2008 Server R2 Virtual Server in VMWare ESXi environment Lost Internet Connection

    Question

  • Hi All,

    I've not found a direct explanation / solution for the following problem and I hope someone can help.

    We're running 8 Virtual Servers within a VMWare ESXi 5.0 environment.

    6 of the servers are running 2008 Server R2, one runs XP Pro and the last, 2003 Server.  The latter 2 machines will be retired once migrated leaving only 6 2008 virtual servers. All was running very well until two of the servers suddenly lost Internet connectivity.  One of the two affected machines is the PDC.  Network connectivity still exists for the affected machines but it's critical to get them reconnected to the internet.

    Here is what I've tried:

    1. Power down all virtual servers and cold shutdown of Physical machine and then restart

    2. Inspect, test and verify all settings in the SonicWall firewall appliance (with assistance from SonicWall Engineers)

    3. Power down all servers and restart in different sequences - i.e. start PDC first, followed by BDC etc.

    4. Cold power cycle the switch and the firewall appliance

    5. On affected servers, reset the IP configuration using the: netsh int ip reset c:\resetlog.txt

    6. Turn off all firewall settings in the servers' Control Panel

    I've seen some discussion about deleting the NIC inside VMWare but that doesn't seem logical and I want to avoid that unless there is no other alternative - I don't want to create a bigger problem.

    The physical machine is an HP ProLiant DL380 G7 with 40GB RAM, sufficient storage etc.; the NIC is a Broadcom NetXtreme II BCM5709 1000BaseT device.

    I would very much appreciate any input on this

    Thanks!

    Rob


    Thursday, August 22, 2013 6:19 PM

Answers

  • Greetings Dave,

    Many and sincere thanks for your interest to help. Interestingly enough, we believe we've solved the problem.

    After enlisting the help of a friend with a lot of experience using the SonicWall products, a long and critical second look at the firewall settings on the SonicWall NSA2000 revealed entries in the NAT rules and Access rules that were blocking access to the PDC.  This stood to reason as we'd been trying to implement VPN connectivity using a method prescribed by the good guys at SonicWall - not long before we noticed the Internet access failure.  It turns out that somewhere in the config process, a couple very small misconfigs were made and this resulted in the PDC losing access to anything outside the LAN environment.

    Firewall appliances are essential but I would advise anyone reading this that configuring a firewall appliance should be done with great caution and one should make use of all available tools for backing up the appliance PRIOR to making changes so if you encounter a problem, you can at least get back to a pre config stable state.

    To verify we were in the right direction, prior to cleaning up the firewall configs, we had to take a bit of a risk by changing the IP addresses on the affected machines (would not recommend this actually) but it did confirm that a different IP address caused access to the Internet to return immediately.

    It took some time but we cleaned everything out of the firewall appliance settings that we could challenge and only managed to temporarily break one connectivity (for Webmail) which we identified in post fix testing and then quickly restored.

    The learning is that we should have (as we normally do) backed up the SonicWall settings PRIOR to any changes - silly mistake actually.

    Finally, NEVER leave behind "guess" settings whilst trying to implement a communication functionality in a firewall - that is, any setting that is entered but doesn't ultimately result in the desired change on the network - those fragment configs are problems that will likely cause problems for you later.

    - Lesson learned...

    Thanks very much!

    Rob

    Sunday, August 25, 2013 7:07 AM
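
The check described in the answer above, comparing a pre-change backup with the live rules to find leftover entries, sketched as an added example that is not part of the original post. The rule records are a hypothetical simplified form (not SonicWall's export format), and the names and addresses are constructed.

```python
import ipaddress

# Constructed rule snapshots in a hypothetical, simplified form; this is NOT
# SonicWall's export format. BASELINE stands for the backup taken before the
# VPN work, CURRENT for the rules after it.
BASELINE = [
    {"name": "lan-to-wan-default", "action": "allow",
     "src": "192.168.1.0/24", "dst_zone": "WAN"},
    {"name": "webmail-inbound", "action": "allow",
     "src": "0.0.0.0/0", "dst_zone": "LAN"},
]
CURRENT = BASELINE + [
    # Leftover entries from a trial-and-error VPN setup (constructed).
    {"name": "vpn-test-1", "action": "deny",
     "src": "192.168.1.10/32", "dst_zone": "WAN"},
    {"name": "vpn-test-2", "action": "allow",
     "src": "10.8.0.0/24", "dst_zone": "LAN"},
]

def rule_key(rule):
    """Hashable identity of a rule: every field counts, so edits show up too."""
    return tuple(sorted(rule.items()))

def added_rules(baseline, current):
    """Rules present in `current` that the baseline snapshot does not contain."""
    known = {rule_key(r) for r in baseline}
    return [r for r in current if rule_key(r) not in known]

def rules_matching_host(rules, host_ip, dst_zone):
    """Rules whose source range covers host_ip for traffic toward dst_zone."""
    host = ipaddress.ip_address(host_ip)
    return [r for r in rules
            if r["dst_zone"] == dst_zone
            and host in ipaddress.ip_network(r["src"])]

def leftover_report(baseline, current, host_ip, dst_zone="WAN"):
    """Summarise drift from the baseline and which new rules touch one host."""
    added = added_rules(baseline, current)
    return {
        "added": [r["name"] for r in added],
        "removed": [r["name"] for r in added_rules(current, baseline)],
        "added_affecting_host": [
            r["name"] for r in rules_matching_host(added, host_ip, dst_zone)],
    }

if __name__ == "__main__":
    # The affected server's address is caught by a leftover rule...
    print(leftover_report(BASELINE, CURRENT, "192.168.1.10"))
    # ...while a different address is not, matching the IP-change observation.
    print(leftover_report(BASELINE, CURRENT, "192.168.1.50"))
```

Every name under "added" that does not correspond to a change that was meant to stay is a candidate for removal.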

All replies

  • Can you post unedited ipconfig /all of DNS/DC and a problem client?

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Friday, August 23, 2013 1:18 AM
  • Hi,

    I’m glad to hear that you have resolved the issue and thanks for sharing your solution in the forum. This will help others who face the same scenario resolve the issue quickly. If there is anything else I can do for you, please do not hesitate to let me know. I will be very happy to help.

    Best regards,

    Justin Gu

    Sunday, August 25, 2013 9:23 AM
    Moderator