Client can reach VMs, but can't connect to physical hypervisors

Urraca

Okay, I'm not a virtualization guy--but I know the basic concepts and I use VMware Workstation often. I'm a security/firewall/networking guy.

I'm implementing a new firewall for a client, and after a complete review of his existing architecture, on the go live date he springs on me "oh I have 4x virtual networks in a VMware Environment as well". No big deal, I had to create 4 virtual interfaces on the Firewall and allow the usual traffic to and from those networks.

The client can access every single virtual machine he has. He cannot access the two physical machines/hypervisors that host the machines.

Aka, I believe he's using VSphere client to connect to 10.10.x.x host and 10.10.y.y, and they are unresponsive to that.

My firewall is not dropping traffic via rules etc.

So if anyone has any quick hints of what to look to for, that would be greatly appreciated. I only have an hour maintenance window with him at night, so I have limited time to play around.

Thanks
 
Is he able to connect to those hosts in a browser? i.e. http://10.10.x.x should bring him to a page where he can download the vSphere client and have links to misc admin info. If he can get to that page it is likely a networking/firewall problem and not a problem on the ESX hosts themselves. Otherwise you may have to go to a physical terminal for those hosts to see what's going on with the network configuration since I'm assuming you can't get onto the SSH tech support console for those either.

I know you said that you have no rules on the firewall setup for those IPs, but just for reference here's a post about what ports to have open for remote management: http://communities.vmware.com/message/1044988#1044988
 
Hrm, well the vSphere Client uses port 902 to directly connect to an ESX(i) host, and 903 to do MKS (mouse keyboard screen, VMware's funky VNC). If it were connecting to vCenter it would use 443.

I know you said you're not dropping, but have him telnet to the IP of the host on port 902 to see if he can even touch it. If not, it's being dropped some place.
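The telnet check suggested above distinguishes three outcomes that point at different places: a connection that completes (the service is listening), one that is refused (the host answers but nothing is on that port), and one that times out (packets are being dropped somewhere in between). The script below is an added example, not code from anyone in this thread; it probes the ports named in the post (902, 903 and 443), assumes only the Python standard library, and the host addresses and the port-to-service labels are placeholders to be replaced with the real ESX(i) or vCenter addresses.

```python
import socket
import sys

# Ports named in the post above: 902/903 for a direct vSphere Client connection
# to an ESX(i) host, 443 for vCenter. Labels are descriptive only.
VSPHERE_PORTS = {
    902: "vSphere Client -> ESX(i) host",
    903: "MKS (mouse/keyboard/screen) console",
    443: "vCenter / HTTPS",
}


def probe(host, port, timeout=3.0):
    """TCP-connect to host:port and classify the result.

    'open'        -> three-way handshake completed, something is listening
    'refused'     -> host replied with RST: reachable, but no service on that port
    'timeout'     -> no reply at all: typically dropped by a firewall or bad route
    'unreachable' -> the local stack could not route or resolve the target
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def diagnose(results):
    """Turn a {port: state} map into a one-line pointer to the next thing to check."""
    states = set(results.values())
    if states == {"open"}:
        return "all ports reachable: not a network problem, look at the client/host software"
    if "timeout" in states:
        return "dropped in transit: check firewall rules/logs and routing between client and host"
    if "refused" in states:
        return "host reachable but service not listening: check the host's own configuration"
    return "host unreachable: check addressing, VLAN/port-group and ARP on the client side"


def check_host(host, ports=VSPHERE_PORTS, timeout=3.0):
    """Probe every port for one host and return (per-port states, diagnosis)."""
    results = {port: probe(host, port, timeout) for port in ports}
    return results, diagnose(results)


def local_listener():
    """Open a loopback listener on an ephemeral port (used for offline self-checks)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python probe_esx.py 10.10.x.x 10.10.y.y   (placeholder addresses)
    for target in sys.argv[1:]:
        results, verdict = check_host(target)
        for port, state in results.items():
            print(f"{target}:{port:<4} {state:<12} {VSPHERE_PORTS[port]}")
        print(f"  -> {verdict}")
```

Run it from the client's machine, since that is the path that is failing; a "timeout" on 902 while the VMs on the same segment answer normally is the signature of a drop between those two hosts, and the firewall's own log for that flow is then the next thing to read.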
 
> Is he able to connect to those hosts in a browser? i.e. http://10.10.x.x should bring him to a page where he can download the vSphere client and have links to misc admin info. If he can get to that page it is likely a networking/firewall problem and not a problem on the ESX hosts themselves. Otherwise you may have to go to a physical terminal for those hosts to see what's going on with the network configuration since I'm assuming you can't get onto the SSH tech support console for those either.
>
> I know you said that you have no rules on the firewall setup for those IPs, but just for reference here's a post about what ports to have open for remote management: http://communities.vmware.com/message/1044988#1044988

Thanks. Although it's not so much remote management.

Both the ESXi boxes and the client are behind the firewall on their LAN segment. The virtual networks are just virtual LAN interfaces on my firewall. So essentially, it's a LAN -> LAN connection, which my firewall (and every firewall I know of) allows all traffic by default between LAN hosts.

I really appreciate the input, it's just so strange he can get to the virtual machines and they perform fine (for example his DNS/domain controllers are virtual), but not the actual physical ESXi boxes.
 