Skip to main content

Failure of vShield Edge NAT/VPN Traffic Post-5.1 Upgrade

UPDATE: Turns out this is a known issue during the 1.5 > 5.1 VSM upgrade and a fix should be released in an upcoming patch.

That's about the shortest title I could think of to be descriptive of this issue. TLDR is that NAT rules on vShield Edge appliances appear to be causing unexpected behavior on VPN traffic after a vCloud upgrade from 1.5 to 5.1.
Background: We recently upgraded from 1.5 to 5.1. For most of our vDCs, we simply have a single vSE/Routed network that connects a private subnet to a "WAN" network and pulls a public IP from a pool. We forward (NAT) and allow (firewall) selected ports (e.g. 3389 for RDP) to virtual machines. Most of these networks also have a site-to-site VPN tunnel with a physical firewall across the internet. After the upgrade, we went and converted our rules to match on original IP and then enabled "multiple interfaces" - effectively taking them out of compatibility mode. Everything looked good (even for the vSE devices still in compatibility mode)
Issue: We first noticed this when a client reported that they could not access a virtual machine via RDP using it's internal (VSE protected) IP across a VPN tunnel, but could access the VM via RDP using it's public hostname/IP address. We allow all traffic across the VPN (firewall has an any:any rule for VPN traffic). When we logged in to troubleshoot (simply thinking the VPN was down), we found that we could connect to any port on the remote VM across the VPN tunnel except 3389. I could ping from the local subnet to the troubled VM on the vApp network with no problem. I could connect to other ports that were open on the remote VM with no problem. I could not connect to 3389 across the VPN.
We thought it might be isolated, but found the issue on every VSE we have: If there existed a DNAT rule to translate inbound traffic for a particular port, that port would be unresponsive when traffic traversed the VPN tunnel destined for the target of the DNAT rule.

While vCloud Director doesn't show anything strange in the firewall section of vSE configuration, if you log in to vShield Manager and look at the firewall rules there, a "Deny" rule with the private/internal/translated IP is added for any NAT rule that exists:


This, I'm assuming, is for security reasons during the upgrade but it does not show up in vCloud Director (thus our confusion). After taking our appliances out of compatibility mode post-upgrade, the rules were still there.

Solution:  After the vSE is out of compatibility mode (see pg. 49 of the vCD 5.1 Install Guide), re-apply the service configuration (Right-Click vShield Edge Appliance in vCloud Director and select "Re-Apply Service Configuration"). You can also re-deploy the appliance or add an arbitrary rule to the firewall list - both appear to have the same effect.
Labels:

Comments

  1. Muhammad AmirApril 2, 2013 at 1:50 AM

    Everything looked good (even for the anonymous vSE devices still in compatibility mode)

    ReplyDelete
  2. Adiba AlamNovember 9, 2016 at 7:02 AM

    VPN is offered to remote workplaces and individual clients with the goal that they can get to the system of the association in a successful way.buy vpn online

    ReplyDelete
  3. historypakJanuary 13, 2017 at 7:02 AM

    Great Information sharing .. I am very happy to read this article .. thanks for giving us go through info.Fantastic nice. I appreciate this post. private internet access review

    ReplyDelete
  4. alex markJuly 2, 2017 at 4:52 AM

    The tips said in this article ought to have the capacity to enable you to pick the best VPN supplier. It is perfect to have a rundown of a couple of VPN suppliers. To pick the best specialist organization, you have to consider every one of the tips specified above while evaluating the shortlisted specialist organizations.VPN service

    ReplyDelete
  5. mr khanAugust 23, 2017 at 7:18 AM

    While free VPN services are good, the amount of security that they offer is questionable and you are only provided with a small list of servers to choose from. Moreover, the features of the VPN service are also limited.utorrent

    ReplyDelete
  6. Adiba AlamOctober 23, 2017 at 3:16 AM

    What is VPN? VPN is a shortened form for virtual private system. It can be characterized as the strategy that is generally connected to add to the protection and the security into people in general and private systems, the web and Wi-Fi hotspots. read

    ReplyDelete
  7. JenniNovember 18, 2017 at 7:27 AM

    How effective the VPN server is will significantly affect the speed.india vpn proxy

    ReplyDelete
  8. MSHABBERDecember 8, 2017 at 11:06 PM

    I appreciated your work very thanks online
    Thanks for sharing nice information with us. i like your post and all you share with us is uptodate and quite informative, i would like to bookmark the page so i can come here again to read you, as you have done a wonderful job. online

    ReplyDelete
  9. Richard C. LambertJanuary 13, 2018 at 5:31 AM

    This is very educational content and written well for a change. It's nice to see that some people still understand how to write a quality post! convert psd to wordpress theme

    ReplyDelete
  10. SmithMay 26, 2018 at 3:16 AM

    This comment has been removed by the author.

    ReplyDelete
  11. ArianaJune 5, 2018 at 10:59 AM

    Also,https://novavpn.com/blog/yify/ running your VPN straightforwardly on a quicker CPU PC brings down the association time and consequently making your VPN speed to be speedier, than running the VPN on a switch.

