Problems with remote ESX host disconnecting from vCentre

aimvicit
Hi all,

We have a remote ESX host in a co-lo for DR. As we were unable to implement a bridge between our network and the co-lo (ISP limitation), we have had to implement a solution via WatchGuard firewalls that allows both networks to have the same IP range (to avoid re-config issues if we have to bring up a remote VMware guest), but we have subnets between them and 1:1 NAT in place to translate the IP traffic.

So, our production network is 192.168.11.x. The remote co-lo network is also 192.168.11.x, but to connect to a device over there we connect to a 192.168.20.x address which NATs back to the 192.168.11.x address of the remote device. To connect back to our production network from the co-lo, we have to use a 192.168.19.x address which again NATs back to the 192.168.11.x address on our production network. It's messy, but it works.

The only issue is vCentre. It connects to the remote host fine but times out after a few minutes. Disconnecting and reconnecting works fine, again just for a few minutes before it drops off again. Connecting directly to the host via the VI client is fine, as is an http connection to the host.

This appears to be due to the fact that in connecting to the remote host via vCentre, the remote host is given the IP address of the vCentre that is initiating the connection, which in this case is 192.168.11.227. I suspect the remote host is looking for vCentre on that address, which it won't be able to contact as from that location the vCentre will be on 192.168.19.227.

So, somehow we need to tell the remote ESX host that the vCentre is on another subnet.

Does this sound correct? If so, what is the process to correct the problem?

Many thanks,

David.  
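
The addressing scheme described in the question, modelled as an added example that is not part of the original post. It shows where a packet lands depending on which address the co-lo host uses for vCentre, which is the situation the poster suspects; the ESX host address 192.168.11.50 is a constructed sample and the function names are hypothetical.

```python
import ipaddress

# Real range used at BOTH sites (from the question).
LOCAL_NET = ipaddress.ip_network("192.168.11.0/24")
# Alias range a site must dial to reach the *other* site (from the question).
ALIAS_TO_PEER = {
    "production": ipaddress.ip_network("192.168.20.0/24"),  # production -> co-lo
    "colo": ipaddress.ip_network("192.168.19.0/24"),        # co-lo -> production
}
PEER = {"production": "colo", "colo": "production"}


def deliver(src_site, dst):
    """Return (site, real_address) where a packet sent from src_site to dst
    lands, or None if neither the local LAN nor the 1:1 NAT rule covers dst."""
    dst = ipaddress.ip_address(dst)
    if dst in LOCAL_NET:
        # The same range exists locally, so the packet never reaches the firewall.
        return (src_site, str(dst))
    alias = ALIAS_TO_PEER[src_site]
    if dst in alias:
        # 1:1 NAT keeps the host part and swaps the network part.
        offset = int(dst) - int(alias.network_address)
        return (PEER[src_site], str(LOCAL_NET.network_address + offset))
    return None


def alias_for(real, seen_from):
    """Address that seen_from must dial to reach real (192.168.11.x) on the peer site."""
    real = ipaddress.ip_address(real)
    if real not in LOCAL_NET:
        raise ValueError(f"{real} is not in {LOCAL_NET}")
    offset = int(real) - int(LOCAL_NET.network_address)
    return str(ALIAS_TO_PEER[seen_from].network_address + offset)


if __name__ == "__main__":
    vcentre = "192.168.11.227"   # vCentre address from the question
    esx_host = "192.168.11.50"   # constructed sample address for the co-lo host
    dialled = alias_for(esx_host, "production")
    print("vCentre dials", dialled, "->", deliver("production", dialled))
    # Host answers to the address vCentre announced: stays inside the co-lo.
    print("host sends to", vcentre, "->", deliver("colo", vcentre))
    # Host answers to the NAT alias instead: reaches production.
    back = alias_for(vcentre, "colo")
    print("host sends to", back, "->", deliver("colo", back))
```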

 

Top Expert 2009

Commented:
You don't have to do bridging; if both sites have internet you can do a site-site VPN and I'm sure your problem will be solved.
I understand the DR host is located at the co-lo site, but you can still have your own private internet connection, right?
Paul Solovyovsky, Senior IT Advisor
Top Expert 2008

Commented:
We have this type of situation with some of our customers and the solution may be easier than doing the 1:1 NAT.  I would put the ESX hosts at the DR onto a different subnet (management) and set up a WG site-to-site VPN.  The VMs can be on a vswitch with the same IP info as at the source and can be managed from VC.  This will avoid any IP conflict issues.

My $.02

Author

Commented:
Thanks for the comments. I should have mentioned that we will be using vReplicator to back up the production guests to the DR site. If we had the co-lo ESX host on another subnet and the guests on the same subnet as production by using a vswitch, how would we fail over to the guests from the production network? That would fail, wouldn't it?

The reason for the 1:1 NAT was as a temporary measure as WatchGuard are releasing firmware that will set up a bridge via the firewalls. Bridging is the recommended network setup for vReplicator. Would love to get it working as is, as we have invested quite a bit of time and effort getting the network working correctly. It's just vCentre that seems to have an issue.

Any thoughts?

Thanks again.
Top Expert 2009
Commented:
Yeah, you are right, and that is why VMware introduced SRM so that you don't have to go through all the trouble to plan your DR. Even with different subnets SRM is capable of remapping/re-IPing addresses, not sure how exactly this is done though, but it can change OS IP addresses on failover between sites on different subnets.

Another possible solution is a VLAN across a site-site VPN; generally carrying layer 2 across the WAN is not recommended, but it is achievable.
Hope this gives you some idea.

Good luck!
Paul Solovyovsky, Senior IT Advisor
Top Expert 2008
Commented:
If you are using vReplicator the solution I provided would work because the connection between the ESX hosts would be there even though they're on different subnets.  The vswitches would have the same name as your source and the VMs would be on the same subnet as the source.  The ESX host does not need to be on the same subnet as your VMs.

You would fail over the same way you would be doing currently, or you create a procedure to change IPs and have users route to the new subnet.  Another solution is to fail over the resources to the remote site via Terminal Services or Citrix (site failover).

Author

Commented:
Hi all, sorry for the delay, we're going to wait for the WatchGuard update that supports bridging. Vizioncore recommend this and we feel that anything else will be a work-around and not ideal for DR recovery.

Thanks for all the help.
