OpenVPN + ESXi some ip unreachable

andmattia

Hi All

after some months in test env we implement, with alix hw, our network solution.

During the test period we use OpenVPN and in some case some IP are unreachable but we think that happen because pfsense was vm on the same node of the server but now the situation is the same.

so, we add a new node on esxi and in the new node I'm able to connect to all machine even one (vm ware center) but the situation is very strange.

Any one have idea or suggestion where I can try to invastigate about this issue?

thks to all

Mattia

Reiner030

Hi,

you modified your instances as suggested here?

http://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting#VMware_ESX.2FESXi_Users

cmb

The above is only if you're using CARP which it doesn't sound like you are. Those shouldn't be changed unless you're using CARP.

It's not clear to me what the setup is like, and what the specific problem is. It sounds like a general network connectivity problem, maybe the hosts don't have the correct default gateway set or have a local firewall which makes them not reachable off-subnet, amongst may other possibilities.

Reiner030

@cmb:

The above is only if you're using CARP which it doesn't sound like you are. Those shouldn't be changed unless you're using CARP.

sure? It's now month ago but as I remember it influes not only my CARP IP but also my real interface IPs/MAC Adresses in ARP cache of same/other firewalls so I didn't reach even the testing / later slave pfsense.

Pershaps interesting question in this case to te originial poster:
Do your servers which didn't reach the virtual pfsense reach other VM guests ?

cmb

@Reiner030:

@cmb:

The above is only if you're using CARP which it doesn't sound like you are. Those shouldn't be changed unless you're using CARP.

sure? It's now month ago but as I remember it influes not only my CARP IP but also my real interface IPs/MAC Adresses in ARP cache of same/other firewalls so I didn't reach even the testing / later slave pfsense.

Yes, the only reason that's required is because VMware will strictly send the MAC of the interface to that VM when not in promiscuous. CARP uses virtual MACs, and the only way to get MACs other than the VM's MAC to the VM is promiscuous mode. You get either one MAC or all the MACs with the stock vswitches.

andmattia

Update

I'm so frustrating because the situation is vary strange. the 2 ESX server have someone VM reacheable and someoneelse not reacheable.

My network x.x.3.x (fist esx_1 .2 second esx_2 .3 and vcenter .4) all this Ip when I use openVpn are no reachable.
Today I test all IP and I found that 3 machine in esx_1 are not reacheble and 4 works fine.

the situation is the same in the second esx_2.

If I use PPTP Vpn all works fine. Any idea?

gerdesj

I use OVPN on a large number of ESXi based pfSenses and have never had a problem.

So, how is your OpenVPN set up?  Do you use vShield?  What version of VMware?

Cheers
Jon

andmattia

after many & many & many check.

I simple recreate OpenVPN server with differrent network number and it's work fine. I don't know why… but it's work!

mattia