Host connection issues

Just been assigned a ticket for a new ESXi installation with connection issues, from a remote office the customer is not able to connect to the host in the remote office using the vSphere client (the host webpage doesn’t even load up past the security certificate warning), he is able to connect to the host directly from a machine at the local site. The error message is “The request failed because the remote server took long to respond”.
From the branch office, he is also not able to log directly into the hosts at the main site or access the webpages but he is able to load the vCenter server web page as well as log into it using the vSphere client, but he is not able to add the host to vCenter either (request timed out error).
The two sites are connected together by a site-to-site VPN and the person who looks after the both firewalls has opened ports 80/443/902 in both directions on both firewalls, below is what I have checked.

Verified host networking details.
Telneted to the host/vCenter on 40/443/902 and the ports are open
Checked the ESXi firewall on the remote host and it has the default settings;
Tested the ESXi build (OEM image) on another server at the main site and that works fine
Installed ESXi on another machine at the remote site using the same build as the main office hosts and I still have the same issue.
I’ve run packet captures from both sites and I can see communication between the host and the client/vCenter, this is also confirmed by a tcpdump.
I have gone as far as having the all the management ports opened on both firewalls.

My gut feeling is that it is a firewall issue but I am not sure how I can prove it.
Any suggestions are most welcome.

Find more posts tagged with

Comments

Mikdilly

Could be DNS issue if your connecting by host name in Vsphere client, have you tried connecting by ip address?

tstrip007

Was thinking DNS as well. Did you manually add the DNS entry for the host?

Essendon

- How bad's the latency between the two sites?
- Version of vSphere? There could be SSO issues. 'Use Windows Sessions Credentials' doesnt always work with SSO.
- Any recent upgrades?
- What's the version of the vSphere client you have? Upgrade it if it's older.

atorven

@Mikdilly and tstrip007 - Same issue with trying to connect via IP, I already have a static entry in DNS for this host.
@Essendon-Average latency is around 300 ms (sometimes higher), the host is running 5.1.0 build 106549, and the vCenter server is running 5.1.0 880146, vSphere client is on 5.1.0 build 860230, tried the same build but with no avail. No recent upgrades have been done at the main site.
The latency between the two sites was an initial concern for me but when I spoke to Vmware they didn’t have any solid figures on any minimum requirements for latency, because the customer can access the host from the LAN at the remote site, VMware support won’t take it any further as they can’t see any wrong with the host, they reckon it’s a network issue.
The fact that they can access vCenter going from the remote site to the main site but not vice versa is bugging me.

Mikdilly

What credentials are being used to log into vsphere client, Host or AD?

dsp2267

atorven wrote: »

Verified host networking details.

Telneted to the host/vCenter on 40/443/902 and the ports are open

Checked the ESXi firewall on the remote host and it has the default settings;

Tested the ESXi build (OEM image) on another server at the main site and that works fine

Installed ESXi on another machine at the remote site using the same build as the main office hosts and I still have the same issue.

I’ve run packet captures from both sites and I can see communication between the host and the client/vCenter, this is also confirmed by a tcpdump.

I have gone as far as having the all the management ports opened on both firewalls.

My gut feeling is that it is a firewall issue but I am not sure how I can prove it.
Any suggestions are most welcome.

I assume the hosts at the main site and at the remote site are on different subnets. Any way you could temporarily set up a test host at the remote site with an IP address in the address range used by the main site? Aside from the VPN tunnel and the latency, the first difference that comes to mind is addressing, and I can imagine a firewall rule that was cut-n-pasted from a main site FW to the remote site FW without the rule being changed to reflect the remote site's addressing scheme.

atorven

@ Mikdilly – using the local root account to connect to the host.
@dsp2267 – Yes, both sites are on different subnets, changing the addressing scheme at the remote site would mean changing the firewall/router configs on both sides, this is a busy time of the year for the client so I doubt they would be willing to undertake such a change.
They have told me that they can access other hosts through VPN tunnels at other remote sites and they have allowed all traffic to their remote sites through the main site firewall so I'm looking at new remote site, they told me that it's on a DSL connection using PPPOE, I remember reading somewhere about PPPOE connections requiring modified MTUs but they've got other applications (AD/Exchange/SQL/Citrix etc) running at this time without issue.