VMware ESX and slow syscalls
We have 2 physical machines in the company. Both have the same HW configuration, with the same processor:
Intel(R) Xeon(R) CPU E5420 @ 2.50GHz
One runs a regular Linux, and on the second we run ESX, version 4.
On the ESX we have a Linux guest, which should be almost identical to the Linux on the first machine.
The kernel version is (a little old these days, but necessary because of an old project):
Linux x 2.4.21-53.ELhugemem #1 SMP Wed Nov 14 03:46:17 UTC 2007 i686 i686 i386 GNU/Linux
The problem is that the virtualized Linux runs slower. I have read that the overhead is about 8%, which is something I could live with. But the drop in performance can be seen with the naked eye.
I wrote 2 test programs:
The first was just some heavy work in user space (e.g. a giant loop counting numbers). Here the performance reduction is about 8-10%, which is fine.
The second program makes syscalls: "close(0);" in a loop. And that's where it isn't fine anymore:
Linux on real HW:
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 99.65    0.963257          10    100002     99999 close
  0.15    0.001403          33        43        41 open
  0.14    0.001368          34        40        36 stat64
  0.06    0.000566         566         1           execve
  0.00    0.000027           5         5           old_mmap
  0.00    0.000007           4         2           fstat64
  0.00    0.000006           1         6           read
  0.00    0.000006           6         1           munmap
  0.00    0.000004           4         1           uname
  0.00    0.000003           3         1           brk
------ ----------- ----------- --------- --------- ----------------
100.00    0.966647                100097    100076 total

real    0m4.613s
user    0m0.760s
sys     0m3.730s
Linux on ESX:
Process 14702 detached
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 77.76  17.1206772         182    100002     99999 close
  3.01    0.703602      703602         1           execve
  2.99    0.700382      700382         1           set_thread_area
  2.99    0.700337      700337         1           munmap
  2.99    0.700328      700328         1           uname
  2.99    0.700123      700123         1           read
  2.99    0.700108      700108         1           brk
  2.14    0.500571      100114         5           old_mmap
  1.71    0.400229      200115         2           fstat64
  0.43    0.100360       33453         3         1 open
------ ----------- ----------- --------- --------- ----------------
100.00   23.412812                100000    100018 total

real    0m48.434s
user    0m5.410s
sys     0m40.610s
The machine running on ESX spent 1200% more time doing the same thing.
Any ideas why this happens? It seems that the context switch into the kernel is very expensive for some reason.
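The two test programs described in the post, rewritten here as an added example (not the poster's code): a user-space loop and a close() loop on an already-closed descriptor, timed with clock_gettime rather than strace -c so the per-call figure excludes strace's own ptrace overhead. The function names, struct and LCG constants are mine.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

/* Results of one run: per-iteration cost of the user-space loop and of the
 * close() loop, in nanoseconds, plus how many close() calls failed with EBADF. */
struct bench_result {
    long   iterations;
    long   ebadf_errors;
    double user_ns_per_iter;
    double syscall_ns_per_call;
};

static double now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec * 1e9 + (double)ts.tv_nsec;
}

/* Test program 1: pure user-space work that never enters the kernel.
 * A volatile LCG accumulator (constants are arbitrary, chosen here) stops the
 * compiler from folding the loop away. */
unsigned long user_loop(long n)
{
    volatile unsigned long acc = 1;
    for (long i = 0; i < n; i++)
        acc = acc * 6364136223846793005UL + 1442695040888963407UL;
    return acc;
}

/* Test program 2: close(fd) n times. With fd already closed every call fails
 * with EBADF, so the only work measured is the user/kernel round trip, the
 * path that software virtualization (binary translation, shadow paging)
 * makes expensive. Returns the number of EBADF failures (should equal n). */
long close_loop(int fd, long n)
{
    long ebadf = 0;
    for (long i = 0; i < n; i++) {
        if (close(fd) == -1 && errno == EBADF)
            ebadf++;
    }
    return ebadf;
}

/* Runs both loops back to back with the same iteration count. Timing is done
 * with clock_gettime instead of strace -c: strace stops the tracee at every
 * syscall entry and exit via ptrace, which inflates per-call cost and
 * magnifies the gap shown in the strace tables above. */
struct bench_result run_bench(long n)
{
    struct bench_result r = { n, 0, 0.0, 0.0 };

    /* Take a private descriptor and close it so stdin (fd 0, as in the post)
     * stays usable; fall back to -1, which always yields EBADF. */
    int fd = dup(STDERR_FILENO);
    if (fd >= 0) close(fd); else fd = -1;

    double t0 = now_ns();
    user_loop(n);
    double t1 = now_ns();
    r.ebadf_errors = close_loop(fd, n);
    double t2 = now_ns();

    r.user_ns_per_iter    = (t1 - t0) / (double)n;
    r.syscall_ns_per_call = (t2 - t1) / (double)n;
    return r;
}

int main(int argc, char **argv)
{
    /* Default to roughly the call count the strace -c runs show (100002 close calls). */
    long n = argc > 1 ? atol(argv[1]) : 100000;
    struct bench_result r = run_bench(n);
    printf("%ld iterations\n", r.iterations);
    printf("user-space loop : %8.1f ns/iter\n", r.user_ns_per_iter);
    printf("close() syscall : %8.1f ns/call (%ld x EBADF)\n",
           r.syscall_ns_per_call, r.ebadf_errors);
    printf("syscall/user ratio: %.1fx\n", r.syscall_ns_per_call / r.user_ns_per_iter);
    return 0;
}
```

Run it on the bare-metal host and inside the guest with the same count; the ratio line is the number to compare, since it cancels out the clock and compiler differences between the two machines.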
You are right that EPT starts with Nehalem; Core 2 has no EPT.
As for your comment:
> We run the hugemem kernel because we have more than 4 GB of RAM. So I am
> thinking of using the hugemem kernel configuration as a base, but changing
> the 4g/4g split to a 3g/1g split.
Let me first point out that kernels other than hugemem (for example,
bigsmp) can handle up to 64 GB of memory, using PAE in 32-bit
mode.
Novell has some verbiage on this here
http://www.Novell.com/coolsolutions/tip/16262.html
that you can use.
I have not personally tried to switch hugemem to a 3/1 split (I did not
even know it could be done), so I can't say whether this will help or
not. But if it doesn't, the bigsmp kernel seems to meet your need
for memory addressability beyond 4 GB (and it is supported by VMware).
Good luck
OLE
Tags: VMware
Similar Questions
-
Does anyone have more information about the current support alert: "All of you who have upgraded, or are planning to upgrade to, ESX 3.5 Update 3 or ESXi 3.5 Update 3, please read KB article 1008130"?
The KB describes the possible symptoms and identifies the affected ESX 3.5 U3 version, but the resolution is a bit vague. I understand they are working on a fix, but:
Is it related to a specific build of U3?
Are there precautions we can take to minimize the risk?
What is the scope? My guess is that it is not very big, because 3.5 U3 has been out for a while and I know this support alert is recent.
Has anyone experienced this first hand... at what level... was it as indicated in the KB?
I haven't had symptoms on the hosts I have on 3.5 U3, but I have upgrades planned for several hosts this weekend and would like to know if I have to go through the painful process of cancelling or rescheduling.
3.5 has experimental round-robin load balancing, but I don't think that would count as a path failover.
You can force the LUN through a certain path; it might take a few attempts on a busy LUN because the load balancing cannot be changed while an I/O is pending (this is how iSCSI HW works). When you fail switches, that is nevertheless counted as a path failover, so I don't know how that comes into play re: this issue when no LUN uses this path.
For more safety perhaps you put a hold on:
DRS
SSH logins
Backups
Restores
Clones
Power on/off
etc, etc, etc.
while the path failovers are happening.
If a path fails on a single host, I would be surprised if it affects other hosts. Hosts will lock the file on the VMFS file system when they need to update metadata or write data; I think that should continue to work. However, if you take down a switch, you may have path failures on all of your hosts...
Ben
-
Minimum number of VMware ESX for a HA cluster
Can someone please detail the minimum number of vSphere hosts required for a HA cluster?
I'm planning an implementation of a VMware farm including a number of ESX hosts that will be split into two groups. The first group will include vSphere servers hosting virtual machines NOT required for DR via SRM. The second group will be VMware ESX hosts and VMs protected by SRM.
With respect to the SRM cluster, the number of virtual machines is minimal (5-6 virtual machines) and they can run on a single vSphere host. For HA I will include 2 vSphere hosts in this cluster. My question is therefore whether 2 VMware ESX hosts are OK for a HA cluster, because I'm not sure what the minimum number should be.
Any guidance is appreciated.
Thank you
> Can someone please detail the minimum number of hosts vsphere required for a HA cluster?
2 hosts.
---
MCITP: SA + WILL, VMware vExpert, VCP 3/4
-
VMware ESX does not recognize the local RAID volume
Hi all
We are running VMware ESX 3.5 Update 3 on an HP ProLiant DL380 G4 with a Smart Array 6i RAID controller (this is our test platform).
From the VI Client, it is not possible to add a datastore that corresponds to a local 200 GB RAID5 volume. I can see this disk in the "Storage adapters" section (path: vmhba0:1:0, LUN ID = 0).
We have updated the firmware on our server. Is there a compatibility problem between VMware ESX and such old hardware?
Thank you very much in advance for your help
Connect directly to the server and try to create this VMFS volume. I noticed on VC 2.5 that whenever I create a server and try, it does not see the space when I try to add storage.
Connecting directly to the ESX host with the VI Client works every time...
-
Need help to install Vmware ESXi and ESX 4.1 under VM in VMworkstation 7
I get an error when trying to install ESX 4.1 and ESXi 4.1 as a VM under VMware Workstation 7.1 running on Windows 7 32 bit, AMD Phenom 9500 Quad Core 2.2 GHz with 3 GB memory:
"No support level for the microcode for the stepping of the processor of AMD family 10h B2." Can someone guide me on what to do to work around this problem?
Thank you
the article below
-
ESX and VMware scripting Backend process...
Hi all
I am interested in hearing about the internal processes that run within the ESX Server. For example: what does ESX actually do when the user fires the rescan command esxcfg-rescan <vmhba>? Is there any script triggered when this command is fired? And the same for the backend processes of other ESX commands too. I want to bring myself up to date on these things. Hope someone here could give me a helping hand.
Regards
MRM
If you are interested in how ESX(i) works and some of its inner workings, you should take a look at some of the architecture documents/charts. These are available on VMworld if you have an account, and the majority from previous years should be free, except for the recent VMworld Europe/U.S.
Here is another good site with a collection of documents to help: http://vsphere-land.com/top-10-list/top-10-list-index.html
If you are only interested in some of the esxcfg-* commands, a good way to learn what they do and the parts of the system they touch is to download the vCLI/RCLI: http://engineering.ucsb.edu/~duonglt/vmware/#vmware_rcli
These commands are similar to those on classic ESX, are used to remotely manage/configure both ESX(i) hosts, and use the VI API http://www.vmware.com/support/developer/vc-sdk/visdk25pubs/ReferenceGuide/index.html
You can open each of these scripts and get a good understanding. Most of the classic esxcfg-* commands are compiled binaries which make internal calls to the system, but some are normal Perl/bash scripts such as esxcfg-rescan or vmware-cmd, and you can open these and take a look at what they do.
So it really depends on what you're trying to understand and how deep you want to go.
I hope that gives you an idea of where to go.
=========================================================================
William Lam
VMware vExpert 2009
Scripts for VMware ESX/ESXi and resources at: http://engineering.ucsb.edu/~duonglt/vmware/
If you find this information useful, please give points to "correct" or "useful".
-
VMware ESX 3.5 and MSCS
Hi all
I noticed the MSCS note in the release notes for ESX 3.5 indicating that it is not supported in this version
http://www.vmware.com/support/vi3/doc/vi3_esx35_vc25_rel_notes.html (about halfway down)
Is there an official answer as to why this is not supported? I'm running production systems on 3.0 in this scenario, and I fear that an upgrade will cause problems
Any help would be appreciated
3.5 Update 1 supports MSCS
Support for Microsoft Cluster Service (MSCS)
VMware ESX Server 3.5 Update 1 supports the Microsoft Cluster Service.
Support is similar to ESX Server 3.0.1 with the following additions:
- Windows 2003 64-bit and 32-bit guests are supported with MSCS.
- Boot from SAN for virtual machines using MSCS is now supported.
- Majority node set clusters with application-level replication (for
example, Exchange 2007 Cluster Continuous Replication (CCR)) are now
supported.
-
VMware ESX 3.5 and disabling cores
Hi all
We have a VMware ESX 3.5 U3 cluster that was built for a specific product with a licensing model that doesn't fit well with the virtual server model.
The basis of this cluster is 3 x HP BL465c G1 Dual Core servers with 16 GB of memory each. We're going to run out of memory, and I can't add memory without adding a CPU because of the architecture of AMD processors.
Adding more CPUs will have a big impact on licensing costs - again, not the VMware licenses.
What I want to do is add a second DC processor and then use the BIOS to disable half of the cores in each processor. This will allow me to add an extra 16 GB memory per server and stay within the limits of the license.
My question - has anyone disabled cores on a VMware ESX host, specifically after ESX has been installed? Is there anything that needs to be done?
I tested the core disabling function on a Windows Server and it did replace drivers, so I was wondering if VMware ESX would need similar updates / management.
TIA, Rob.
You'll be fine; apart from the fact that, yep, by adding the second CPU you will need an additional CPU licence, per-host ESX licensing doesn't mind.
If you have found this or any other answer useful please consider awarding points using the Helpful or Correct buttons
Tom Howarth
VMware communities user moderator
Blog: www.planetvm.net
-
PE2950, virtualization and VMware ESX 3.5.2 technology bios setting
I have a PE2950 with VMware ESX Server 3.5.2 installed.
Will enabling the "Virtualization Technology" BIOS setting (under CPU Information) cause problems with the operating system? (It was disabled when installing ESX on it – the default setting.)
-
VMware ESX server CPU use test alarm
Hi all
For a new client, I need to demonstrate the alarm and ticket logging functionality of the VMware ESX server monitoring settings:
- CPU usage of a VMW ESX server
- Memory usage of a VMW ESX server
So I reduced the threshold value for VMW ESX Server CPU usage to the following:
WARNING - 5% and STDev.warning - 0
I made this configuration two days ago, but still no alarm has been generated for this rule.
Help with creating a test of the above ESX metric alarm.
Hi - I ended up having to do such things in the past as well. I just built a virtual machine, added lots of processors and memory, then for the CPU I used the CPUBusy.vbs script from VMware (Google search for it) and loaded it up so that it began to max out the real physical processors... For memory, I just opened a massive text file in Wordpad and scrolled up and down in it. This gave me the circumstances to test the alarms; just don't do it during a busy time, or use some dev ESX servers... Danny Bravo
-
2808 LAG for use with VMware ESXi and Linux bonding
I posted last month about setting up LAG groups at work http://en.community.dell.com/support-forums/network-switches/f/866/t/19537080.aspx (I'll actually be implementing it this Saturday).
I decided to buy a 2808 for my ESXi server to get more aggregated connections to my personal iSCSI Linux server, but now I'm worried I might have made a mistake buying the 2808.
After looking in the manual I realized I may have been mistakenly assuming that the 2808 had STP and LACP, as I can't find LACP anywhere in the PDF file. I guess configuring my Linux machine for 802.3ad is out (I was hoping to use mode 4), so now for my home configuration I wonder (*1*) how I should configure my VMware NIC team and what bonding mode I should use on my Linux host? As for the section at the top (my work configuration) (*2*), I don't know what to do about the routing other than leaving it as 'route based on originating virtual port ID'? (This is how our other data centers are configured, but I'm waiting on my network admin, as the clustered ESXi hosts are configured with port channels on our Cisco switches.)
For home, I want to try to increase the bandwidth by using three NICs in each server; I was hoping this would work:
VMware: Route based on IP hash?
w/ Linux: balance-alb?
- VMware:
Before you begin: - The default load balancing policy is route based on originating virtual port ID. If the physical switch uses link aggregation, route based on IP hash load balancing should be used. For more information, see Host requirements for link aggregation for ESX and ESXi (1001938) and the VMware Virtual Networking Concepts guide.
- LACP support was introduced in vSphere 5.1 on distributed vSwitches and requires additional configuration. For more information, see Enabling or disabling LACP on an Uplink Port Group using the vSphere Web Client (2034277).
- Ensure that VLANs and the link aggregation protocol (if any) are correctly configured on the physical switch ports.
- Linux:
* Descriptions of bonding modes *
+ Mode 0 balance-rr: Round-robin policy: transmit packets in sequential order from the first available slave through the last. This mode provides load balancing and fault tolerance.
+ Mode 1 active-backup: Active-backup policy: only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. The bond's MAC address is externally visible on only one port (network adapter) to avoid confusing the switch. This mode provides fault tolerance. The primary option affects the behavior of this mode.
+ Mode 2 balance-xor: XOR policy: transmit based on [(source MAC address XOR'd with destination MAC address) modulo slave count]. This selects the same slave for each destination MAC address. This mode provides load balancing and fault tolerance.
+ Mode 3 broadcast: Broadcast policy: transmits everything on all slave interfaces. This mode provides fault tolerance.
+ Mode 4 802.3ad: IEEE 802.3ad dynamic link aggregation. Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification.
- Prerequisites:
- 1. Ethtool support in the base drivers for retrieving the speed and duplex of each slave.
- 2. A switch that supports IEEE 802.3ad dynamic link aggregation. Most switches will require some type of configuration to enable 802.3ad mode.
+ Mode 5 balance-tlb: Adaptive transmit load balancing: channel bonding that does not require any special switch support. Outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave.
- Prerequisite:
- 1. Ethtool support in the base drivers for retrieving the speed of each slave.
+ Mode 6 balance-alb: Adaptive load balancing: includes balance-tlb plus receive load balancing (rlb) for IPv4 traffic, and does not require any special switch support. Receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond, such that different peers use different hardware addresses for the server.
The nearest Dell topic I found useful was: http://en.community.dell.com/techcenter/networking/f/4454/t/19415629.aspx
My previous post was more concerned with VLAN tagging and spanning tree issues, but now I see I should have worried about LAG groups as well.
Any help would be appreciated, thanks in advance all :)
-
PS. http://i.dell.com/sites/doccontent/shared-content/data-sheets/en/Documents/dell-powerconnect-2800-series-spec_sheet.pdf says that the 2800 series supports LACP, so if I'm worrying about nothing on my iSCSI side please slap me in the face, but I guess even in this case I'm still not sure how to configure the ESXi host, because it does not support LACP without vSphere and my original configuration is a free version, so I have no vSphere web management needed to make the LACP change.
Not sure if it is of any use: Sample configuration of EtherChannel / Link Aggregation Control Protocol (LACP) with ESXi/ESX and Cisco/HP switches (1004048), but that's where I was basing the choice of IP hash from.
It must have layer 3 support to achieve IP hash; IP addressing is a layer 3 technology, so a 6200 series or higher, or the soon to be released N3000 series.
-
Cisco Secure ACS 4.2 on VMware ESX 4.0.
We must move a virtual machine running Cisco Secure ACS for Windows version 4.2 from ESX 3.5 to ESX 4.0.
Is this solution compatible and supported by Cisco?
Thank you.
Andrea
ACS for Windows 4.2 is not supported by Cisco when installed on VMware ESX 4.0, according to the following documentation:
Only ACS 5.1 is supported on ESX 4.0:
-
What is the best for VMware ESX 4.0
If I understand correctly, 4.2.1 for Windows only supports VMware ESX 3.0? And ACS 5.0 supports VMware ESX 4.0? Or is it a solution where the application is installed manually, competing with the hardware appliance?
Pls help?
ACS 5.1 is FCS and runs on ESX 4.0
-
Hello guys,
I've been running an old server that was installed as a test system on a Dell Optiplex GX620 workstation (32 bit).
During installation, I had to configure the file /usr/lib/vmware/installer/Core/TargetFilter.py to change the following line:
"return interface.GetInterfaceType() == ScsiInterface.SCSI_IFACE_TYPE_IDE" to:
"return interface.GetInterfaceType() == ScsiInterface.SCSI_IFACE_TYPE_ISCSI". With that it worked, and I have used it for 3 years now. However, right now I was hoping to get up to date with the latest patches and updates, and I do not know if I have ESX or ESXi, or what my last update was, and what it takes next.
I used this command to get the following result:
# vmware -v
VMware ESX Server 3i 3.5.0 build-207095
... I think the 3i says I have ESXi 3.5.0, but is build 207095 the same build as ESXi 3.5.0 patch 5?
If this is not the case, how should I update? What is the KB # I should download?
I can manage it using vSphere Client 5.5 and I can't SSH using PuTTY.
Note: When I run "# esxupdate --bundle=ESXe350-201302401-I-SG.zip update" from the folder where it sits in the datastore, nothing happens... just a new line scrolls.
Also...
# esxupdate query
<?xml version="1.0"?>
<query-response>
  <installed-packages>
    <package id="ESX-207095">
      <name>firmware</name>
      <version>3.5.0</version>
      <rel>207095</rel>
    </package>
    <package id="ESX-CLIENT-204907">
      <name>viclient</name>
      <version>2.5.0</version>
      <rel>204907</rel>
    </package>
    <package id="ESX-TOOLS-207095">
      <name>tools</name>
      <version>3.5.0</version>
      <rel>207095</rel>
    </package>
  </installed-packages>
</query-response>
# /vmfs/volumes/525300ce-5ff6ad3d-e2ed-0014222aedb7/patches/ESXe350-201302401-O-SG
... is there any update for this system? I believe therefore that the patch software etc. was not around when I installed this server in 2010.
Based on KB http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1014508 you are running ESX 3.5 Update 5.
-
IPSec on VMWare ESX 5.1 communication problems
Hello
We have 2 computer systems. One is running VMware ESX 5.1 and the other is running Ubuntu 14.04. We have problems getting IPsec to work between the two systems. We cannot find any documentation or known issues with IPsec on VMware ESX 5.1, so we're reaching out to the community.
Here's what we did:
1. We configured the Ubuntu and VMware systems to use IPv6; we can ping each other using IPv6.
2. We configured IPsec on the Ubuntu operating system by following the instructions below:
https://help.Ubuntu.com/community/IPSecHowTo
3. We followed the instructions below to configure IPsec on VMware.
Here's the problem:
When 2 Ubuntu systems run IPsec, they are able to ping each other. However, when we enable IPsec communications between VMware and Ubuntu, the ping hangs.
Here is the output of the esxcli configuration commands on VMware:
UBUNTU.IPv6.ADDRESS -> Ubuntu IPv6 address
VMWARE.IPv6.ADDRESS -> VMware IPv6 address
Name      Source Address       Destination Address  State   SPI    Mode       Encryption Algorithm  Integrity Algorithm  Lifetime
--------  -------------------  -------------------  ------  -----  ---------  --------------------  -------------------  --------
GoToDPSA  UBUNTU.IPv6.ADDRESS  VMWARE.IPv6.ADDRESS  mature  0x256  transport  3des-cbc              hmac-sha2-256        infinite
DPToGoSA  VMWARE.IPv6.ADDRESS  UBUNTU.IPv6.ADDRESS  mature  0x300  transport  3des-cbc              hmac-sha2-256        infinite
Name      Source Address          Source Port  Destination Address     Destination Port  Protocol  Flow  Action  Mode       SA
--------  ----------------------  -----------  ----------------------  ----------------  --------  ----  ------  ---------  --------
DPToGoSP  VMWARE.IPv6.ADDRESS/64  0            UBUNTU.IPv6.ADDRESS/64  0                 any       out   ipsec   transport  DPToGoSA
GoToDPSP  UBUNTU.IPv6.ADDRESS/64  0            VMWARE.IPv6.ADDRESS/64  0                 any       in    ipsec   transport  GoToDPSA
Here's what we found:
After debugging the problem (using tcpdump), we found that the VMware system sends ESP packets, but never sends an AH packet (required for IPsec authentication). Even when the encryption algorithm is null, the VMware system would still send ESP packets, but never once sent an AH packet.
Here is the resulting trace, Ubuntu -ping-> VMware:
...
IP6 UBUNTU.IPv6.ADDRESS > VMWARE.IPv6.ADDRESS: AH(spi=0x00000256,seq=0x16): ICMP6, echo request, seq 1, length 64
IP6 VMWARE.IPv6.ADDRESS > UBUNTU.IPv6.ADDRESS: ESP(spi=0x00000300,seq=0x1), length 160
IP6 UBUNTU.IPv6.ADDRESS > VMWARE.IPv6.ADDRESS: AH(spi=0x00000256,seq=0x17): ICMP6, echo request, seq 2, length 64
IP6 VMWARE.IPv6.ADDRESS > UBUNTU.IPv6.ADDRESS: ESP(spi=0x00000300,seq=0x2), length 160
IP6 UBUNTU.IPv6.ADDRESS > VMWARE.IPv6.ADDRESS: AH(spi=0x00000256,seq=0x18): ICMP6, echo request, seq 3, length 64
IP6 VMWARE.IPv6.ADDRESS > UBUNTU.IPv6.ADDRESS: ESP(spi=0x00000300,seq=0x3), length 160
Summary:
There seems to be a problem with IPsec in VMware ESX 5.1 on IPv6.
We noticed that the downloads section of the support site provided patches for VMware ESX 4.x and earlier, but lacks patches for VMware ESX 5.x.
Are there known issues in this area or available patches to fix this problem? Your kind suggestions would be greatly appreciated. Thank you.
Sorry for the late reply, but here is the analysis of what is happening and why you are experiencing a problem.
The Encapsulating Security Payload (ESP) IPsec protocol encrypts a packet's payload and can
optionally authenticate the packets as well. You did not include the commands you used to set up the
Security Association (SA) and Security Policy (SP), but the output in your post indicates that you
want to both encrypt the payloads and authenticate the packets in transport mode between the hosts.
I don't know why the Ubuntu IPsec HowTo examples use both the AH and ESP protocols to encrypt and
authenticate the packets. In our view, it is best done in a single step with ESP, and ESXi only
offers ESP (not AH) with IPsec. Of course, this requires configuring the ESXi server and your
Ubuntu host (or any other operating system) with a compatible IPsec configuration.
To illustrate, suppose the ESXi server has the address 2001:db8:1 and the Ubuntu host has the
address 2001:db8:2. We will use 3des-cbc for payload encryption and hmac-sha2-256 for integrity
authentication in transport mode - just like in your message.
On the ESXi host, the commands to do this might look like this (of course, you need to generate your
own keys and not re-use those I did).
# Add the ESXi outbound security association
esxcli network ip ipsec sa add \
    --sa-source=2001:db8:1 \
    --sa-destination=2001:db8:2 \
    --sa-mode=transport \
    --sa-spi=0x200 \
    --encryption-algorithm=3des-cbc \
    --encryption-key=0x6dd50fa97e919365d393fd0d404c655f80651316e9418682 \
    --integrity-algorithm=hmac-sha2-256 \
    --integrity-key=0x730047c680d9812535a741bbb3521a29322cca77464cf16092519c4165ca6958 \
    --sa-name=sa_1to2
# Add the ESXi inbound security association
esxcli network ip ipsec sa add \
    --sa-source=2001:db8:2 \
    --sa-destination=2001:db8:1 \
    --sa-mode=transport \
    --sa-spi=0x300 \
    --encryption-algorithm=3des-cbc \
    --encryption-key=0x50988e55ca6a0d0440cf0c29f80d308df884616ec4b55552 \
    --integrity-algorithm=hmac-sha2-256 \
    --integrity-key=0xf76caa5b4985a8a9d1c7cedbcf43f21b83401818e3b8d5e526a8c99ff4d4baa7 \
    --sa-name=sa_2to1
# Add the ESXi outbound security policy
esxcli network ip ipsec sp add \
    --sp-source=2001:db8:1/64 \
    --source-port=0 \
    --sp-destination=2001:db8:2/64 \
    --destination-port=0 \
    --upper-layer-protocol=any \
    --action=ipsec \
    --flow-direction=out \
    --sp-mode=transport \
    --sa-name=sa_1to2 \
    --sp-name=sp_1to2
# Add the ESXi inbound security policy
esxcli network ip ipsec sp add \
    --sp-source=2001:db8:2/64 \
    --source-port=0 \
    --sp-destination=2001:db8:1/64 \
    --destination-port=0 \
    --upper-layer-protocol=any \
    --action=ipsec \
    --flow-direction=in \
    --sp-mode=transport \
    --sa-name=sa_2to1 \
    --sp-name=sp_2to1
# List the ESXi security associations
esxcli network ip ipsec sa list
Name     Source Address  Destination Address  State   SPI    Mode       Encryption Algorithm  Integrity Algorithm  Lifetime
-------  --------------  -------------------  ------  -----  ---------  --------------------  -------------------  --------
sa_2to1  2001:db8:2      2001:db8:1           mature  0x300  transport  3des-cbc              hmac-sha2-256        infinite
sa_1to2  2001:db8:1      2001:db8:2           mature  0x200  transport  3des-cbc              hmac-sha2-256        infinite
# List the ESXi security policies
esxcli network ip ipsec sp list
Name     Source Address  Source Port  Destination Address  Destination Port  Protocol  Flow  Action  Mode       SA
-------  --------------  -----------  -------------------  ----------------  --------  ----  ------  ---------  -------
sp_1to2  2001:db8:1/64   0            2001:db8:2/64        0                 any       out   ipsec   transport  sa_1to2
sp_2to1  2001:db8:2/64   0            2001:db8:1/64        0                 any       in    ipsec   transport  sa_2to1
On your Ubuntu host, you need a compatible IPsec configuration. In general, on Linux systems
using the BSD-ported setkey command, this is done by editing the system-wide
configuration file /etc/ipsec-tools.conf.
#!/usr/sbin/setkey -f
flush;
spdflush;
#
# ESP SAs using 192 bit long keys (168 + 24 parity)
# generated using: dd if=/dev/random count=24 bs=1 | xxd -ps
# ESXi supports 3des-cbc, aes128-cbc, or null
#
# AH SAs using 256 bit long keys
# generated using: dd if=/dev/random count=32 bs=1 | xxd -ps
# ESXi supports hmac-sha1 or hmac-sha2-256
#
add 2001:db8:1 2001:db8:2 esp 0x200
    -E 3des-cbc 0x6dd50fa97e919365d393fd0d404c655f80651316e9418682
    -A hmac-sha256 0x730047c680d9812535a741bbb3521a29322cca77464cf16092519c4165ca6958;
add 2001:db8:2 2001:db8:1 esp 0x300
    -E 3des-cbc 0x50988e55ca6a0d0440cf0c29f80d308df884616ec4b55552
    -A hmac-sha256 0xf76caa5b4985a8a9d1c7cedbcf43f21b83401818e3b8d5e526a8c99ff4d4baa7;
# Security policies
spdadd 2001:db8:1 2001:db8:2 any -P in ipsec
    esp/transport//require;
spdadd 2001:db8:2 2001:db8:1 any -P out ipsec
    esp/transport//require;
I have no problem encrypting and authenticating IPv6 traffic between an ESXi 5.1 server
and an Ubuntu 14.10 host using this configuration.