>If the vShield VM goes down a HA event will occur

I missed something? VM Monitoring can restart VM, but vShield appliance doesn't even have VMware Tools required for heartbeat monitoring.

---

MCSA, MCTS, VCP, VMware vExpert '2009

http://blog.vadmin.ru

Not for the appliance, for the guests, VM monitoring recognises that the guests are nolonger responding on the network and a HA event occurs

If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points

Tom Howarth VCP / vExpert

VMware Communities User Moderator

Blog: www.planetvm.net

Contributing author on "[VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment|http://www.amazon.co.uk/VMware-VSphere-Virtual-Infrastructure-Security/dp/0137158009/ref=sr_1_1?ie=UTF8&s=books&qid=1256146240&sr=1-1]”.

Can't find "Network monitoring" setting in HA cluster.

---

MCSA, MCTS, VCP, VMware vExpert '2009

http://blog.vadmin.ru

Hello,

If the vShield VM dissappears for any reason, those VMs on the protected network will no longer be able to reach any other network. This is a Failed Closed system as vShield is an appliance firewall that sits between two virtual switches routing and protecting traffic between them. Given this, if it dies there is no access between the two vSwitches.

As for HA, if a Host dies then HA should reboot the vShield appliance on the proper host. If the vShield Appliance crashes, HA can do the same for just a single VM. I have never set this up. Could you 'FT' a vShield appliance? Perhaps as long as it uses only 1 vCPU and resides on shared storage, etc. However for FT and HA to work with vShield all your hosts need to have all the networks interconnected such that your 'protected network' lives on all hosts as does your 'external' network. This does not just mean the vSwitch but it also means the related physical networks must be connected.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009

Virtualization Practice Analyst[/url]
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'[/url]
Also available 'VMWare ESX Server in the Enterprise'[/url]
[url=http://www.astroarch.com/wiki/index.php/Blog_Roll]SearchVMware Pro[/url]|Blue Gears[/url]|Top Virtualization Security Links[/url]|
[url=http://www.astroarch.com/wiki/index.php/Virtualization_Security_Round_Table_Podcast]Virtualization Security Round Table Podcast[/url]

I did some test. I disable (or turn off) the NIC from the Guest VM via admin client. So the Guest VM no longer have its vNIC. HA event does not occur, even though the Guest VM gets isolated from network.

From what I know, HA communicates via comm channel, not TCP/IP. So a NIC failure will not trigger HA event, and the VM will not be rebooted.

So it seems to me, if the vShield VM is down, it will cause all VMs to be isolated. What's the mechanism to minimise this?

Thanks from Singapore!

e1

PS: just for completeness of the info: The cluster is 4.0, it has HA/DRS and VM monitoring turned on. If I crash a VM, it will be rebooted.

Hello,

I did some test. I disable (or turn off) the NIC from the Guest VM via admin client. So the Guest VM no longer have its vNIC. HA event does not occur, even though the Guest VM gets isolated from network.

This is not how HA works. HA works if the 'HOST' becomes isolated, not a single VM.

From what I know, HA communicates via comm channel, not TCP/IP. So a NIC failure will not trigger HA event, and the VM will not be rebooted.

A HOST physical NIC failure for the management console could trigger an HA event depending if you only have one pNIC to the management console and your current HA settings for the hOST.

So it seems to me, if the vShield VM is down, it will cause all VMs to be isolated. What's the mechanism to minimise this?

This is the nature of a failed close system, which is exactly what you want for a firewall. NOt sure I would ever want failed open. The key here is that if the vShield appliance ever dies for some reason (remember it sits between two virtual switches), then everything on the protected side gets isolated.

You would need a 'watchdog' of sorts that would either reboot the vShield Appliance (HA does this if you configure it to watch the VM).

You would need a 'watchdog' of sorts that would determine if someone 'disconnected vShield' from the virtual network and reconnect if necessary (PowerShell would work for this).

On an HA event you may need to setup all the VMs to migrate to where ever the vShield appliance ends up.

Given that you have VM monitoring enabled and HA enabled and properly setup then you need to look for 'disconnected' state on using the VI SDK and reconnect if necessary. Some of the 'security' tools out there may help.... But not positive. This would be a configuration change and deserve a warning as well.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009

Virtualization Practice Analyst[/url]
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'[/url]
Also available 'VMWare ESX Server in the Enterprise'[/url]
[url=http://www.astroarch.com/wiki/index.php/Blog_Roll]SearchVMware Pro[/url]|Blue Gears[/url]|Top Virtualization Security Links[/url]|
[url=http://www.astroarch.com/wiki/index.php/Virtualization_Security_Round_Table_Podcast]Virtualization Security Round Table Podcast[/url]