PfSense can't ping an IP address after a certain time
-
Hi and sorry for my english.
I have a strange problem. After a certain time I can't reach an IP address from the pfSense PC (Web and by command line) which is still reachable via another computer.
My software configuration is the following:
- ESXi 6.0
- pfSense 2.2.6
- CentOS 7 for the PC that I try to ping
My network topology is the following:
WAN -> pfSense (VM) -> LAN1 (DHCP 10.254.239.0) --> VMs with Web applications
                    -> LAN2 (DHCP 10.254.2.0) --> Users
- pfSense is installed in a Virtual Machine
- LAN1 is in charge of managing the network of all VMs which contain web applications
- LAN2 is in charge of connecting the users who use the web applications available from LAN1
Context:
I have one VM that has 2 network cards that we can call LAN1-PCx-ETH0 and LAN1-PCx-ETH1. The IP addresses of LAN1-PCx-ETH0 & LAN1-PCx-ETH1 are declared as static addresses in the DHCP of my LAN1.
When I boot all my VMs, I can reach all my IP addresses from the pfSense VM with a single ping.
After a certain time, for this machine, and only from the pfSense VM, I can't ping LAN1-PCx-ETH1 and sometimes LAN1-PCx-ETH0. But I can reach both from another VM.
I tried to ping with the IP addresses and hostnames. Maybe I did something wrong, but I don't see what and where?
Any help will be really appreciated :D
Thank you to all for your support.
Pascal
-
Why do you have 2 NICs on a VM in the same network??
Are these vms all on the same host? Is there any physical network involved?
What does pfSense show for the MAC in its ARP table for the IP you're trying to ping?
-
Hi,
Thank you for your reply.
The application that I use needs 2 network interfaces.
The VMs are on the same host (ESXi Server)
There is no physical network involved for the VMs. Physical networks are only linked to pfSense: one is a physical Ethernet port available on my machine, and the second WAN (called LAN2) is a USB/Ethernet interface. For all other machines everything works fine.
Finally, the ARP table contains the right information regarding these two IPs (crowdsource.eovalue.dmo and crowdserver.eovalue.dmo). I should add that after a certain time the connection comes back??? Without any change in my configuration.
? (10.254.2.1) at 00:10:60:dd:ab:c8 on ue0 permanent [ethernet]
3d.eovalue.dmo (10.254.239.91) at 00:50:56:00:02:55 on em1 expires in 992 seconds [ethernet]
app.eovalue.dmo (10.254.239.90) at 00:0c:29:66:3f:89 on em1 expires in 1133 seconds [ethernet]
auth.eovalue.dmo (10.254.239.89) at 00:0c:29:c1:88:33 on em1 expires in 335 seconds [ethernet]
owncloud.eovalue.dmo (10.254.239.95) at 00:0c:29:fd:46:d5 on em1 expires in 231 seconds [ethernet]
mapproxy.eovalue.dmo (10.254.239.94) at 00:0c:29:88:2f:4d on em1 expires in 407 seconds [ethernet]
3D-LAN2.eovalue.dmo (10.254.239.93) at 00:50:56:00:02:70 on em1 expires in 992 seconds [ethernet]
3D-LAN3.eovalue.dmo (10.254.239.92) at 00:50:56:00:02:71 on em1 expires in 1183 seconds [ethernet]
geoserver.eovalue.dmo (10.254.239.114) at 00:0c:29:55:fc:9c on em1 expires in 639 seconds [ethernet]
zoneminder.eovalue.dmo (10.254.239.106) at 00:0c:29:e2:18:39 on em1 expires in 1195 seconds [ethernet]
crowdserver.eovalue.dmo (10.254.239.97) at 00:0c:29:91:97:68 on em1 expires in 697 seconds [ethernet]
crowdsource.eovalue.dmo (10.254.239.96) at 00:0c:29:91:97:5e on em1 expires in 460 seconds [ethernet]
pfSense.eovalue.dmo (10.254.239.1) at 00:0c:29:90:03:40 on em1 permanent [ethernet]
? (10.100.133.222) at 00:0c:29:90:03:36 on em0 permanent [ethernet]
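The "what is in your ARP table" check can be done programmatically. The following Python is an added example, not code from the thread or from the pfSense project: it parses the line format that pfSense (FreeBSD) `arp -a` prints, as shown in the post above, reports whether a target IP currently has a resolved MAC, and flags a single MAC that answers for two IPs. The first sample is copied from the posted table; the second sample (an `(incomplete)`/`expired` entry, which is how FreeBSD prints an unresolved neighbour, plus two IPs sharing one MAC) is constructed. The shared-MAC check is general background rather than something the thread states: a Linux host with two NICs in one subnet and default ARP sysctls can answer an ARP request for either address from either interface, so the firewall's entry may end up pointing at the other NIC's MAC.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample 1: four lines taken from the ARP table posted above.
SAMPLE_ARP = """\
? (10.254.2.1) at 00:10:60:dd:ab:c8 on ue0 permanent [ethernet]
crowdserver.eovalue.dmo (10.254.239.97) at 00:0c:29:91:97:68 on em1 expires in 697 seconds [ethernet]
crowdsource.eovalue.dmo (10.254.239.96) at 00:0c:29:91:97:5e on em1 expires in 460 seconds [ethernet]
pfSense.eovalue.dmo (10.254.239.1) at 00:0c:29:90:03:40 on em1 permanent [ethernet]
"""

# Constructed sample 2 (hypothetical hosts/MACs): one unresolved entry and
# one MAC answering for two IPs, the pattern to look for with a dual-NIC VM.
SAMPLE_ARP_FLUX = """\
? (10.254.239.50) at (incomplete) on em1 expired [ethernet]
pcx-eth0 (10.254.239.60) at 00:0c:29:aa:bb:01 on em1 expires in 100 seconds [ethernet]
pcx-eth1 (10.254.239.61) at 00:0c:29:aa:bb:01 on em1 expires in 90 seconds [ethernet]
"""


@dataclass
class ArpEntry:
    host: str
    ip: str
    mac: Optional[str]      # None when the kernel has no link-layer address
    iface: str
    permanent: bool
    ttl: Optional[int]      # seconds until expiry; None if permanent/expired


# FreeBSD arp -a: "<host> (<ip>) at <mac>|(incomplete) on <if> <state> [ethernet]"
ARP_LINE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>[0-9.]+)\) at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}|\(incomplete\)) on (?P<iface>\S+) "
    r"(?P<state>permanent|expired|expires in (?P<ttl>\d+) seconds)"
)


def parse_arp(text: str) -> Dict[str, ArpEntry]:
    """Parse arp -a output into a dict keyed by IP address."""
    entries: Dict[str, ArpEntry] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ARP_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised arp line: {line!r}")
        mac = None if m["mac"] == "(incomplete)" else m["mac"]
        entries[m["ip"]] = ArpEntry(
            host=m["host"], ip=m["ip"], mac=mac, iface=m["iface"],
            permanent=(m["state"] == "permanent"),
            ttl=int(m["ttl"]) if m["ttl"] else None,
        )
    return entries


def arp_status(entries: Dict[str, ArpEntry], ip: str) -> str:
    """'missing' (never asked / aged out), 'incomplete' (asked, no answer),
    or 'resolved' (a MAC is known, so a ping can at least be sent)."""
    e = entries.get(ip)
    if e is None:
        return "missing"
    if e.mac is None:
        return "incomplete"
    return "resolved"


def shared_macs(entries: Dict[str, ArpEntry]) -> Dict[str, List[str]]:
    """Map each MAC that appears for more than one IP to those IPs."""
    by_mac: Dict[str, List[str]] = {}
    for e in entries.values():
        if e.mac:
            by_mac.setdefault(e.mac, []).append(e.ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for name, text in (("posted table", SAMPLE_ARP), ("flux sample", SAMPLE_ARP_FLUX)):
        table = parse_arp(text)
        print(f"== {name}: {len(table)} entries")
        for ip in sorted(table):
            print(f"  {ip:16} {arp_status(table, ip):10} {table[ip].mac}")
        for mac, ips in shared_macs(table).items():
            print(f"  WARNING: {mac} answers for {', '.join(ips)}")
```

On pfSense the input is the output of `arp -a` (Diagnostics > ARP Table in the web UI shows the same data); an entry that keeps flipping between `expires in N seconds` and `expired` for the problem IP, while the other VM keeps a stable entry, points at the ARP exchange rather than at routing or firewall rules.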
-
Well, when you can not ping it, what is in your ARP table? If you can not ARP for it, then no, you're not going to be able to ping it.. Is the machine going to sleep or something?
-
Yes, this ARP table is what I have when I can't ping.
No, the machine is not set to sleep. It is really strange. And sometimes the link comes back and I can ping it, then sometimes later I couldn't.
-
So you have the correct MAC in the ARP table and you can not ping it.. I would sniff on the machine you're trying to ping and validate it sees the ping request, and then see if it sends a response.
If you have correct mac in your arp, I would guess firewall on host maybe? Or packets getting lost somewhere - need to figure out which it is.
-
OK, thank you for the investigation. I have to sniff the packets exchanged between the firewall and the client machine. I will come back to you soon with the trace.
Thanx again.