
networking - Secondary IPs on DMZ machines not working




I am moving some virtual machines from my DMZ in a bladecenter over to my new cisco UCS. We are using Hyper-V, and are running Server 2012 on the old bladecenter, and Server 2012r2 on the new UCS.



We have a Cisco ASA 5515 firewall, asa version 9.1(4), that is our gateway for both LAN and DMZ traffic.



In the old bladecenter, we have a virtual machine that exists in the DMZ, with one network interface configured. On this network interface, it has a primary IP, let's say 172.10.1.10, and some additional IPs configured, 172.10.1.11, 172.10.1.12.



All of these work, and route normally, no issues.



We migrated a machine from the bladecenter to the UCS, and have trouble now with its secondary IPs on the DMZ.




So this machine in the UCS exists in the DMZ, has one network interface configured with a primary IP, let's say 172.10.1.15, and secondary IPs 172.10.1.16, 172.10.1.17.



I can ping the primary IP (.15) from anywhere on the network. However I cannot ping (or connect in any way) to the secondary IPs (.16, .17) from anywhere except other machines in the UCS environment.



Important note:
I have a virtual machine on the UCS environment that is on my LAN. It has primary and secondary IPs that all work fine. For instance, its primary is 192.168.1.20, and it has secondaries of 192.168.1.21 and 192.168.1.22. I can hit .21 and .22 from everywhere.



The problem seems to only be with the DMZ secondary IPs in the UCS environment.




I do not think that it is a Windows/HyperV problem.



No configuration changes have been made to the ASA.



The UCS vendor is certain that it's not a problem in UCS.



Has anyone seen anything like this? Any suggestions are appreciated!



edit: added asa version




edit: if I tracert from a workstation to the primary IP, I get 1 hop, no problem. If I tracert to the secondary IP, it fails to route and I just get stars.



tracert 172.10.1.15
Tracing route to test.domain.com [172.10.1.15] over a maximum of 30 hops:
1 2 ms 1 ms <1 ms test.domain.com [172.10.1.15]
Trace complete.

tracert 172.10.1.16
Tracing route to test.domain.com [172.10.1.16] over a maximum of 30 hops:
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.



Edit: I can SSH into my ASA, and if I ping the DMZ machine in the bladecenter, primary and secondary IPs respond just fine. If I ping the DMZ machine in the UCS, primary IP responds, secondary IPs do not.



Edit: from the DMZ machine in the bladecenter, I cannot ping to primary or secondary DMZ IPs on systems in the UCS environment; however, I can ping FROM a DMZ machine in UCS TO a DMZ machine in the bladecenter, on primary and secondary IPs.



Edit: if I tracert from a system in the bladecenter, to a system in the UCS, I get this:



Tracing route to test.domain.com [172.10.1.15] over a maximum of 30 hops:
1 Server1 [172.10.1.10] reports: Destination host unreachable.
Trace complete.


DoubleEdit: to joeqwerty's question about ARP, I do see arp entries in the ASA for at least one set of primary and secondary IPs. Looks like if I swap the primary and secondary IP addresses on a server's NIC, it builds the ARP in the firewall and then it appears to work! But shouldn't the ASA be doing ARP for those secondary IPs anyway??


Answer



Thanks to joeqwerty who helped get me pointed in the right direction.



The problem was twofold: the ASA was not correctly creating ARP entries dynamically. We got that squared away, but then found that we also had a VLAN problem.
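The root cause above was a firewall ARP table that covered each host's primary IP but not its secondaries. The following check, added here as an example and not part of the original question or answer, compares the IPs a host is supposed to own against the ARP entries actually present on the firewall interface. The ARP output is constructed to mirror the symptom in the question; the MAC addresses are made up, and the assumed line layout (interface, IP, MAC, age) follows Cisco ASA `show arp`.

```python
"""Report host IPs (primary or secondary) with no ARP entry on the firewall.
Added example; the `show arp` sample below is constructed and the
interface/ip/mac/age column layout is an assumption about ASA output."""
import re

# Constructed sample of `show arp`: bladecenter host fully resolved,
# migrated UCS host resolved only for its primary IP (the symptom).
SHOW_ARP = """\
        dmz 172.10.1.10 0050.5680.0a01 37
        dmz 172.10.1.11 0050.5680.0a01 37
        dmz 172.10.1.12 0050.5680.0a01 37
        dmz 172.10.1.15 0050.5680.0f01 12
        inside 192.168.1.20 0050.5680.1401 5
        inside 192.168.1.21 0050.5680.1401 5
        inside 192.168.1.22 0050.5680.1401 5
"""

# Expected addresses per host and the firewall interface they sit behind.
EXPECTED = {
    "blade-dmz-vm": ("dmz", ["172.10.1.10", "172.10.1.11", "172.10.1.12"]),
    "ucs-dmz-vm": ("dmz", ["172.10.1.15", "172.10.1.16", "172.10.1.17"]),
    "ucs-lan-vm": ("inside", ["192.168.1.20", "192.168.1.21", "192.168.1.22"]),
}

ARP_LINE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<age>\S+)\s*$"
)

def parse_show_arp(text):
    """Return {(interface, ip): mac} for every line that parses as an ARP entry."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[(m["iface"], m["ip"])] = m["mac"]
    return table

def missing_arp(expected, table):
    """Return {host: [ips lacking an ARP entry on the host's expected interface]}."""
    gaps = {}
    for host, (iface, ips) in expected.items():
        missing = [ip for ip in ips if (iface, ip) not in table]
        if missing:
            gaps[host] = missing
    return gaps

if __name__ == "__main__":
    for host, ips in missing_arp(EXPECTED, parse_show_arp(SHOW_ARP)).items():
        print(f"{host}: no ARP entry for {', '.join(ips)}")
```

Run against a live `show arp` capture, a non-empty result for a host points at the firewall's ARP state (or the VLAN carrying the ARP replies) rather than at the guest or the hypervisor.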

