07-06-2020 10:44 AM
Hi,
The UCS environment is very new to me so bear with me if I struggle to understand replies and advice.
We have a Netapp storage center hosted in our UCS network. We also have a VM environment there as well.
After one of our team members did in-depth troubleshooting with a Netapp support specialist, it was determined that the Netapp is working fine and somewhere between the network the Netapp lives on and the network the infrastructure VMs are on, SSL is either being blocked or filtered out.
Is there a way I can see if this is happening?
Thanks for any help and please let me know if I need to supply you with more information.
07-06-2020 10:59 AM - edited 07-06-2020 11:38 AM
Greetings.
UCSM/FIs is a layer 2 only device, so it has no ACL/L3 filtering abilities.
If you have filtering going on, then it is either upstream on a L3 device, or some sort of L3 virtual device/appliance.
Would be helpful if you could post a very basic picture of the topology...
So the netapp is directly connected to the FIs as 'appliance' ports?
I know some of them can have a specific QOS/COS value requirement, so you may need to confirm that your various ESXi host VNICs have the correct QOS policy.
Can you be more specific about the traffic you are talking about (i.e. ESXi VMK NFS port <> Netapp appliance, or guestVMs trying to hit management web interface)? Is this traffic in the same subnet, or in different subnets, where it has to go through L3 device? Does traffic on any port work between the two entities in question (i.e. ping, ssh, etc)?
Also, might want to fire up Wireshark on your guestVMs in question and capture a snippet of your attempts to hit the netapp URLs requiring SSL negotiation.
Kirk...
07-06-2020 11:55 AM
07-07-2020 04:54 AM - edited 07-08-2020 04:46 AM
Without subnet mask details, it's hard to confirm if your netapp, and your VMs are in different subnets.
I am assuming you are using /24 SM, which means VMs have to go through an upstream router/L3 device to talk to the other subnet. That is where your focus should start.
Assuming your guestVMs don't have any unusual web browser SSL restrictions, or local OS firewalls causing the blocks.
Any chance you could use a testVM, and drop it in the same vlan as the netapp appliance, and do a test while they are in the same subnet (this will remove the layer 3/router from the equation)?
Kirk...
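The two checks discussed in the replies above (are the VM and the storage controller in the same subnet, and does the connection fail at the TCP stage or during SSL/TLS negotiation) can be scripted from a guest VM. This is an added example, not code posted by anyone in the thread; the function names are hypothetical and the addresses are constructed documentation addresses, with the /24 default taken from the assumption in the reply.

```python
import ipaddress
import socket
import ssl

def same_subnet(ip_a, ip_b, prefix=24):
    """True when both hosts share one network, so no router (or router ACL) sits between them."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net

def probe_tls(host, port=443, timeout=3.0):
    """Classify how far a connection gets: TCP stage, TLS stage, or full handshake."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "tcp_timeout"      # no answer at all: consistent with a silent ACL/firewall drop
    except ConnectionRefusedError:
        return "tcp_refused"      # RST came back: nothing listening, or a reject rule
    except OSError:
        return "tcp_unreachable"  # no route / ICMP unreachable
    # Certificate validation is disabled on purpose: this only tests whether the
    # handshake completes, and appliances often present self-signed certificates.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "tls_ok:" + tls.version()
    except (ssl.SSLError, OSError):
        return "tls_failed"       # port is open but the handshake was cut short

if __name__ == "__main__":
    vm_ip, filer_ip = "192.0.2.10", "198.51.100.20"  # constructed addresses
    print("same subnet:", same_subnet(vm_ip, filer_ip))
    print("result:", probe_tls(filer_ip))
```

Running the probe once from a VM in the routed subnet and once from a test VM in the storage VLAN shows whether the failure follows the layer 3 path.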
07-08-2020 05:28 AM
Thanks for all your help. Ended up being an ACL on our Management switch.
Thanks for your time.