network | Electric Monk

Tag Archive for network

Network Partition on vSAN Cluster

July 16, 2021 vSAN No comments

The problem

We had an interesting problem with a 6 host vSAN cluster where 1 host seemed to be in a network partition according to Skyline Health. I thought it would be useful to document our troubleshooting steps as it can come in useful. Our problem wasn’t one of the usual network mis-configurations but in order to reach that conclusion we needed to perform some usual tests

We had removed this host from the vSAN cluster, the HA cluster and removed from the inventory and rebuilt it, then tried adding it back into the vSAN cluster with the other 5 hosts. It let us add the host to the current vSAN Sub-cluster UUID but then partitioned itself from the other 5 hosts.

Usual restart of hostd, vpxa, clomd and vsanmgmtd did not help.

Test 1 – Check each host’s vSAN details

Running the command below will tell you a lot of information on the problem host, in our case techlabesxi1

esxcli vsan cluster get

Enabled: True
Current Local Time: 2021-07-16T14:49:44Z
Local Node UUID: 70ed98a3-56b4-4g90-607c4cc0e809
Local Node Type: NORMAL
Local Node State: MASTER
Local Node Health State: HEALTHY
Sub-Cluster Master UUID: 70ed45ac-bcb1-c165-98404b745103
Sub-Cluster Backup UUID: 70av34ab-cd31-dc45-8734b32d104
Sub-Cluster UUID: 527645bc-789d-745e-577a68ba6d27
Sub-Cluster Member Entry Revision: 1
Sub-Cluster Member Count: 1
Sub-Cluster Member UUIDs: 98ab45c4-9640-8ed0-1034-503b4d875604
Sub-Cluster Member Hostnames: techlabesx01
Unicast Mode Enabled: true
Maintenance Mode State: OFF
Config Generation: b3289723-3bed-4df5-b34f-a5ed43b4542b43 2021-07-13T12:57:06.153

Straightaway we can see it is partitioned as the Sub-Cluster Member UUIDs should have the other 5 hosts’ UUID in and the Sub-Cluster Member Hostnames should have techlabesxi2, techlabesxi3, techlabesxi4, techlabesxi5, techlabesxi6. It has also made itself a MASTER where as we already have a master with the other partitioned vSAN cluster and there can’t be two masters in a cluster.

Master role:

A cluster should have only one host with the Master role. More than a single host with the Master role indicates a problem
The host with the Master role receives all CMMDS updates from all hosts in the cluster

Backup role:

The host with the Backup role assumes the Master role if the current Master fails
Normally, only one host has the Backup role

Agent role:

Hosts with the Agent role are members of the cluster
Hosts with the Agent role can assume the Backup role or the Master role as circumstances change
In clusters of four or more hosts, more than one host has the Agent role

Test 2 – Can each host ping the other one?

A lot of problems can be caused by the misconfiguration of the vsan vmkernel and/or other vmkernel ports however, this was not our issue. It is worth double checking everything though. IP addresses across the specific vmkernel ports must be in the same subnet.

Get the networking details from each host by using the below command. This will give you the full vmkernel networking details including the IP address, Subnet Mask, Gateway and Broadcast

esxcli network ip interface ipv4 address list

It may be necessary to test VMkernel network connectivity between ESXi hosts in your environment. From the problem host, we tried pinging the other hosts management network.

vmkping -I vmkX x.x.x.x

Where x.x.x.x is the hostname or IP address of the server that you want to ping and vmkX is the vmkernel interface to ping out of.

This was all successful

Test 3 – Check the unicast agent list and check the NodeUUIDs on each host

To get a check on what each host’s nodeUUID is, you can run

esxcli vsan cluster unicastagent list

Conclusion

We think what happened was that the non partitioned hosts had a reference to an old UUID for techlabesx01 due to us rebuilding the host. The host was removed from the vSAN cluster and the HA cluster and completely rebuilt. However, when we removed this host originally, the other hosts did not seem to update themselves once it had gone. So when we tried to add it back in, the other hosts didn’t recognise it.

