
Unable to access web servers between LAN zones

Hi,

Trying to set up an XG v18 Home on ESXi 6.7u3 and running into a problem that has me stumped, and I'm hoping someone can help me figure out where/how to fix this.

Initial test setup has 3 vNICs:

Port1 - LAN: static IP: 192.168.20.1/24 with client DHCP. Intended for normal everyday use and users.
Port2 - WAN: DHCP from ISP cable modem. Everything works fine as far as I can tell from either of the other 2 networks.
Port3 - MGMT: static IP: 192.168.50.1/24 with client DHCP. Also a LAN port, but this is where the systems management traffic will live, e.g. ESXi & Cisco switch management interfaces.

---------
UPDATE:
To clarify, each port is a separate network zone, i.e. MGMT & LAN are separate zones, but both are of zone type LAN.
---------

For testing I've created a trusted any/any rule between the LAN & MGMT zones, with no web filtering or IPS (as far as I can tell) and logging enabled.

When the client PC is connected to the LAN (port1) network, it gets an IP address, can access the internet (WAN), can ping systems on the MGMT network and can even SSH into the servers & Cisco switch.

BUT, here's the problem: it cannot successfully connect to any of the web interfaces, e.g. the ESXi web client can't connect to the ESXi web server. It appears the browser gets the SSL certificate and then it just starts spinning until it finally times out. I've tried with different browsers too, and it works fine when the client PC is on the same MGMT network as the servers and is not going through the firewall.

I've checked the logs and it says the firewall rule allows the TCP traffic on 443 to the web server, but I see a lot of "Could not associate packet to any connection" failure errors for the connection to the destination. When I trace the source port for these messages, the log shows that the initial connection from that source port was allowed, but then it must time out or something, because within 10-30 seconds of the allowed connection it starts saying "Could not associate packet to any connection" for that source port.

No connection failures or errors show up in any other logs for the destination IP either.

It appears that any web server using HTML5 or other client- or server-side scripting is failing. Could this be because of self-signed certs on the ESXi and other servers? I've disabled SSL/TLS inspection, but it didn't change the results.

Any help or ideas will be greatly appreciated.

Thanks!



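The poster traced source ports through the firewall log by hand to tie each "Could not associate packet to any connection" entry back to the earlier allowed connection. The script below automates that correlation; it is an added example, not code from the original post or from Sophos. The log lines inside it are constructed to mimic the key=value layout of XG firewall log exports, and the field names used (date, time, log_subtype, reason, src_ip, src_port, dst_ip, dst_port) are assumptions about that layout, so adjust the regex if a real export uses different names. The useful distinction it draws is between entries for a 4-tuple the firewall did allow earlier (the connection-tracking entry was later lost or expired, and the delay tells you how long it lived) and entries for a 4-tuple the firewall never saw open at all, which is what you would expect if one direction of the flow is bypassing it.

```python
"""Correlate 'Could not associate packet to any connection' entries with the
earlier 'Allowed' entry for the same src_ip/src_port/dst_ip/dst_port.

Added example, not part of the original forum post. Field names are an
assumption about the XG key=value log layout; sample lines are constructed.
"""
import re
from datetime import datetime

# Constructed sample log, not taken from the poster's firewall.
SAMPLE_LOG = """\
date=2020-03-15 time=10:12:08 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" fw_rule_id=3 src_ip=192.168.20.10 src_port=51234 dst_ip=192.168.50.5 dst_port=443 protocol="TCP"
date=2020-03-15 time=10:12:09 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" fw_rule_id=3 src_ip=192.168.20.10 src_port=51240 dst_ip=192.168.50.5 dst_port=22 protocol="TCP"
date=2020-03-15 time=10:12:31 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" reason="Could not associate packet to any connection" src_ip=192.168.20.10 src_port=51234 dst_ip=192.168.50.5 dst_port=443 protocol="TCP"
date=2020-03-15 time=10:12:45 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" reason="Could not associate packet to any connection" src_ip=192.168.20.10 src_port=51234 dst_ip=192.168.50.5 dst_port=443 protocol="TCP"
date=2020-03-15 time=10:13:02 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" reason="Could not associate packet to any connection" src_ip=192.168.20.10 src_port=60000 dst_ip=192.168.50.5 dst_port=443 protocol="TCP"
"""

# key=value pairs; quoted values may contain spaces (e.g. the reason field).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ORPHAN_REASON = "Could not associate packet to any connection"


def parse_line(line):
    """Return a dict of fields plus a parsed 'ts' datetime."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(
        f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


def flow_key(f):
    """4-tuple identifying one TCP connection as the firewall sees it."""
    return (f["src_ip"], f["src_port"], f["dst_ip"], f["dst_port"])


def correlate(log_text):
    """For each orphan-packet entry, report seconds since the first Allowed
    entry for the same 4-tuple, or None if the firewall never allowed it."""
    first_allowed = {}
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        key = flow_key(f)
        if f.get("log_subtype") == "Allowed":
            first_allowed.setdefault(key, f["ts"])
        elif f.get("reason", "").startswith(ORPHAN_REASON):
            t0 = first_allowed.get(key)
            delta = (f["ts"] - t0).total_seconds() if t0 else None
            results.append((key, delta))
    return results


def classify(results):
    """Split orphans into 'state_lost' (an Allowed entry preceded them)
    and 'never_allowed' (no Allowed entry for that 4-tuple at all)."""
    summary = {"state_lost": 0, "never_allowed": 0}
    for _, delta in results:
        summary["state_lost" if delta is not None else "never_allowed"] += 1
    return summary


if __name__ == "__main__":
    rows = correlate(SAMPLE_LOG)
    for (src, sport, dst, dport), delta in rows:
        age = f"{delta:.0f}s after Allowed" if delta is not None else "no Allowed seen"
        print(f"{src}:{sport} -> {dst}:{dport}  {age}")
    print(classify(rows))
```

Run it against a real export by replacing SAMPLE_LOG with the file contents. A cluster of state_lost entries 10-30 seconds after the allow, only on port 443 while port 22 flows stay clean, points at what happens after the TLS handshake rather than at the rule itself; never_allowed entries for a 4-tuple point at traffic whose opening packets the firewall did not see.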
This thread was automatically locked due to age.