Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1589
Views
0
Helpful
3
Replies

VM's on nexus 1000v cannot communicate

AdamBatey
Level 1
Level 1

‎10-14-2012 08:47 PM

Hi All,

I'm currently runnning a POC for the ASA 1000v and as such i'm using the nexus 1000V for the first time. My issue might be that i'm missing something fundamental with the nexus configuration.  I have read the configuration guides and can't see any obvious issues in my config.

I have setup the Nexus 1000v and have created my port groups.  I have the ASA 1000V internal interface and a test VM sitting on the "ClientA" network, this network is vlan 70.These 2 VM's cannot see each other.

However a laptop i have externally sitting on VLAN70 that can ping & access both the test VM and the ASA1000v, likewise the ASA1000v and test VM can ping & access the Laptop.

So the issue appears to be with traffic between guest VM's on the same DVS within the Nexus

I have attached my nexus config for reference, if anyone can shed any light on my issue it would be greatly appreciated.

Regards

1 person had this problem
Labels:
136779-Nexus1000v.txt.zip
0 Helpful
3 Replies 3

Vinod Kataria
Level 4
Level 4

‎10-19-2012 04:51 PM

I see you are using following port-profile for inside interface of ASA and your Test VM

port-profile type vethernet CLIENTA

  vmware port-group

  switchport access vlan 70

  switchport mode access

  vservice node ClientA-ASA profile Inside

  org root/ClientA/TestDC/ASA

  no shutdown

  state enabled

This is enabling firewall on inside interface of ASA as well. You should not have firewall enabled for ASA inside interface.

To fix this create another port-profile without the "vservice" and "org" like the following:-

port-profile type vethernet CLIENTA-ASA-INSIDE

  vmware port-group

  switchport access vlan 70

  switchport mode access

  no shutdown

  state enabled

Use this port-profile for your ASA inside interface.

0 Helpful

AdamBatey
Level 1
Level 1
In response to Vinod Kataria

‎11-14-2012 02:25 PM

Hi Vinod,

Thanks for that.   I have made those changes but still no luck.  I will be honest i've been too busy to properly look over/debug since.  But once i get some more time i'll take a more indepth look and post back.

In any case thanks for pointing me in the right direction.

Regards,

0 Helpful

AdamBatey
Level 1
Level 1
In response to Vinod Kataria

‎11-15-2012 02:18 PM

HI All,

Still no joy with getting VM traffic through the ASA 100v/ nexus 1000v.

My current ASA1000v & Nexus1000v configs are attached.

The basics of the ASA config is as follows:

Gig 0/0 ( Inside )   connected to port group CLIENT-ASA-INSIDE

Gig 0/1 (Outside)  connected to port group OUTSIDE

ASA Security profile:

Interface: security-profile1

Name: Sec1

Enabled: Yes

Security Profile: Inside

PLease also note, i have tried both of the followng under the CLIENTA profile on the Nexus:

vservice node ClientA-ASA profile Sec1

vservice node ClientA-ASA profile Inside

I have VM's on CLIENTA port group. The VM's can ping the ASA inside interface. The ASA can ping external IPs . But VM traffic cannot get to the internet.

Note: testing external access via ping to IP as well as web browsing etc.

Not sure where i'm going wrong but any assistance would be appreciated.

Regards,

138542-Nexus1000v.txt.zip
0 Helpful
Customers Also Viewed These Support Documents