The Fix

What we had to do was disable ClustermemberListUpdates on each host

esxcfg-advcfg -s 1 /VSAN/IgnoreClustermemberListupdates

Then remove the old unicastagent information from each host for techlabesx01

esxcli vsan cluster unicastagent remove -a 192.168.1.10

Then add the new unicastagent details to each host. You have seen where to get the host UUID in Step 1

esxcli vsan cluster unicastagent add -t node -u 70ed98a3-56b4-4g90-607c4cc0e809 -U true -a 192.168.1.10 -p 12321

This resolved the issue

Identify configuration files related to network security

March 4, 2013 Objective 7 Secure a vSphere environment No comments

ESXi Security

By introducing a layer of abstraction between the physical hardware and virtualized systems running IT services, virtualization technology provides a powerful means to deliver cost savings via server consolidation as well as increased operational efficiency and flexibility. However, the added functionality introduces a virtualization layer that itself becomes a potential avenue of attack for the virtual services being hosted. Because a single host system can house multiple virtual machines, the security of that host becomes even more important. Because it is based on a light‐weight kernel optimized for virtualization, VMware ESX and VMware ESXi are less susceptible to viruses and other problems that affect general‐purpose operating systems. However, ESX/ESXi is not impervious to attack, and you should take proper measures to harden it, as well as the VMware VirtualCenter management server, against malicious activity or unintended damage

The log files provide an important tool for diagnosing breaches of security as well as other system issues. They also provide audit information. In addition to storing information in files on the local host, you can also send this information to a remote syslog server

As with ESX, ESXi maintains its configuration state in a set of configuration files. However, on ESXi these files can be accessed only using the remote file access API, and there are far fewer files involved. These files normally are not modified directly. Instead, their contents normally change indirectly because of some action invoked on the host. However, the file access API does allow for direct modification of these files, and some modifications might be warranted in special circumstances. Therefore, you should monitor all of these files for integrity and unauthorized tampering, either by periodically downloading them and tracking their contents or by using a commercial tool designed to do this.

Tune ESXi VM Network Configuration

January 30, 2013 Objective 3 Tuning and Optimisation No comments

Tuning Configuration

Use the VMXNet3 adapter and if it is not supported use the VMXNET/VMXNET2 adapter

Use a network adapter that supports TCP Checksum, TSO and Jumbo Frames multiqueue support (also known as Receive Side Scaling in Windows), IPv6 offloads, and MSI/MSI-X interrupt delivery
Use the fastest ethernet you can. 10GB preferable
Ensure the speed and duplex settings on the network adapters is correct. For 10/100 nics, set the speed and duplex. Make sure the duplex is set to full duplex
For NICs, Gigabit Ethernet or higher set the speed and duplex to auto-negotiate
DirectPath I/O (DPIO) provides a means of bypassing the vmkernel, giving a VM direct access to hardware devices by leveraging Intel VT-D and AMD-V hardware support. Specific to networking, DPIO allows a VM to connect directly to the hosts physical network adapter without the overhead associated with emulation or paravirtualization. The bandwidth increases associated with DPIO are nominal but the savings on CPU cycles can be substantial for busy workloads. There are quite a few restrictions when utilizing DPIO. For example, unless using Cisco UCS hardware, DPIO is not compatible with hot-add, FT, HA, DRS or snapshots.
Use NIC Teaming where possible. VMware’s proprietry network teaming or Etherchannel
Virtual Machine Communications Interface (VMCI) is a virtual device that promotes enhanced communication between a virtual machine and the host on which it resides, and between VMs running on the same host. VMCI provides a high-speed alternative to standard TCP/IP sockets. The VMCI SDK enables engineers to develop applications which take advantage of the VMCI infrastructure. With VMCI, VM application traffic (of VMs on the same host) bypasses the network layer, reducing communication overhead. With VMCI, it’s not uncommon for inter-VM traffic to exceed 10 GB/s

