Barracuda SSL VPN

Why can’t I ping my network devices when logged into the Network Connector on my Barracuda SSL VPN Vx?

  • Type: Knowledgebase
  • Date changed: 4 years ago

Solution #00004964

 

Scope:

Applies to Barracuda SSL VPN.

 

Answer:


VMware ESX/ESXi

---------------------------

If you have set up your Barracuda SSL VPN on VMware ESXi, you must enable Promiscuous Mode to be able to ping network devices when logged in with Network Connector. Promiscuous Mode is configured in the VMware vSphere client:


Enabling Promiscuous Mode for VMware vSwitches


1. Log into the vSphere client and select the ESX host.

2. Choose the “Configuration Tab” and then “Networking” in the Hardware area.

3. The Virtual Switch summary page will appear.

4. Click on the “Properties” link.


This opens a window that allows you to modify the vSwitch configuration by port group. All the port groups on the “Ports” page are virtual. The items on the “Network Adapters” tab are the real physical NICs in the server. By highlighting a port group, you can see a summary of its settings. The default setting for Promiscuous Mode is "Reject" (turned off).


5. Create a new Port Group by pressing the “Add” button. The Add Network Wizard dialog will appear.

6. Select “Virtual Machine” and press Next.

7. Enter a name, set the VLAN to 4095 and press Next. This is a special VMware VLAN that listens to all other VLANs.

8. Press “Finish” to complete setup of your Promiscuous Mode port group.

9. Set the Port Group to Promiscuous Mode by highlighting your new Port Group and selecting “Edit”.

10. Select the “Security” tab, then select “Promiscuous Mode” and set the value to “Accept”.

11. Select “OK”.


Now set the SSL VPN virtual machine to use this new Network.


1. Right-click the SSL VPN VM and select Edit Settings.

2. Select the Network Adapter in the Hardware tab.

3. Using the dropdown on the right in the Network Connection section, select the new Network interface.

4. Click OK.



WARNING: More than one physical NIC in the vSwitch

--------------------------------------------------

You may see issues where network connectivity seems intermittent: pings work on some connections but not on others.


We have discovered that when there is more than one physical NIC in the vSwitch, the OS that the SSL VPN runs on is never presented with the packet at all for about half of the IPs that are pinged. This suggests that VMware's promiscuous mode support is not forwarding all packets to the interface as it should.


The moment the vSwitch is reconfigured with only 1 NIC, the connection works perfectly. 


This is true even if the second NIC is in standby mode, load balanced, etc. There is no workaround other than having only a single NIC configured. This is not specific to ESX clusters; it relates to ESX in general.


So the recommendation is to only have a single NIC configured in the VMware vSwitch that the SSL VPN uses.


Once you have changed the settings above, you will be able to reconnect using Network Connector and ping your internal devices.
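To check the result of the steps above from a script, the following added example (not part of the original article and not Barracuda's own tooling) uses VMware PowerCLI to report, for each network adapter of the SSL VPN VM, whether its port group accepts Promiscuous Mode, whether it uses VLAN 4095, and whether its vSwitch has exactly one physical NIC. It assumes an existing `Connect-VIServer` session and a standard vSwitch; the VM name `SSLVPN-Vx` is a placeholder.

```powershell
# Added example, not Barracuda's code. Requires VMware PowerCLI and an
# already established Connect-VIServer session.
param(
    [string]$VmName = 'SSLVPN-Vx'   # placeholder VM name (assumption)
)

$vm     = Get-VM -Name $VmName -ErrorAction Stop
$vmHost = $vm.VMHost

foreach ($nic in Get-NetworkAdapter -VM $vm) {
    # Resolve the standard-vSwitch port group this adapter is attached to.
    $pg = Get-VirtualPortGroup -VMHost $vmHost -Name $nic.NetworkName `
              -Standard -ErrorAction SilentlyContinue
    if (-not $pg) {
        Write-Warning ("{0}: '{1}' is not a standard port group on {2}" -f `
            $nic.Name, $nic.NetworkName, $vmHost.Name)
        continue
    }

    # Security policy of the port group (step 10 sets Promiscuous Mode to Accept).
    $policy  = Get-SecurityPolicy -VirtualPortGroup $pg

    # Physical NICs (uplinks) of the vSwitch behind the port group.
    $vswitch = Get-VirtualSwitch -VMHost $vmHost -Name $pg.VirtualSwitchName -Standard
    $uplinks = @($vswitch.Nic)

    [pscustomobject]@{
        Adapter       = $nic.Name
        PortGroup     = $pg.Name
        VSwitch       = $vswitch.Name
        Uplinks       = $uplinks -join ','
        VLanId        = $pg.VLanId
        # The three conditions this article describes:
        PromiscuousOk = [bool]$policy.AllowPromiscuous   # "Accept"
        Vlan4095      = ($pg.VLanId -eq 4095)            # step 7
        SingleUplink  = ($uplinks.Count -eq 1)           # single-NIC recommendation
    }
}
```

A row where `SingleUplink` is false matches the intermittent-ping condition described in the warning above.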


Microsoft Hyper-V

-----------------

Hyper-V 2008 R2: 

  1. Shut down the VM from the appliance UI on port 8000/8443 
  2. Open Hyper-V Manager 
  3. Open the Virtual Machine settings dialog for the SSL VPN VM 
  4. Select the "Network Adapter" node in the tree on the left of the window 
  5. Tick the "Enable spoofing of MAC addresses" box on the right of the window 
  6. Click "OK" to save the changes 
  7. Start the VM from Hyper-V Manager 

Hyper-V 2012:

  1. Open Hyper-V Manager 
  2. Open the Virtual Machine settings dialog for the SSL VPN VM 
  3. Expand the "Network Adapter" node in the tree on the left of the window by clicking the plus symbol 
  4. Select "Advanced Features" 
  5. Tick the "Enable spoofing of MAC addresses" box on the right of the window 
  6. Click "OK" to save the changes 

Note: Under Hyper-V 2012 it is not necessary to shut down the virtual machine first; this change can be made to a running VM.

Once this change has been made, Network Connector should begin to function correctly in the same way it would on a physical appliance, or on a virtual appliance hosted on VMware, Xen, or VirtualBox.

 

Link to this page:

https://campus.barracuda.com/solution/50160000000IIdZAAW