Site-to-Site VPN tunnel traffic flow problems

Firewalls in use – SonicWall 3500 & Cisco 506e

Several months ago we relocated, and it became necessary to set up a site-to-site VPN tunnel with another network. (In this instance the other network was not directly managed by us.)

When the tunnel was first created, traffic tests were successful and all looked well. However, after several hours (or less, in some cases) traffic stopped flowing, yet both firewalls reported the tunnel as “up”. We reviewed the Phase 1 and Phase 2 settings and tweaked the SonicWall VPN settings in the hope of a remedy.

Options on the SonicWall such as “Enable IKE Dead Peer Detection” and “Enable Keep Alive” were toggled on and off in an attempt to fix the VPN traffic flow problem.

Interestingly, during troubleshooting we found that if we manually restarted the VPN tunnel, traffic would resume with no issue – but obviously this was hardly a practical fix.

Liaising with the other site, we also experimented with the Phase 1 and Phase 2 lifetime settings, with no success.

It was then that we had a small eureka moment: we decided to check the time servers each firewall referenced. It transpired that the NTP server referenced by the Cisco firewall was out of sync (it was an internally hosted NTP server).

After the offending NTP server had been re-synced, we decided to completely recreate the VPN tunnel, double-checking the settings as we went along. With hindsight the symptom makes sense: a significant clock skew between the peers can cause problems when the security associations are renegotiated. The tunnel came up with no issues and has been stable ever since.

I would add that if we encounter a problem like this again, I would simply point both firewalls at the same NTP server; but as one of the firewalls in this case was managed by a third party, this was not an option.
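Since the root cause here was clock drift, it is worth checking each firewall's time source before rebuilding a tunnel. Below is a minimal sketch (Python, standard library only, not anything we ran at the time) of a basic SNTP client query that reports a server's clock offset against the local machine; the server name in the usage comment is just a placeholder.

```python
import socket
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01)
NTP_TO_UNIX = 2208988800


def sntp_transmit_time(packet: bytes) -> float:
    """Extract the server's transmit timestamp (bytes 40-47) as Unix time."""
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return seconds - NTP_TO_UNIX + fraction / 2**32


def query_clock_offset(server: str, timeout: float = 2.0) -> float:
    """Send a basic SNTP client request; return server time minus local time."""
    request = b"\x1b" + 47 * b"\x00"  # LI=0, version 3, mode 3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, 123))
        packet, _ = sock.recvfrom(512)
    return sntp_transmit_time(packet) - time.time()


# Example usage (requires network access; host name is a placeholder):
#   offset = query_clock_offset("pool.ntp.org")
#   print(f"clock offset vs local time: {offset:+.3f} s")
```

A large offset on either peer's time source is the kind of discrepancy that would have pointed us at the answer much sooner.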

vSphere HA agent for host [Host’s Name] has an error in [Cluster’s Name] in [Datacenter’s Name]: vSphere HA agent cannot be correctly installed or configured

Here’s a lesson in checking the basics! I added a new ESXi 5 host to a cluster today and spent a good couple of hours troubleshooting the error:

vSphere HA agent for host [Host’s Name] has an error in [Cluster’s Name] in [Datacenter’s Name]: vSphere HA agent cannot be correctly installed or configured

After a few basic checks – migrating the host in and out of the cluster and rebooting – I headed off to Google and began troubleshooting.

Cannot install the vSphere HA (FDM) agent on an ESXi host – this article suggests that the host is in lockdown mode. This was unlikely, since we don’t use lockdown mode, but I checked anyway:

Get-vmhost | select Name,@{N="LockDown";E={$_.Extensiondata.Config.adminDisabled}} | ft -auto Name,LockDown

This returned false – no lockdown.

To exit lockdown mode, you can use:

(get-vmhost | get-view).ExitLockdownMode()

I spent a good amount of time going through the list on Troubleshooting VMware High Availability (HA) in vSphere which isn’t entirely ESXi relevant but has some good pointers nonetheless.

I finally got to Reconfiguring HA (FDM) on a cluster fails with the error: Operation timed out, with the following gem of info:

This issue occurs if the vSphere High Availability Agent service on the ESXi host is stopped.

*Facepalm* – I checked the host’s services and set the vSphere High Availability Agent service to start and stop automatically. HA is now happily configured.

No matter how much you know, you gotta check the basics!


vMA 5: Cannot initialize property ‘vami.DNS0.vSphere_Management_Assistant_(vMA)’

Just a quick post regarding the vSphere Management Assistant 5 – when deploying the vMA with a static IP address, you might see the following error:

vMA Error

Power On virtual machine <VM name>: Cannot initialize property ‘vami.DNS0.vSphere_Management_Assistant_(vMA)’, since network ‘<network name>’ has no associated IP pool configuration.

Edit the vMA virtual machine’s properties, go to Options > vApp Options and select Disable. Acknowledge the warning and click OK to close the VM properties.

Disable vApp Options

The vMA booted fine after that – the solution comes from this VMware Communities post.


VMware ESXi Maximum paths includes local storage

If you are close to the VMware ESXi storage path limit of 1024 paths per host, be aware of the following: local storage, including CD-ROM drives, is counted in your total paths.

Simply because of the size and age of the environment, some of our production clusters have now reached the limit (including local paths) – you will see this message in the logs:

[2012-08-20 01:48:52.256 77C3DB90 info 'ha-eventmgr'] Event 2003 : The maximum number of supported paths of 1024 has been reached. Path vmhba3:C0:T4:L0 could not be added.
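One quick way to gauge how close a host is to the limit is to count the runtime path names (the `vmhba3:C0:T4:L0`-style identifiers, as seen in the log line above) in whatever path listing or log extract you have to hand. The sketch below is an illustrative Python helper, not a VMware tool; the sample input is made up to show the idea that a local CD-ROM path counts just like a SAN path.

```python
import re
from collections import Counter

# Matches runtime path names like vmhba3:C0:T4:L0 (adapter:channel:target:LUN)
PATH_RE = re.compile(r"\bvmhba(\d+):C(\d+):T(\d+):L(\d+)\b")


def count_paths(text: str) -> Counter:
    """Count unique storage path names per adapter in a text listing."""
    per_adapter = Counter()
    seen = set()
    for match in PATH_RE.finditer(text):
        path = match.group(0)
        if path not in seen:  # ignore duplicate mentions of the same path
            seen.add(path)
            per_adapter[f"vmhba{match.group(1)}"] += 1
    return per_adapter


# Hypothetical sample: two SAN paths plus a local CD-ROM path, which also counts
sample = """
vmhba3:C0:T4:L0 state:active
vmhba3:C0:T5:L0 state:active
vmhba0:C0:T0:L0 state:active  (local CD-ROM)
"""

counts = count_paths(sample)
print(dict(counts))          # unique path count per adapter
print(sum(counts.values()))  # total counted against the 1024-path limit
```

Summing the per-adapter counts across all adapters – local ones included – gives the figure that is compared against the 1024-path ceiling.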