Search

Search for:
Calendar

November 2024

M T W T F S S

1 2 3

4 5 6 7 8 9 10

11 12 13 14 15 16 17

18 19 20 21 22 23 24

25 26 27 28 29 30

« Jun
Social Media and RSS
vExpert
Recent Posts
- Windows Virtualization Based Security June 8, 2024
- SNMP explained January 29, 2023
- Using tcpdump December 14, 2022
- Vdbench August 7, 2022
- What is SSPI – Security Support Provider Interface? February 12, 2022
Archives
- June 2024 (1)
- January 2023 (1)
- December 2022 (1)
- August 2022 (1)
- February 2022 (2)
- October 2021 (1)
- July 2021 (1)
- May 2021 (1)
- March 2021 (1)
- February 2021 (1)
- January 2021 (1)
- December 2020 (1)
- November 2020 (2)
- October 2020 (1)
- August 2020 (1)
- July 2020 (2)
- June 2020 (2)
- April 2020 (1)
- March 2020 (2)
- December 2019 (1)
- November 2019 (2)
- August 2019 (1)
- July 2019 (1)
- May 2019 (1)
- April 2019 (1)
- February 2019 (1)
- January 2019 (2)
- December 2018 (1)
- November 2018 (1)
- October 2018 (1)
- August 2018 (1)
- June 2018 (1)
- April 2018 (1)
- March 2018 (1)
- January 2018 (1)
- November 2017 (1)
- October 2017 (1)
- September 2017 (1)
- August 2017 (1)
- June 2017 (1)
- May 2017 (1)
- April 2017 (2)
- March 2017 (1)
- February 2017 (1)
- January 2017 (1)
- December 2016 (1)
- November 2016 (2)
- September 2016 (1)
- August 2016 (2)
- July 2016 (2)
- May 2016 (2)
- February 2016 (3)
- January 2016 (3)
- December 2015 (3)
- November 2015 (1)
- October 2015 (2)
- September 2015 (2)
- August 2015 (2)
- July 2015 (2)
- June 2015 (3)
- May 2015 (2)
- April 2015 (1)
- March 2015 (2)
- February 2015 (2)
- January 2015 (2)
- December 2014 (3)
- November 2014 (2)
- October 2014 (1)
- September 2014 (2)
- August 2014 (2)
- July 2014 (2)
- June 2014 (3)
- May 2014 (1)
- April 2014 (1)
- March 2014 (6)
- February 2014 (2)
- January 2014 (2)
- December 2013 (1)
- November 2013 (3)
- October 2013 (5)
- September 2013 (1)
- August 2013 (2)
- July 2013 (6)
- June 2013 (4)
- May 2013 (5)
- April 2013 (4)
- March 2013 (28)
- February 2013 (53)
- January 2013 (63)
- December 2012 (13)
- November 2012 (11)
- October 2012 (13)
- September 2012 (6)
- August 2012 (16)
- July 2012 (22)
- June 2012 (16)
- May 2012 (19)
- April 2012 (10)
- March 2012 (13)
- February 2012 (32)
- January 2012 (25)
Categories
- Benchmarking (3)
- Certification (164)
  - Microsoft (1)
  - VCAP5 DCA (155)
    - Objective 1 Storage (33)
    - Objective 2 Networking (21)
    - Objective 3 Tuning and Optimisation (26)
    - Objective 4 Business Continuity (11)
    - Objective 5 Operational Maintenance (15)
    - Objective 6 Advanced Troubleshooting (28)
    - Objective 7 Secure a vSphere environment (15)
    - Objective 8 Perform Scripting and Automation (8)
    - Objective 9 Advanced vSphere Installation (8)
  - VCP5-DCV (1)
- Cisco (1)
- Command Line (8)
  - PowerCLI (3)
  - Robocopy (1)
  - vCLI (1)
- Flex 10 (1)
- FreeNas (2)
- IMM/RSA (1)
- IPv6 (2)
- IT (38)
- Kubernetes (1)
- McAfee Products (1)
- microsoft (89)
  - Active Directory (7)
  - ActiveSync (1)
  - App-V (2)
  - Auditing (1)
  - BgInfo (1)
  - CA (1)
  - Clustering (6)
    - Microsoft Failover Clustering (2)
    - SQL Failover Clustering (1)
  - DFS (5)
  - DHCP (1)
  - Disk Quotas (1)
  - DNS (1)
  - Excel (1)
  - Forest Trusts (1)
  - Group Policy (3)
  - Hyper V (1)
  - Kerberos (1)
  - NAP (1)
  - Networking (2)
