Packet Loss on VMWARE

We recently deployed two Sophos XG Firewalls in HA Active/Passive on a VMWare infrastructure. We configured a WAN interface in bridge mode to three interfaces in different VLANs. We configured another WAN interface and configured a LAN interface which is in the VMWare Trunk.

We have a problem with some packet loss. We have packet loss for certain random VMs in any VLAN, and after a certain time the network is back again. If we start a ping from inside the VM, we never lose any ping.

Bridge Interface configuration:

PortE --> VLAN10

PortG --> VLAN11

PortD --> VLAN12

PortC --> VM Network (WAN)

Other Interfaces:

PortA --> Trunk

PortA.13 --> VLAN13

PortA.14 --> VLAN14

PortA.15 --> VLAN15

PortB --> VM Network (WAN)

  • Hi MichaelDionne,

    Could you check for any interface errors when you use the XG appliance in HA? To check the errors, you could check via SSH/Telnet access.

    Console > system diagnostics utilities bandwidth-monitor

    Cycle through the error/sec page by toggling with 'u' and check for any errors in your VM network. If so, you may need to check the interface speed.

    Thanks and regards

    Aditya Patel 

  • I got several errors on my interfaces in RX state and constant errors in the bandwidth-monitor. Our interfaces are set to auto-negotiate, and the physical NICs on VMWARE are on 10Gbps.

    Where can I see at which speed our interfaces are running?

  • Hi MichaelDionne, 

    As per your snapshot, the error on the interface is the cause of the issue and should be monitored. Here are the steps for you to resolve such an issue.

    Step 1: Change the interface speed to match the lower limit, i.e. cable or NIC speed, whichever is lower.

    Step 2: Run the command console>show network interfaces (check for the change of errors, monitor after a few seconds and run the command again and again). Make sure the errors on the interface on which you have configured the network speed are stable.

    E.g. error on port C is 48595 > check the command again after a few seconds > error should be the same 48595 or should be stable after the next retry.

    Step 3: Repeat step 2 with a different interface speed, preferably from higher to lower, and check if the error is stabilized.

    Thanks and Regards

    Aditya Patel | Network and Security Engineer. 
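The stability check in Step 2 can be done on saved console output instead of by eye. This is an added example, not part of the original posts or Sophos tooling: it assumes the interface listing is ifconfig-style text, and the two snapshots are constructed sample data.

```python
import re

# Constructed snapshots in an assumed ifconfig-style layout (not captured output).
SNAP_1 = """\
PortB     Link encap:Ethernet  HWaddr 00:00:00:00:00:0B
          RX packets:100000 errors:120 dropped:0 overruns:0 frame:0

PortC     Link encap:Ethernet  HWaddr 00:00:00:00:00:0C
          RX packets:900000 errors:48595 dropped:0 overruns:0 frame:0
"""
# Second sample taken "a few seconds later": PortB gained errors, PortC did not.
SNAP_2 = (SNAP_1.replace("packets:100000 errors:120", "packets:104000 errors:185")
                .replace("packets:900000", "packets:950000"))

NAME_RE = re.compile(r"^(\S+)\s+Link encap")
RX_RE = re.compile(r"RX packets:(\d+)\s+errors:(\d+)")

def parse_rx_counters(text):
    """Return {interface: (rx_packets, rx_errors)} from one snapshot."""
    counters = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):  # one stanza per interface
        name, rx = NAME_RE.match(stanza), RX_RE.search(stanza)
        if name and rx:
            counters[name.group(1)] = (int(rx.group(1)), int(rx.group(2)))
    return counters

def compare_rx_errors(before, after):
    """Classify each interface as stable, growing, or reset between two snapshots."""
    old, new = parse_rx_counters(before), parse_rx_counters(after)
    report = {}
    for iface in sorted(old.keys() & new.keys()):
        d_pkts = new[iface][0] - old[iface][0]
        d_errs = new[iface][1] - old[iface][1]
        if d_pkts < 0 or d_errs < 0:
            # Counters went backwards: reboot or HA failover, so the delta is meaningless.
            report[iface] = ("reset", 0)
        elif d_errs == 0:
            report[iface] = ("stable", 0)
        else:
            report[iface] = ("growing", d_errs)
    return report

if __name__ == "__main__":
    for iface, (state, delta) in compare_rx_errors(SNAP_1, SNAP_2).items():
        print(f"{iface}: {state} (+{delta} RX errors)")
```
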

  • I can't change the interface speed. It seems the option is grayed out.

    What do I need to do?

  • Hi MichaelDionne,

    As you are using a VM, you may change the interface speed of the connection to the adapter of the VMnet linked with your interface.

    Please refer to the KB article that may help you with your issue:

    https://kb.vmware.com/kb/1004089

    If you have a license for VMware, you may raise a concern to change the interface speed of the VMnet or VMNIC.

    Thanks and Regards

    Aditya Patel | Network and Security Engineer.

  • Is it normal that I can't change the interface speed on the Sophos appliance?

    I will check with the cloud provider to see the VNIC configuration.

  • Hi MichaelDionne,

    On a virtual appliance, you cannot change the interface speed on XG, as it does not control the hardware, which is your NIC adapter. This setting is applicable to hardware appliances. Your VM or the Ethernet driver has the capability to change the interface speed.

    How to determine the NIC speed of the ShareScan manager PC:

    Windows XP/ 2003:

    1. Click "Start > Settings > Control Panel".
    2. Select "Network Connections".
    3. Right click on the "Local Area Connection" select "Properties".
    4. In the "Local Area Connection Properties" window, select the "Configure" button.
    5. Select the "Advanced" tab.
    6. In the scroll list of options find "Media Type" and select it.
    7. The NIC speed will be displayed in the "Value" drop down menu.

    Windows Vista/ Windows 7/2008:

    1. Click "Start > Settings > Control Panel".
    2. Select "Network and Sharing Center".
    3. On the right panel select "Change Adapter settings"
    4. Right click on the "Local area Connection" and select "Properties".
    5. In the "Local Area Connection Properties" window select the "Configure" button.
    6. Select the "Advanced" tab.
    7. In the scroll list of options find "Speed & Duplex" or "Link Speed & Duplex" and select it.
    8. The NIC speed will be displayed in the "Value" drop down menu.

    My first recommendation is to change the interface speed on VMware as per the KB article, or change the Ethernet port speed manually.

    Thanks and regards

    Aditya Patel | Network and Security Engineer.

  • Hi,

    You were right, when you use the OVF file to deploy Sophos it's using the Flexible driver for the network cards. Then we figured that was the problem.

    I changed the network card by editing the VMX file to VMXNET3, the VM is booting normally with no error but the router won't connect to the network. With e1000 it's working, but I'm losing packets since the physical NIC is 10Gbps.

    Do you have an idea why I can't use VMXNET3 on the Sophos XG?

  • MichaelDionne said:
    Do you have an idea why I can't use VMXNET3 on the Sophos XG?

    The config of the default OVF is useless. The paravirtual OVF is recommended.

    Or change the SCSI controller to VMware Paravirtual.

  • Do you know if I can change that with the VM already in production?