VMware ESXi Connection Issue

Carlosinfl

I have a huge RAID 5 NAS device (10.1.1.115/24) on my internal network and the machine I use to connect to my ESXi server(s) is 10.1.1.50/24. However I do have a server running ESXi on my DMZ interface of my Firewall (Cisco ASA) and the ESXi server IP is 192.168.0.200/24. The problem is when I connect to any server running ESXi from VMware client on 10.1.1.50/24 it works great except the one server on the DMZ interface which is 192.168.0.200/24. I can connect but when I try to install any virtual machines on this host, it takes hours rather than minutes. I can only assume the problem is that I'm trying to build a virtual machine on the DMZ network (192.168.0.x/24) rather than the 10.1.1.x/24 network like I normally do. I don't have any connection errors and nothing is being blocked at the Firewall from what I can see. It's just beyond slow. If I build a virtual server, I usually leave it for the next day because that's how long the disk formatting process takes.


Anyone have any suggestions? Just to be clear:


10.1.1.50 (VMware client) ---> 10.1.1.x (ESXi server) = no problem

10.1.1.50 (VMware client) ---> 192.168.0.x (ESXi server) = super slow disk formatting and installation


All ESXi servers use NFS to map to the NAS device listed above where all the virtual machine shares are stored.


Please help!
 
The first test is the easiest one: to see if it's a network- or host-related problem, see about bringing the 192 ESXi box on to the 10.1 network and see if the problem persists.

Does the 192 host connect to the NAS on the 10 network? If so, you're going to want to check your routing between them as well as ensure that there's no packet inspection, AV, etc that your firewall is doing on that traffic as well.
 
The first test is the easiest one: to see if it's a network- or host-related problem, see about bringing the 192 ESXi box on to the 10.1 network and see if the problem persists.

Does the 192 host connect to the NAS on the 10 network? If so, you're going to want to check your routing between them as well as ensure that there's no packet inspection, AV, etc that your firewall is doing on that traffic as well.

When I change the server from 192.168.0.x to a 10.1.1.x IP, it's amazingly fast installing.

The server on 192.168.0.x subnet is in fact connecting to the NFS share where it stores all data on 10.1.1.x.

What do your access lists look like for the DMZ?

I'm going to export that to a text file so I can review it in more detail.
 
Could be an ASA issue. I'm not clear on how ESXi gets to the DMZ.

What does your global_policy policy map look like? Remove it totally and see what happens. It could be one of the inspect statements messing up NFS.
 
Yeah, this sounds like the ASA is doing something with the traffic. The other option would be if you're using jumbo frames and there's a config mismatch somewhere along the way with one of the pieces of gear.
 
You are going to need to put in a NAT rule for the DMZ to get it to work.

Type: Exempt
Original Source: Inside network
Original Destination: DMZ

That should let it communicate one way, hopefully.
 
Don't pass NAS through a firewall. Use a private network to the ESXi host. It's killing your performance.
 