  - NLB (2)
  - NTFS (1)
  - Performance (3)
  - PowerShell (5)
  - Process Explorer (1)
  - Registry Mods (1)
  - RemoteApp (1)
  - Roaming Profiles (3)
  - ROUTE Command (1)
  - Shrinking Drives (1)
  - SQL Server (6)
  - System Volume Information (1)
  - Technet Labs (1)
  - Terminal Services (7)
  - Time Synchronisation (1)
  - UAC (1)
  - Upgrading Windows Editions (1)
  - WFAS (1)
  - Windows Firewall (1)
  - Windows Server 2012 (9)
  - XP Mode (1)
- Mobile Telephony (1)
- Networking (3)
- Oracle RAC (1)
- Personal (8)
- Security (1)
- SNMP (1)
- SRM (1)
- Storage (6)
- Technology (2)
- VdBench (1)
- Viso (1)
- VMware (206)
  - Active Directory Integration (1)
  - AD LDS (1)
  - Antivirus (1)
  - AutoDeploy (4)
  - Autolab (1)
  - Blogs (1)
  - Certificates (1)
  - Cloning (2)
  - Cluster Admission Control (1)
  - Clustering (3)
  - Compatibility Guide (1)
  - Database (6)
  - Documentation Center (4)
  - DRS (1)
  - ESXTOP + RESXTOP (4)
  - EVC (1)
  - F5 Load Balancer (1)
  - Guest O/S Customization (1)
  - HA (7)
  - Host profiles 6.5 (2)
  - iPad Knowledge App (1)
  - Labs (1)
  - Licensing (2)
  - Logs (3)
  - Monitoring (15)
  - NetFlow (1)
  - Networking (10)
  - NLB (1)
  - PowerCLI (4)
  - PSA and NMP (1)
  - RDM (1)
  - Resource Pools (1)
  - SMP (2)
  - Snapshots (1)
  - SSO (2)
  - Storage (32)
  - Time Syncing (1)
  - TPS (1)
  - UMDS (2)
  - Upgrading (3)
  - USB Devices (1)
  - VAAI (1)
  - vApps (1)
  - VASA (1)
  - vCenter (7)
  - vCheck (1)
  - vCLI (1)
  - VCSA 6.5 (2)
  - vMA (1)
  - vMotion (2)
  - VMware Labs (1)
  - VMware Tools (1)
  - VMware View (1)
  - vRA (13)
    - F5 Load Balancer with vRA (1)
    - vRA Certificates (1)
    - vRA Distributed Deployment v6.2.3 (3)
      - Part 1 (1)
      - Part 2 (1)
      - Part 3 (1)
    - vRA Small Deployment v6.2.3 (7)
      - Part 1 (1)
      - Part 2 (1)
      - Part 3 (1)
      - Part 4 (1)
      - Part 5 (1)
      - Part 6 (1)
      - Part 7 (1)
    - vRA7 (1)
      - vRA7 Minimal Deployment (1)
  - vRealize Log Insight (3)
    - Management Packs (1)
    - vCO Monitoring (1)
  - vROps (1)
    - Replacing Certificates (1)
  - VSA (1)
  - vSAN (8)
    - HCIBench (3)
    - vSAN Stretched Cluster (1)
  - vSphere 6 (10)
    - Decommissioning vCenter and PSC (1)
    - HTML5 Web Client (1)
    - JXplorer (1)
    - Platform Services Controller (5)
      - Enhanced Linked Mode (1)
      - High Availability (1)
      - Multisite (3)
    - PSC Replication (1)
    - Registering Orchestrator in vSphere (1)
  - vSphere Web Client (1)
- Web (1)
Tags

2012 ad AutoDeploy Certificate certification cluster Clustering DB DFS DRS esxi firewall gpo HA I/O iSCSI Labs logs LUN memory Microsoft NIC Performance powercli powershell PSA PSC RDM RDS sql storage Storage vMotion troubleshooting tuning upgrade vCenter vDS vm VMDK VMware vRA vro VSAN vsphere6 vSS
Fatcow Webhosting

Tag Archive for network

Network Partition on vSAN Cluster

Identify configuration files related to network security

Tune ESXi VM Network Configuration

Electric Monk

Don't think about what can happen in a month. Don't think what can happen in a year. Just focus on the 24 hours in front of you and do what you can to get closer to where you want to be :-)

Search

Calendar

Social Media and RSS

vExpert

Recent Posts

Archives

Categories

Tags

Fatcow Webhosting