SRX Services Gateway

Connecting to vCenter Server, Unable to connect to the MKS: Failed to connect to server xxx.xxx.xxx.xxx:902 [DESTINATION NAT]

[ Edited ]
‎03-25-2014 12:51 PM

Here's my network topology:

[Image: ijhygf.png]
WHAT I WANT TO ACHIEVE: access virtual machines from a remote network, be able to manage them through vCenter Server, run them, and see the VMs' consoles (what's happening inside every VM, as I can see in my local network).

WHAT I HAVE SO FAR: at the moment I'm able to successfully connect from my computer in the remote network to vCenter Server, which is a virtual machine on one of my ESXi hosts. vCenter Server is the VM on ESXi 1; its IP address is 172.16.254.112/24.

WHAT I DID: I forwarded some ports on my JSRX router (1.1.1.2:443 to 172.16.254.112:443) using this:

edit security
set zones security-zone trust address-book address accessvsphere 172.16.254.112/32
exit

edit security policies from-zone untrust to-zone trust
set policy vspherepolicy match source-address any destination-address [ accessvsphere ] application any
set policy vspherepolicy then permit
exit

edit security nat destination
set pool dst-nat-pool-vsphere address 172.16.254.112 port 443
set rule-set rs1 from zone untrust
set rule-set rs1 rule myrule1 match destination-address 1.1.1.2
set rule-set rs1 rule myrule1 match destination-port 443
set rule-set rs1 rule myrule1 then destination-nat pool dst-nat-pool-vsphere
exit

edit security nat
set proxy-arp interface ge-0/0/0.0 address 1.1.1.2

And it works great, I can connect to vCenter Server, but when I try to launch a virtual machine I see only a black screen and the message: Unable to connect to the MKS: Failed to connect to server 172.16.254.11:902.

I read that vCenter Server also needs ports 902 and 903 for full connectivity, but I have no idea how to go further. Which ports do I need to forward, and how?


Re: Connecting to vCenter Server, Unable to connect to the MKS: Failed to connect to server xxx.xxx.xxx.xxx:902 [DESTINATION NAT]

‎03-26-2014 07:46 AM

Your problem comes from not passing traffic on port 902 (903 may be required as well). Your security policy is allowing it, but not your NAT.

Take a look at http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=749640... it may provide a little more information, but I believe if you set up a NAT for 902/903 just as you did for 443, things will work.

Dustin

VCP-4/5, JNCIS-SEC, JNCIP-ENT

Re: Connecting to vCenter Server, Unable to connect to the MKS: Failed to connect to server xxx.xxx.xxx.xxx:902 [DESTINATION NAT]

‎03-26-2014 07:53 AM

Hi,

Are you using VCloud Director? If so then VCenter should proxy the connection for you, otherwise I think 902 must be open end to end. I had a look on my own Client workstation and it opened a connection to port 902 on the ESXi host.

Pretty easy to test though, just set up another NAT rule as follows:

edit security nat destination
set pool dst-nat-pool-vsphere-902 address 172.16.254.112 port 902
set rule-set rs1 from zone untrust
set rule-set rs1 rule myrule2 match destination-address 1.1.1.2
set rule-set rs1 rule myrule2 match destination-port 902
set rule-set rs1 rule myrule2 then destination-nat pool dst-nat-pool-vsphere-902

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]

Re: Connecting to vCenter Server, Unable to connect to the MKS: Failed to connect to server xxx.xxx.xxx.xxx:902 [DESTINATION NAT]

‎04-02-2014 12:13 AM

Thanks, @


Re: Connecting to vCenter Server, Unable to connect to the MKS: Failed to connect to server xxx.xxx.xxx.xxx:902 [DESTINATION NAT]

[ Edited ]
‎04-02-2014 01:20 AM

Hi,

I made a mistake above, and as you are not using VCloud Director, the VCenter server will not proxy the port requests for you, I think.

Can you telnet to your ESX host on port 902 from the client?

telnet 172.16.254.11 902

Are the clients connecting from outside the network, for example a home network? If so, you may not easily be able to achieve this; maybe it is better just opening RDP or something into your VCenter or management server and moving around from there?

If the clients are on the same network (as in the traffic isn't traversing the wilds of the internet or a WAN) then try the below. Also, I use any here, but you probably only need port 902 open to the ESXi hosts, so maybe create a separate policy after testing.

set zones security-zone trust address-book address accessvsphere 172.16.254.112/32
set zones security-zone trust address-book address esxi1 172.16.254.11/32
set zones security-zone trust address-book address esxi2 172.16.254.12/32
set zones security-zone trust address-book address esxi3 172.16.254.13/32

edit security policies from-zone untrust to-zone trust
set policy vspherepolicy match source-address any destination-address [ esxi1, esxi2, esxi3, accessvsphere ] application any
set policy vspherepolicy then log session-init
set policy vspherepolicy then permit

Also, maybe post your configuration so we can have a look.

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]

Re: Connecting to vCenter Server, Unable to connect to the MKS: Failed to connect to server xxx.xxx.xxx.xxx:902 [DESTINATION NAT]

[ Edited ]
‎07-03-2014 02:29 AM

Long time no see. Sorry guys, but I had so many problems those days and had no time for my JSRX. Also, I forgot my password, so I needed to create a new account.

Anyway, the problem came back and I had the same issue. I used the commands below as suggested, but still can't get to the VMs' console: (MKS: Failed to connect to server xxx.xxx.xxx.xxx:902)

edit security nat destination
set pool dst-nat-pool-443 address 172.16.254.112 port 443
set pool dst-nat-pool-902 address 172.16.254.112 port 902
set pool dst-nat-pool-903 address 172.16.254.112 port 903

set rule-set rs1 from zone untrust
set rule-set rs1 rule r1 match destination-address 1.1.1.2
set rule-set rs1 rule r1 match destination-port 443
set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-443

set rule-set rs1 from zone untrust
set rule-set rs1 rule r2 match destination-address 1.1.1.2
set rule-set rs1 rule r2 match destination-port 902
set rule-set rs1 rule r2 then destination-nat pool dst-nat-pool-902

set rule-set rs1 from zone untrust
set rule-set rs1 rule r3 match destination-address 1.1.1.2
set rule-set rs1 rule r3 match destination-port 903
set rule-set rs1 rule r3 then destination-nat pool dst-nat-pool-903
exit

edit security nat
set proxy-arp interface ge-0/0/0.0 address 1.1.1.2
exit

edit security
set zones security-zone trust address-book address vcenterserver 172.16.254.112/32
exit

edit security policies from-zone untrust to-zone trust
set policy cloud-access match source-address any destination-address [ vcenterserver ] application any
set policy cloud-access then permit
exit

edit security policies from-zone untrust to-zone trust
set policy cloud-access match source-address any destination-address [ vcenterserver ] application any
set policy cloud-access then permit
exit

commit confirmed 60

Here's my current configuration:


## Last commit: 2014-07-03 11:08:48 UTC by root
version 10.3R2.11;
system {
    host-name J-SRX210H;
    root-authentication {
        encrypted-password "$1$t91tMaHX$Of5kWRohQ.a/KpaT65Ag1/"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    login {
        user root {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$Ro9I8XrB$7NFRIgQR4ITuPbSFTjC7b."; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ vlan-trust LAN Management ];
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 2 {
            family inet {
                address 172.16.1.1/24;
            }
        }
        unit 254 {
            family inet {
                address 172.16.254.254/24;
            }
        }
    }
}
protocols {
    stp;
}
security {
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool dst-nat-pool-1 {
                address 172.16.254.112/32 port 443;
            }
            pool dst-nat-pool-2 {
                address 172.16.254.13/32 port 80;
            }
            pool dst-nat-pool-443 {
                address 172.16.254.112/32 port 443;
            }
            pool dst-nat-pool-902 {
                address 172.16.254.112/32 port 902;
            }
            pool dst-nat-pool-903 {
                address 172.16.254.112/32 port 903;
            }
            rule-set rs1 {
                from zone untrust;
                rule r1 {
                    match {
                        destination-address 1.1.1.2/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat pool dst-nat-pool-443;
                    }
                }
                rule r2 {
                    match {
                        destination-address 1.1.1.2/32;
                        destination-port 902;
                    }
                    then {
                        destination-nat pool dst-nat-pool-902;
                    }
                }
                rule r3 {
                    match {
                        destination-address 1.1.1.2/32;
                        destination-port 903;
                    }
                    then {
                        destination-nat pool dst-nat-pool-903;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    1.1.1.2/32;
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address vcenterserver 172.16.254.112/32;
                address esxiclient 172.16.254.13/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                vlan.254;
                vlan.2;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy cloud-access {
                match {
                    source-address any;
                    destination-address [ vcenterserver esxiclient ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
vlans {
    LAN {
        vlan-id 2;
        l3-interface vlan.2;
    }
    Management {
        vlan-id 254;
        l3-interface vlan.254;
    }
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}
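An added check, not part of this thread or of Junos itself: a small Python script that parses the brace-format `show configuration` output above, extracts every destination-NAT forward, and reports whether a given host:port is ever a NAT target. CONFIG is a constructed excerpt of the posted configuration (NAT section only); run against it, the port 902 forward lands on vCenter (172.16.254.112), while the MKS error in the first post names the ESXi host 172.16.254.11, which no pool in the rule-set points at.

```python
import re

# Constructed excerpt of the `show configuration` output posted in the thread;
# interfaces, zones and policies are left out because this check only reads NAT.
CONFIG = """
security { nat { destination {
    pool dst-nat-pool-443 { address 172.16.254.112/32 port 443; }
    pool dst-nat-pool-902 { address 172.16.254.112/32 port 902; }
    rule-set rs1 {
        from zone untrust;
        rule r1 { match { destination-address 1.1.1.2/32; destination-port 443; }
                  then { destination-nat pool dst-nat-pool-443; } }
        rule r2 { match { destination-address 1.1.1.2/32; destination-port 902; }
                  then { destination-nat pool dst-nat-pool-902; } }
    } } } }
"""

def parse_junos(text):
    """Parse Junos brace syntax into nested dicts; leaf statements map to None."""
    root = cur = {}
    stack, stmt = [], ""
    for tok in re.findall(r"[{};]|[^{};]+", re.sub(r"##.*", "", text)):
        if tok == "{":                 # open a child container under the pending statement
            stack.append(cur)
            cur[stmt.strip()] = cur = {}
        elif tok == "}":               # return to the parent container
            cur = stack.pop()
        elif tok == ";":               # terminate a leaf statement
            cur[stmt.strip()] = None
        else:
            stmt = tok
    return root

def dnat_map(cfg):
    """Return {(external ip, port): (internal ip, port)} for every destination-NAT rule."""
    dnat = cfg["security"]["nat"]["destination"]
    pools = {k.split()[1]: re.match(r"address ([\d.]+)\S* port (\d+)", next(iter(v))).groups()
             for k, v in dnat.items() if k.startswith("pool ")}
    out = {}
    for rs in (v for k, v in dnat.items() if k.startswith("rule-set ")):
        for k, rule in rs.items():
            if k.startswith("rule "):
                m = dict(s.split(" ", 1) for s in rule["match"])
                ip, port = pools[next(iter(rule["then"])).split()[-1]]
                out[(m["destination-address"].split("/")[0], int(m["destination-port"]))] = (ip, int(port))
    return out

def forwards_to(cfg, host, port):
    """True if some external address:port is translated to host:port by a destination-NAT rule."""
    return (host, port) in dnat_map(cfg).values()
```

Paste a full `show configuration` into CONFIG to audit a real device; a destination-NAT rule with no destination-port match raises KeyError, since this excerpt only handles port-specific rules like the ones in the thread.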