    ReplyDelete
  12. James harperSeptember 24, 2018 at 7:28 AM

    Persons appreciate shopping for amazing, appealing, fascinating and from time to time attractive aromas for them selves and pertaining to others. This can be executed conveniently along with inexpensively in an on-line perfume shop. diebestenvpn

    ReplyDelete
  13. Ella lilySeptember 27, 2018 at 1:54 PM

    Waow this is quite pleasant article, my sister love to read such type of post, I am going to tell her and bookmarking this webpage. Thanks https://prywatnoscwsieci.pl

    ReplyDelete
  14. mona martinOctober 8, 2018 at 4:11 PM

    Thank you again for all the knowledge you distribute,Good post. I was very interested in the article, it's quite inspiring I should admit. I like visiting you site since I always come across interesting articles like this one.Great Job, I greatly appreciate that.Do Keep sharing! Regards, diadiktiokaiasfalia

    ReplyDelete
  15. Jims lindaOctober 13, 2018 at 7:51 AM

    So luck to come across your excellent blog. Your blog brings me a great deal of fun.. Good luck with the site. lemigliorivpn

    ReplyDelete
  16. royNovember 13, 2018 at 2:58 AM

    Corporates utilize it to impart in secrecy video, voice or information over an open system.https://www.router-reset.com/does-avast-vpn-keep-logs/

    ReplyDelete
  17. Mo.Groups CompanyNovember 15, 2018 at 4:40 AM

    For other helpful tips & tricks, or to submit your own question to be answered, visit my site at, http://whatsmyrouterip.com/.

    ReplyDelete
  18. Ethan RyanNovember 25, 2018 at 6:02 PM

    I've been contemplating composing an extremely tantamount post in the course of the last couple of weeks, I'll most likely keep it straightforward and connection to this rather if thats cool. Much obliged vpnveteran.com

    ReplyDelete
  19. Baba CharsiJanuary 7, 2019 at 11:24 AM

    This blog has communicated its importance in a short yet clear way, so compact.
    best VPN service

    ReplyDelete
  20. MarryJanuary 29, 2019 at 12:35 PM

    It is likewise a decent choice when workers are dissipated everywhere throughout the globe. VPN for privacy

    ReplyDelete
  21. Emmalin 2February 13, 2019 at 10:44 AM

    This comment has been removed by the author.

    ReplyDelete
  22. Emma johnFebruary 22, 2019 at 4:12 PM

    Wow, this is really interesting reading. I am glad I found this and got to read it. Great job on this content. I like it. https://allertaprivacy.it

    ReplyDelete
  23. Michael SmithApril 26, 2019 at 6:10 PM

    I recently came across your article and have been reading along. I want to express my admiration of your writing skill and ability to make readers read from the beginning to the end. I would like to read newer posts and to share my thoughts with you. deze website

    ReplyDelete
  24. JamesSeptember 30, 2019 at 4:04 AM

    The primary server is divided to work as free VPS. This gives you sole responsibility for space and gives you a limitation free server condition. This article examines four manners by which VPS improves your presentation and upgrades your business. cheap

    ReplyDelete

Post a Comment

Popular posts from this blog

Outlook Credential Prompt When Opening Exchange 2013 Public Folder

After completing an Exchange 2007 > 2013 migration recently, I was left with one issue that was preventing us from stamping the project as a roaring success and moving on:

Outlook 2013 users were sometimes receiving a single pop-up prompt for credentials whenever they opened the Public Folder (we have only one). One. Single. Prompt.

Google was frustratingly unhelpful because searching for "outlook prompts for username and password when opening public folders" or something similar just resulted in a lot of folks who were always getting a pop-up that wouldn't go away. It was usually caused by an authentication failure of some sort.

However, we were in a different boat - Users got the prompt once when they first launchedOutlook and opened their public folders, but after entering it they could continue - authentication worked. Next time they logged in to their PC, it would happen again. Not a show stopper, but it definitely generated its share of support calls.
9 comments
Read more

Repairing Mailbox Corruption in Exchange 2010

I recently got through recovering an SBS 2011 server after Active Directory face-planted in the middle of a workday. When I say recover, I mean I repeated the entire migration, using a cleaned up secondary DC - it was a fun weekend (expect another post about that experience). Although I thought we were in the clear, I got a call from the client about 24 hours after we had verified everything was working. He indicated that his iPhone had suddenly stopped receiving mail in the inbox (calendar, contacts, sent items were still fine) and throws up an error after spinning in circles for a few minutes that it "cannot connect to mail server".
12 comments
Read more

SCEP Policy Update Troubleshooting

Because I'm a glutton for punishment, I recently started rolling out System Center Configuration Manager 2012 R2 SP1 and System Center Endpoint Protection across our VDI environment. There are always some considerations to be made in a pooled desktop / gold image type environment when loading software that uniquely identifies devices, but lucky for me SCCM/SCEP handled this just fine without any tweaking. However, there were some nuances to how SCEP policies are applied that caused some serious hair-pulling before I spotted the issues.

2 comments
Read more