Running bridged interfaces inside VMware ESXi

Patrick M. Hausen hausen at punkt.de
Tue Aug 14 11:04:47 UTC 2018


Hi all,

I'm trying to deploy our "proServer" setup inside a VM that is unfortunately not controlled by us.

Problem is that I can connect to and ping the host (i.e. FreeBSD running in the hypervisor VM),
but network connectivity to a jail using VIMAGE and a bridged interface with iocage is enervatingly
flaky without a clearly visible pattern - at least to me.

The VMware port group has forged transmits, MAC address changes and promiscuous mode in the
guest allowed, of course.

Symptoms are:

* Jail booted - not reachable from the outside
* Iocage console into the jail, ping system at some remote location - works
* While that ping is running, connections from the outside *somewhat* work
* Up to the point where you can SSH into the jail, but then suddenly
  packets are dropped again

The admin of the central (Cisco ASA) firewall at the remote site was
so cooperative as to open my host (VM) and the jail transparently and
disable (so he said) all IDS/IPS/deep-whatever functions for my two
target addresses.

I suspect problems with ARP (all IPv4 over there :-/), but I can only tcpdump
inside my VM, no access to a packet trace on the wire.

We have that very same setup running in VMware in various environments.
Some even maintained by someone else just like in this case.
This is the first one not "just working". VMware multipathing getting in the way?

I think I know my way around these issues quite well, so I'm rather puzzled
now, and I start to think I'm missing something "too obvious". Has anybody
ever seen a problem like this? I'm simply running out of ideas at the moment ...

Thanks,
Patrick
-- 
punkt.de GmbH			Internet - Services - Consulting
Kaiserallee 13a			Tel.: 0721 9109-0 Fax: -100
76133 Karlsruhe			info at punkt.de	http://punkt.de
AG Mannheim 108285		Managing director: Juergen Egeling
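Added diagnostic for the ARP suspicion above (example code, not from the post or from iocage): it reads `tcpdump -n -e -i bridge0 arp` output captured inside the VM, pairs each target IP's requests with the replies that left the bridge, and flags targets whose requester keeps re-asking right after a reply went out, which would mean the reply leaves the guest but never reaches the wire. The sample lines, addresses, MACs and the interface name `bridge0` are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample shaped like `tcpdump -n -e -i bridge0 arp` output, not a real capture.
# Assumed roles: 192.0.2.1 upstream gateway, 192.0.2.10 the VM itself (vNIC 00:50:56:aa:bb:02),
# 192.0.2.20 the jail behind the bridge, answering from its epair MAC 02:ff:60:00:00:01.
SAMPLE = """\
10:00:01.000100 00:50:56:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.10 tell 192.0.2.1, length 46
10:00:01.000200 00:50:56:aa:bb:02 > 00:50:56:aa:bb:01, ethertype ARP (0x0806), length 42: Reply 192.0.2.10 is-at 00:50:56:aa:bb:02, length 28
10:00:05.000100 00:50:56:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.20 tell 192.0.2.1, length 46
10:00:05.000250 02:ff:60:00:00:01 > 00:50:56:aa:bb:01, ethertype ARP (0x0806), length 42: Reply 192.0.2.20 is-at 02:ff:60:00:00:01, length 28
10:00:06.000100 00:50:56:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.20 tell 192.0.2.1, length 46
10:00:07.000100 00:50:56:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.20 tell 192.0.2.1, length 46
"""

REQ = re.compile(r"^(\S+) .*Request who-has (\S+) tell ")
REP = re.compile(r"^(\S+) .*Reply (\S+) is-at ([0-9a-fA-F:]+)")

def to_seconds(ts):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def arp_summary(text, window=10.0):
    """Per target IP: requests seen, replies sent, reply source MACs, and 'reasked' =
    requests that arrived within `window` seconds after a reply for that IP had
    already gone out on the bridge."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0, "reasked": 0, "macs": set()})
    last_reply = {}
    for line in text.splitlines():
        if m := REQ.match(line):
            t, ip = to_seconds(m.group(1)), m.group(2)
            stats[ip]["requests"] += 1
            if ip in last_reply and t - last_reply[ip] <= window:
                stats[ip]["reasked"] += 1
        elif m := REP.match(line):
            t, ip, mac = to_seconds(m.group(1)), m.group(2), m.group(3)
            stats[ip]["replies"] += 1
            stats[ip]["macs"].add(mac)
            last_reply[ip] = t
    return dict(stats)

def suspect_dropped_replies(text, window=10.0):
    """IPs whose replies left the bridge but whose requester kept asking anyway.
    Seen from inside the VM, that points at frames lost between vNIC and wire
    (such as a reply sourced from a MAC the port group refuses), not at the jail."""
    return sorted(ip for ip, s in arp_summary(text, window).items()
                  if s["replies"] and s["reasked"])
```

Feed it a real capture with `tcpdump -n -e -i bridge0 arp` piped to a file and check whether the jail's address shows up while the host's does not; a reply MAC that differs from the vNIC MAC is the detail to compare against the port group's forged-transmit setting.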