I was just reviewing the firewall logs to see if I could spot something 
glaring...

I was seeing log entries (for example) where an inside client tries to talk to 
the university enterprise DNS server over port 53 and it's being rejected due to 
"Licensed host limit" being exceeded...

It appears that I have a licensing problem that I was not aware of until now 
(yet another lesson learned WRT Cisco products: carefully check the licensing!)

On the old unit, I'm licensed for 50 inside hosts.
On the new unit, only 10!!!!

I have more than 10 statically addressed server and VM hosts, never mind my 
network printers and client PC's!

So I've sent a note to my local Cisco VAR contact.

Not sure if increasing the inside host limit will entirely solve the original 
problem but getting the limit changed will sure help in subsequent testing.

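A way to do the firewall log review described above in bulk, as an added example in Python that is not part of this thread: it scans an ASA syslog extract for the "licensed host limit" deny, counts which inside hosts and which services are being refused, and lists every inside host the extract mentions at all. The sample lines, the addresses, and the `inside` interface name are constructed assumptions, not data from the thread.

```python
"""Summarize 'licensed host limit' denies in a Cisco ASA syslog extract.

Added example; the log lines below are constructed and use documentation
addresses (RFC 5737), not anything from the thread.
"""
import re
from collections import Counter

# Constructed sample: four denies from three inside hosts, plus one normal
# connection-built line so the script also sees a host that was allowed.
SAMPLE_LOG = """\
Apr 21 2017 10:02:11 fw01 %ASA-4-450001: Deny traffic for protocol 17 src inside:192.0.2.21/53411 dst outside:198.51.100.53/53, licensed host limit of 10 exceeded.
Apr 21 2017 10:02:12 fw01 %ASA-4-450001: Deny traffic for protocol 6 src inside:192.0.2.22/49201 dst outside:198.51.100.80/443, licensed host limit of 10 exceeded.
Apr 21 2017 10:02:13 fw01 %ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.80/443 (198.51.100.80/443) to inside:192.0.2.15/50123 (203.0.113.5/50123)
Apr 21 2017 10:02:14 fw01 %ASA-4-450001: Deny traffic for protocol 17 src inside:192.0.2.21/53412 dst outside:198.51.100.53/53, licensed host limit of 10 exceeded.
Apr 21 2017 10:02:15 fw01 %ASA-4-450001: Deny traffic for protocol 1 src inside:192.0.2.23/0 dst outside:198.51.100.1/0, licensed host limit of 10 exceeded.
"""

# One 'licensed host limit' deny line -> the fields we care about.
LIMIT_RE = re.compile(
    r"Deny traffic for protocol (?P<proto>\d+) "
    r"src (?P<src_if>\w+):(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+), "
    r"licensed host limit of (?P<limit>\d+) exceeded",
    re.IGNORECASE,
)
# Any 'iface:ip/port' token, used to collect every inside host the log mentions.
ADDR_RE = re.compile(r"\b(?P<iface>[A-Za-z_]\w*):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/\d+")


def parse_limit_denies(log_text):
    """Return a list of dicts, one per deny caused by the licensed host limit."""
    denies = []
    for line in log_text.splitlines():
        m = LIMIT_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("proto", "sport", "dport", "limit"):
            d[key] = int(d[key])
        denies.append(d)
    return denies


def summarize(log_text, inside_if="inside"):
    """Aggregate the denies: which hosts and services are refused, and how many
    distinct inside hosts the extract mentions at all (allowed or denied).
    inside_if is the ASA interface name the LAN sits behind (assumed 'inside')."""
    denies = parse_limit_denies(log_text)
    limit = max((d["limit"] for d in denies), default=None)
    denied_hosts = Counter(d["src"] for d in denies if d["src_if"] == inside_if)
    by_service = Counter((d["proto"], d["dport"]) for d in denies)
    seen = set()
    for line in log_text.splitlines():
        for m in ADDR_RE.finditer(line):
            if m.group("iface") == inside_if:
                seen.add(m.group("ip"))
    return {
        "limit": limit,
        "deny_count": len(denies),
        "denied_hosts": dict(denied_hosts),
        "by_service": dict(by_service),
        "inside_hosts_seen": sorted(seen),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"licensed host limit on this unit: {s['limit']}")
    print(f"{s['deny_count']} denies from {len(s['denied_hosts'])} inside hosts")
    for host, n in sorted(s["denied_hosts"].items()):
        print(f"  {host}: {n} denied flow(s)")
    for (proto, port), n in sorted(s["by_service"].items()):
        print(f"  proto {proto} dport {port}: {n} denied flow(s)")
    print(f"distinct inside hosts in extract: {len(s['inside_hosts_seen'])}")
```

The count of inside hosts seen is only a lower bound from whatever window the extract covers; the limit the ASA enforces is the one printed in the deny line itself, which is the value to compare against the host count the LAN actually needs.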

-----Original Message-----
From: Gordon Pegue 
Sent: Friday, April 21, 2017 9:29 AM
To: [email protected]
Subject: RE: Hyper-V host networking issue

Pings from VM to VM host, VM host to VM, server to server, VM to VM, server & 
VM to gateway (firewall private) all work just fine.
The way the university has its enterprise network setup, I cannot ping the IP 
of anything outside the firewall.
Server arp table lists MAC of gateway, firewall arp table lists MAC of all the 
inside hosts (PC's & servers & VM's) and the MAC of the enterprise gateway.

There is no DC in the LAN; DNS (and DC services) are from enterprise; LAN DHCP 
for PC's is from firewall.
DNS config settings in both firewalls are identical.

So I started testing applications/services and as expected from above, 
everything internally was working just fine. Yippee (I thought)...

It wasn't until I tried testing access from outside-in with a spare police 
vehicle laptop that it became apparent that something was still amiss.
Laptop linked up to Sprint wireless OK; VPN tunnel to the firewall was OK (I 
could see the VPN tunnel listed in the firewall ASDM VPN logging/monitoring 
page; using ASDM from inside); mobile app that officers in-car use to connect 
to internal dispatch, records and NCIC services failed with an error indicating 
that laptop couldn't reach dispatch/records system authentication service.
Hmmm... Look at network icons on Hyper-V host servers and VM's, network icons 
show yellow exclamation and launching google in a browser fails - can't get out.
All internal pings still running just fine....

My window of opportunity to do all this has shrunk to zero so I reverted back 
to the old unit.


I'm even more baffled now.

Thoughts?




-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Michael B. Smith
Sent: Thursday, April 20, 2017 3:04 PM
To: [email protected]
Subject: [NTSysADM] RE: Hyper-V host networking issue

There is some basic network testing missing here.

This statement specifically: " If I remove my existing Cisco and replace it 
with the new Cisco, the Hyper-V host servers lose their network connection, 
which of course means the VM's lose theirs too."

What exactly does it mean? Can the hyper-v host servers ping each other? Can 
the VMs ping each other? Can the VMs ping the various hosts? Can the host 
servers ping the public and/or the private IP addresses of the 5505?

In both cases, does the Hyper-V host arp table show the MAC for the private 
connection on the 5505? Does the ARP table on both 5505's show the MAC address 
for the Hyper-V servers?

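The ARP-table checks Michael asks for, as an added example in Python that is not part of this thread: it parses `arp -a` output captured on each Windows host and classifies that host's entry for the gateway as present with the expected firewall MAC, present with a different MAC, or missing entirely. The captures, the addresses and MACs, and the "expected" firewall MAC are all constructed assumptions.

```python
"""Compare the gateway ARP entry across Windows hosts (`arp -a` output).

Added example; the captures below are constructed (RFC 5737 addresses,
made-up MACs) and the expected firewall MAC is an assumption.
"""
import re

# Constructed `arp -a` captures from three LAN hosts after a firewall swap.
ARP_CAPTURES = {
    "hyperv1": """\
Interface: 192.0.2.11 --- 0xb
  Internet Address      Physical Address      Type
  192.0.2.1             00-11-22-33-44-55     dynamic
  192.0.2.12            00-15-c5-aa-bb-cc     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
""",
    "hyperv2": """\
Interface: 192.0.2.12 --- 0xc
  Internet Address      Physical Address      Type
  192.0.2.1             00-11-22-33-44-66     dynamic
  192.0.2.11            00-15-c5-dd-ee-ff     dynamic
""",
    "server4": """\
Interface: 192.0.2.14 --- 0xd
  Internet Address      Physical Address      Type
  192.0.2.12            00-15-c5-aa-bb-cc     dynamic
""",
}

NEW_FIREWALL_MAC = "00:11:22:33:44:66"  # assumed: inside-interface MAC of the replacement unit
GATEWAY_IP = "192.0.2.1"                # assumed: LAN default gateway (firewall inside IP)

# One data row of `arp -a`: IP, MAC (dash- or colon-separated), entry type.
ARP_ROW_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<type>dynamic|static)\s*$",
    re.IGNORECASE,
)


def normalize_mac(mac):
    """Lowercase, colon-separated form so Windows and ASA notations compare equal."""
    return mac.lower().replace("-", ":")


def parse_windows_arp(text):
    """Parse `arp -a` output into {ip: (mac, type)}; header/interface lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW_RE.match(line)
        if m:
            table[m.group("ip")] = (normalize_mac(m.group("mac")), m.group("type").lower())
    return table


def check_gateway(table, gateway_ip, expected_mac):
    """Classify one host's view of the gateway: 'missing', 'stale' (other MAC) or 'ok'."""
    entry = table.get(gateway_ip)
    if entry is None:
        return {"status": "missing", "mac": None}
    mac, _ = entry
    status = "ok" if mac == normalize_mac(expected_mac) else "stale"
    return {"status": status, "mac": mac}


def compare_hosts(captures, gateway_ip, expected_mac):
    """Run the gateway check over every host's capture and return results by host name."""
    return {name: check_gateway(parse_windows_arp(text), gateway_ip, expected_mac)
            for name, text in captures.items()}


if __name__ == "__main__":
    for host, r in compare_hosts(ARP_CAPTURES, GATEWAY_IP, NEW_FIREWALL_MAC).items():
        print(f"{host:8s} gateway {GATEWAY_IP}: {r['status']} ({r['mac']})")
```

A "stale" result means the host still has a MAC for the gateway that is not the firewall currently on the wire; a "missing" result means the host never resolved the gateway at all, which is a different failure to chase than a wrong cached entry.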
-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Gordon Pegue
Sent: Thursday, April 20, 2017 3:01 PM
To: [email protected]
Subject: [NTSysADM] Hyper-V host networking issue

Greets --

I've got a head-scratcher that my google-fu is not resolving.

I have a Cisco ASA 5505 firewall in place at my university department perimeter.

I have four physical Dell PowerEdge T710 servers on the LAN, all running 
WinSrvr 2008R2 x64 Enterprise.

Three of the physical servers are Hyper-V machines, each hosting at least 2 
WinSrvr 2008R2 x64 Enterprise guest VM's.
(And one of the Hyper-V host machines has its guest VM's stopped and disabled 
as the physical box is going to be repurposed)

All four servers have the Broadcom BCM5709C NetXtreme II GigE NIC's.
The 3 Hyper-V boxes are each configured with the Virtual Switch bound to a 
single NIC and a statically addressed Virtual Network for the box.
The VM's each have statically addressed Virtual Machine Bus Network Adapters 
configured.

Networking/everything is fine, no problems - when using the existing firewall.
I've seen none of the Broadcom issues that have been reported.


I have a second ASA 5505 firewall, with up-to-date firmware and more RAM (and a 
maintenance agreement with a Cisco VAR - which is why I want to swap out the 
device).
The FW configuration settings are identical, with the exception of the boot 
image that loads when the firewall is rebooted.

If I remove my existing Cisco and replace it with the new Cisco, the Hyper-V 
host servers lose their network connection, which of course means the VM's lose 
theirs too.
The one physical Dell box that is not a Hyper-V host works just fine with 
either firewall! But not the Hyper-V boxes....

As I said, my google-fu is not working too well in this instance. Most hits 
talk about intermittent/random loss of connectivity (which I'm NOT seeing) and 
suggest that the possible answer is to use the following registry hack to 
disable TCP Offloading on the VM's:

Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value(DWORD): DisableTaskOffload = 1 

Now the catch-22 for me? I work for a university law enforcement agency which 
is 24x7x365 so I obviously cannot be blowing up internet access willy-nilly as 
I try different possible solutions...
So... I tried clearing the arp cache on the hyper-v hosts to no effect. I've 
not tried anything else yet other than to reinstall the existing firewall so 
that my department is back up (and my officers in the field can use their 
in-car KDT's).



If networking with my existing ASA 5505 is fine, why are my hyper-v boxes 
dropping the connection when I plug in the new ASA?
What the heck am I missing?

TIA
Gordon
