence IP packets originating from VMs - ESXi 4.1

Hi,

We are currently having a really obscure problem:

Environment:

* ESXi4.1 hosts, VMs: RHEL 5 and Windows 2003/2008

* Issue: Wireshark revealed that IP packets originating from the Linux VMs (RHEL5) are out of sequence. As a result, inter-VLAN traffic going via the Firewall is having packets dropped (the Firewall rule that inspects packets and detects out-of-sequence IP packets is ON by default, thus dropping the packets).

* The Linux VMs are using the VMXNET2 (Enhanced) vNIC driver. Have not had the opportunity to trial VMXNET3 (or E100 for that matter) yet.

We had to temporarily resort to leaving the Firewall rule (drop out-of-sequence packets) OFF. If it was ON, the application would not work.

Note: VMs on different VLANs in this ESX farm are required (by design) to go through the Firewall.

I searched on the net but could not find any similar issue reported.

thanks

2 Replies
truo1van
Contributor

Would also need to add how we use Wireshark to sniff the out-of-sequence packets:

* Installed Wireshark on a Windows VM and connected it to a Port Group with VLAN 4095 (ALL).

* Turned "Promiscuous Mode" ON for the whole vSwitch where the VMs being monitored and the Wireshark VM sit. Wireshark could "see" all packets in and out of any VM connected to the vSwitch.

Would much appreciate any feedback or suggestions.

ay185
Contributor

Out-of-sequence packets should be okay. Usually you want to use a filter like that to detect packets that are WAY out of sequence, i.e. the packet is out of sequence by more than double the receive window. TCP should be able to handle them anyway. It's designed to deal with out-of-sequence packets and put them back in order. This is what the receive window is for. I'm not really sure I'd ever want a f/w to filter out out-of-sequence packets. The only packets that it should filter out should also be handled by TCP anyway. I guess there is some danger.

Google "2MSL" and "TIME_WAIT" to understand why and when you'd turn on this filter.

As for what you may be experiencing: Is it possible that it is still inspecting packet 1 when packet 2 shows up?

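The distinction ay185 draws above, between ordinary reordering that the receiver's window absorbs and segments that land far outside that window, can be made concrete with a small classifier. The following is an added example written for this page; it is not code from the thread, from VMware, or from any firewall vendor. It assumes the firewall's "out of sequence" check operates on TCP sequence numbers (the posts say "IP packets", but the check modelled here is the TCP one), it tracks only one direction of a flow, and the packet trace, the initial sequence number and the 65535-byte window are constructed values, not captured from the poster's environment. The `would_drop` helper contrasts a strict rule that drops every reordered segment (the behaviour the original poster describes as breaking the application) with the looser rule ay185 describes, which drops only segments beyond the window.

```python
"""Classify TCP segments in one direction of a flow and show which ones a
firewall 'out-of-sequence' rule would drop under a strict vs. a loose policy.

Added example for this thread; constructed data, not a real capture.
"""
from collections import namedtuple

# A segment is described only by its sequence number and payload length.
Segment = namedtuple("Segment", "seq length")

MOD = 1 << 32  # TCP sequence numbers live on a 32-bit circle


def seq_diff(a, b):
    """Signed distance a - b on the 32-bit sequence-number circle, so that
    comparisons still work across a wraparound (e.g. 10 is 20 ahead of 2^32-10)."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d


def classify_segments(segments, isn, rcv_wnd):
    """Walk the segments in arrival order, emulating a receiver whose next
    expected byte starts at `isn` and whose receive window is `rcv_wnd` bytes.

    Returns a list of (seq, verdict) where verdict is one of:
      in-order             seq == rcv_nxt, data is consumed immediately
      reordered-in-window  seq is ahead but inside the window; buffered until
                           the gap is filled (what TCP does on its own)
      retransmit           seq is behind rcv_nxt; duplicate of data already seen
      beyond-window        seq is ahead of rcv_nxt + rcv_wnd; a receiver would
                           discard it and a 'way out of sequence' rule fires
    """
    rcv_nxt = isn
    pending = {}  # seq -> length of buffered out-of-order segments
    verdicts = []
    for seg in segments:
        d = seq_diff(seg.seq, rcv_nxt)
        if d == 0:
            verdicts.append((seg.seq, "in-order"))
            rcv_nxt = (rcv_nxt + seg.length) % MOD
            # The gap is closed; drain any buffered segments that now fit.
            while rcv_nxt in pending:
                rcv_nxt = (rcv_nxt + pending.pop(rcv_nxt)) % MOD
        elif d < 0:
            verdicts.append((seg.seq, "retransmit"))
        elif d < rcv_wnd:
            verdicts.append((seg.seq, "reordered-in-window"))
            pending[seg.seq] = seg.length
        else:
            verdicts.append((seg.seq, "beyond-window"))
    return verdicts


def would_drop(verdicts, strict=False):
    """Sequence numbers a firewall rule would drop.

    strict=True  models a rule that drops any segment not arriving in order
                 (the behaviour the original poster reports breaking the app).
    strict=False models the rule ay185 describes: drop only segments that are
                 far outside the receive window.
    """
    bad = {"beyond-window"}
    if strict:
        bad.add("reordered-in-window")
    return [seq for seq, verdict in verdicts if verdict in bad]


# Constructed trace (assumed values): one in-order segment, one segment that
# arrives one place early, the segment that fills the gap, a normal follow-on,
# a retransmission of the first segment, and a segment far beyond the window.
CONSTRUCTED_ISN = 1000
CONSTRUCTED_WINDOW = 65535
CONSTRUCTED_TRACE = [
    Segment(1000, 100),
    Segment(1200, 100),
    Segment(1100, 100),
    Segment(1300, 100),
    Segment(1000, 100),
    Segment(200000, 100),
]


if __name__ == "__main__":
    verdicts = classify_segments(CONSTRUCTED_TRACE, CONSTRUCTED_ISN, CONSTRUCTED_WINDOW)
    for seq, verdict in verdicts:
        print(f"seq={seq:>7}  {verdict}")
    print("strict rule drops:", would_drop(verdicts, strict=True))
    print("loose rule drops: ", would_drop(verdicts))
```

Run against the constructed trace, the strict rule drops the segment at sequence 1200 even though the receiver would have reassembled it a moment later, while the loose rule drops only the segment at 200000. That is the gap between "any reordering" and "way out of sequence" that ay185's reply is pointing at, and a capture from the VLAN 4095 port group can be fed through the same logic once its segments are reduced to (seq, length) pairs.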