NVGRE Gateway stops forwarding packets

I've deployed NVGRE Gateway and added a virtual network using NAT and it works fine... about 15 minutes, then everything stops. I have ping running to an external IP address and it works fine when adding a NAT connection to the virtual network, but suddenly stops after approx. 15 minutes. No events can be found from the guest VM, from the GW VM, from the gateway host or from the SCVMM.
Everything comes back to normal when removing the NAT connection and re-adding it.
I have installed the hotfix 2918813 (http://support.microsoft.com/kb/2918813) on the GatewayVM but it doesn't change anything.
Any ideas how to troubleshoot?

If you have several default gateways configured on your virtualization gateways, it is important to configure metrics and eventually static routes.
Just check this blog post to see if it is relevant: http://kristiannese.blogspot.no/2014/02/configuring-metrics-and-static-routes.html
Kristian (Virtualization and some coffee: http://kristiannese.blogspot.com )

Similar Messages

  • Network Switch requirements behind a NVGRE Gateway

    Hello there,
    I'm looking forward to setting up a nice System Center 2012 R2 Environment, with one Major Site where the Infrastructure for System Center and the Virtual Machines reside. There are another 2 Sites which will get an NVGRE Gateway so I can have the same IP Setup on both sites matched to the deployed VMs. We will call the Site where all the big Hardware sits Site A. Site B and C will only have an NVGRE Gateway so that physical Machines on Site B and C can access their VMs with their locally assigned IP Addresses and not what Site A is configured with.
    My question seems a bit silly but I haven't found any answer to this (neither in the Hybrid Cloud Guide nor somewhere else)
    If I deploy the following layout on all 3 sites (simplified), what features will the Switch on the local site need? Any certain numbers like ARP Entries or anything?
    Layout: [Hardware] ---- [Switch] ---- [NVGRE Gateway] ---- [ISP]
    My ISP has assured me I'm on full IPv4/6 Dualstack and I can have an ASN on the site where the Hardware is. The other two sites are simple enough ADSL IPv4 Lines where the x86 commodity Hardware NVGRE Gateways will be set up. I understand that eBGP will not be possible with this kind of Setup but iBGP should be working?
    So do I need something like a Juniper EX-4200+ Series Switch on each Site behind the NVGRE Gateway, or will a basic L2(+ ?) Switch do the Job on the local Networks, or do I need to watch out for some specific Switch supported features to get going?
    Thanks for your help in advance guys!

    So over 100 Views and no one can tell me if a simple L2 Switch will do on the local only fabric or not? Do I need a MS Support Case just to get a clarification on that?

  • How to Stop Forward scheduling process in Sales order(VA01)

    Hi ,
    How to deactivate forward scheduling proposal in sales order.....
    In the current system, we have both forward and backward scheduling process based on the material availability.
    What is the customization required to do in SPRO or Master data changes to stop forward scheduling proposal in sales order....
    Thanks & Regards
    Sudheer Madisetty

    HI Gopal,
    Thanks for your reply
    Apart from OVLY, any other customization required to be done...?
    Regards
    Sudheer

  • Firefox has stopped forwarding my mail to my Mac Mail.

    I had to change my Firefox password lately, so that it does not match my Mac Mail password. Then Firefox stopped forwarding my mail to my Mac Mail box.

    Also make sure that you do not run Firefox in permanent Private Browsing mode.
    * https://support.mozilla.com/kb/Private+Browsing
    * You enter Private Browsing mode if you select: Tools > Options > Privacy > History: Firefox will: "Never Remember History"
    * To see all History and Cookie settings, choose: Tools > Options > Privacy, choose the setting Firefox will: Use custom settings for history
    * Deselect: [ ] "Permanent Private Browsing mode"

  • NVGRE Gateway Cluster Problem

    Hello
    We have following setup:
    Management Hyper-V hosts running WAP, SPF and SCVMM 2012 R2 components
    Gateway Hyper-V host: single node gateway hyper-v host, configured as a single node cluster to be able to join extra hardware in the future
    this Hyper-V host runs 2 Windows Server Gateway VMs,configured as a failover cluster.
    The following script is used to deploy these windows server gateway VMs as a high available NVGRE gateway service:
    http://www.hyper-v.nu/archives/mscholman/2015/01/hyper-v-nvgre-gateway-toolkit/
    two tenant Hyper-V hosts running VMs which are using network virtualization
    The setup is completed successfully and when creating a tenant in WAP and creating VM network for this tenant using NAT, the VMs of this tenant are accessible and can access Internet using the HA Gateway cluster.
    The Gateway Hyper-V host and NVGRE Gateway VMs are running in a DMZ zone, in a DMZ Active Directory Domain.
    Management and Tenant Hyper-V hosts, incl all Management VMs, are running in a dedicated internal Active Directory domain.
    Problems start when we failover the Windows Server Gateway service to the other VM node of the NVGRE Gateway cluster. We see in the lookup records on the Gateway Hyper-V host that the MAC address of the gateway record for tenants is updated with the new MAC address of the VM node running the gateway service.
    But in SCVMM, apparently, this record is not updated. The tenant hosts still use the old MAC address of the other Gateway VM node.
    When looking in the SCVMM database, we can also see that in the VMNetworkGateway table that the record representing the gateway of the tenant, still points to the MAC address of the PA network adapter of the other node of the NVGRE Gateway cluster, not to the new node on which the gateway service is running after initiating a failover.
    On the tenant hyper-v hosts, the lookup record for the gateway also points to the old node as well.
    When manually changing the record in the VMNetworkGateway table to the new MAC address, and refreshing the tenant hosts in SCVMM, all starts working again and the tenant VMs can access the gateway again.
    Anybody else facing this issue? Or is running a NVGRE Gateway cluster on a single Hyper-V node not supported?
    To be complete, the deployed VMs running the gateway service are not configured as HA VMs.
    Regards
    Stijn

    If I understand your post correctly you have a single Hyper-V Host running 2 GW VMs. I think the problem is that when you deploy a HA VM Gateway Cluster it wants to create a Cluster Resource (PA IP Address) on the Hyper-V host as well. So when you run 2 Hyper-V hosts and 2 GW VMs and you move the active role to another host it will move the Provider Address to the other Hyper-V host as well. I believe this is by design. You should also ask yourself the question why you are running 2 VMs in a cluster on the same node ;-)
    I would recommend using a 2 node Hyper-V Host Cluster (this is needed for the HA PA Address, and not necessary for your GW VMs).
    Then run the deployment toolkit again. Now when that's done again, take a close look at how the Active node on the Hyper-V host has the corresponding PA assigned on that Hyper-V host. Then do a failover, refresh the cluster manager and take notice of the PA address that has moved along to the other Hyper-V host that is the active one. It is difficult to explain in a couple of sentences, but I hope you have the opportunity to build the 2nd Hyper-V host as well and create a cluster.
    Side note: if you want to keep the existing VM Gateway cluster, remove all gateways from VM Networks and remove the Gateway service from VMM. Then provision the second Hyper-V Host, configure Cluster, live migrate 1 GW VM node to it. Reconfigure Shared VHDX for quorum and CSV and then add back the network service again. Don't try to leave it as a network service in VMM and move the VM to another node. It will not work when failing over.
    Best regards, Mark Scholman. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • NVGRE Gateway Security and Firewalls?

    Hi,
    I am setting up a Hyper-V NVGRE gateway on Windows Server 2012 R2. Now from what I have read the gateways have 3 NICs and one interface dedicated to public IP addresses, but I haven't been able to find any information about how the gateways are secured.
    Can they be protected behind hardware firewalls?
    Are they already secured at the time of install out of the box?
    Do we have to use and configure the Windows Firewall on the gateway for protection?
    Any best practice out there, real life experience / examples or some documentation on this subject, as I am struggling?
    Many thanks in advance.
    Microsoft Partner

    Hi,
    I have created some blogs on hyper-v.nu about NVGRE gateway.
    My recommendation:
    Put the gateway Hyper-V host and GW VMs in a separate domain.
    Connect the GW VMs directly to the internet.
    Enable the Windows Firewall. Look after the Network Connection Profile as there are different rule sets for Private, Public and Domain rules. Make sure the external interface is marked as public profile. If you use the toolkit I created for GW deployment it's configured for you.
    If your company policy doesn't allow you to connect directly to the internet, put a firewall in front, but transparently, or create a public subnet behind that firewall so your GW VMs have public IPs.
    Only use inspection on traffic (IDS), don't block it. If you really need to, create a common allow list for regular ports. Otherwise tenants need to open service requests at your helpdesk to open ports if they want to publish an application via a NAT rule.
    Since you put the hosts and GW VMs in a separate domain you managed to separate it from your management domain, which is in my sense the best practice.
    Use 3rd party NVGRE vendors like Boudewijn mentioned, such as BIG IP F5.
    Best regards, Mark Scholman. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
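
    A read-only audit of the firewall posture recommended in the reply above (firewall enabled on every profile, external interface in the Public profile), added here as an example; it is not part of the original post or of the deployment toolkit it mentions. The interface alias `External` is an assumption and must be replaced with the alias of the internet-facing adapter on the gateway VM.

```powershell
# Added example: audit Windows Firewall posture on an NVGRE gateway VM.
# Assumption: the internet-facing adapter is named 'External'.
param(
    [string]$ExternalAlias = 'External'
)

$findings = @()

# 1. Windows Firewall must be enabled for Domain, Private and Public profiles.
foreach ($fw in Get-NetFirewallProfile) {
    if ($fw.Enabled -ne 'True') {
        $findings += "Firewall profile '$($fw.Name)' is not enabled."
    }
    # An explicit default-allow for inbound traffic defeats the rule sets.
    if ($fw.DefaultInboundAction -eq 'Allow') {
        $findings += "Firewall profile '$($fw.Name)' allows inbound traffic by default."
    }
}

# 2. The external interface must be classified as Public so that only the
#    Public rule set applies to internet-facing traffic.
$conn = Get-NetConnectionProfile -InterfaceAlias $ExternalAlias -ErrorAction SilentlyContinue
if (-not $conn) {
    $findings += "No connection profile found for interface '$ExternalAlias'."
}
elseif ($conn.NetworkCategory -ne 'Public') {
    $findings += "Interface '$ExternalAlias' is '$($conn.NetworkCategory)', expected 'Public'."
    # Remediation, to be run deliberately by an administrator:
    #   Set-NetConnectionProfile -InterfaceAlias $ExternalAlias -NetworkCategory Public
}

# 3. List enabled inbound allow rules that apply to the Public profile, so the
#    exposed surface on the external interface can be reviewed by hand.
$publicInbound = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { "$($_.Profile)" -match 'Public|Any' } |
    Sort-Object DisplayName

Write-Output "Inbound allow rules active in the Public profile: $($publicInbound.Count)"
$publicInbound | Select-Object DisplayName, Profile | Format-Table -AutoSize

if ($findings.Count -eq 0) {
    Write-Output 'No findings: firewall enabled on all profiles and external interface is Public.'
}
else {
    Write-Output 'Findings:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```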

  • Simulator Play/Stop/Forward chapter buttons

    This is probably the easiest of questions, figuring as such since I searched the forums and I don't see anything on it. I am new to DVDSP and can kind of find my way around, but need help on some things.
    I have a movie I have exported out of FCP with chapter markers as an m2v file with sound as ac3. Placed in DVDSP and then pointed each text item on the menu to go to the chapters and they work however when I use the Simulator, the play, stop, forward and back chapter buttons don't work.

    Answered.

  • HELP!  Gateway stops accepting new connections

    Config: PS6.1 on Solaris 9 (Sparc), separate gateway on Solaris 9 (Sparc). The PS6.1 was migrated from a PS3.0 installation. The machines are V240 with 2GB RAM and 4GB swap.
    I start the GW with: ./S43gateway -n default start debug
    Several minutes after startup (it varies from 1 to 40) I get the following message:
    Class Name: com.sun.portal.rproxy.rewriter.services.idsame.IDSAMEDataServiceStub
    04/02/2004 07:29:07:823 PM CST: Thread[Thread-14,5,main]
    ERROR: RemoteHandler : ERROR on remote machine
    After a while, something will trigger the following set of messages and that's when the gateway stops accepting new connections.
    ESessionMsg caught exception when reading:
    java.io.EOFException
            at java.io.DataInputStream.readFully(DataInputStream.java:153)
            at com.sun.portal.netlet.econnection.ESessionMsg.readMsg(ESessionMsg.java:24)
            at com.sun.portal.netlet.eproxy.EProxyConnection$ESessionThread.run(EProxyConnection.java:114)
            at com.sun.portal.util.ThreadPoolThread.run(GWThreadPool.java:109)
    java.lang.OutOfMemoryError
            <<no stack trace available>>
    The OutOfMemoryError will keep coming out for a while, why it stops, I don't know. When this does happen, the java process is only using about 220MB of RAM and only about 10 users are logged-in.
    This was working fine until we changed the IP of the gateway and moved its ethernet connection to "outside" the firewall. I re-installed the gateway software to make sure I didn't miss anything other than platform.conf. I have the webproxy enabled for the bookmarks channel and that is working. I have holes in the firewall for the proxy, LDAP and HTTPS ports.
    Any ideas?
    Thanks,
    Roger S.

    The gateway has to be tuned substantially to get good performance.
    The tuning needs to be based on your load,
    e.g. how many netlet connections, how many concurrent users you expect to handle, etc.
    The default min heap size and max heap size need to be changed. You can go up to a max of 2 GB but I would recommend starting with a smaller heap size of 500 M and seeing how your performance goes.
    The min and max heap size should always be the same for better performance. If you're using netlets then you have to change the thread parameter. Each netlet connection uses two threads, so if you're using a large number of netlet connections then your thread count needs to be 500 at a minimum to support 200 concurrent netlet sessions. Increasing the thread pool will also use more memory as each thread uses a min of 512 K of memory. The thread stack size needs to be set to 128 K.
    These are the initial things to start with. You can also set the JVM option -verbose:gc to enable GC logs. This will show memory usage.
    These are good things to start with ..

  • CCE 507 stops forwarding traffic to internet

    Our CE (which is our proxy server) constantly stops forwarding traffic to the internet. The engine does not freeze or lock up because I can telnet into it and reload and everything is fine then. This has started happening in the last two weeks. The engine is integrated with Websense filtering. Could I be experiencing hardware issues? I did recently upgrade Websense to the latest version and also upgraded the PIX 515 Firewall IOS to the latest. I am thinking maybe upgrade the IOS on the engine. Any guidance would be appreciated. Thanks in advance.

    Apparently the version of Websense that I was running was not making the CE very happy. I upgraded to a new version and ever since the problem has not arisen. But I am having one issue with the CE. There is one website that generates errors when going through the CE proxy server. Although when bypassing the proxy server (CE), there are no errors generated. It is only when going through the proxy that the error is generated. The error does not reflect a Websense blocking page. So it only leads me to believe that the problem is on the CE. I would like to upgrade the IOS on the CE to the latest software in an effort to resolve this. If I upgrade, should I be aware of any problems with the configuration not working after the upgrade? The device is a CE 507 with software version 2.51. Any history on this type of problem? Any help would be appreciated. I have pasted the exact error generated from the site. Thanks again.
    Network Error
    The server yearbookavenue1.jostens.com returned an invalid response to your request for http://yearbookavenue1.jostens.com/cgi-bin/exe2004/year2004.exe?f_4194e967209

  • 10/100 ports stop forwarding on Cat.4506 SupII Cat7.6.7

    On one location of our campus various 10/100 ports stop forwarding traffic after some time (port stays in notconnected state, sometimes with linkled on, sometimes off).
    This happens on various ports of both Cat.4506 systems on both line-card types:
    WS-X4232-GB-RJ
    WS-X4148-RJ
    We already replaced linecards, without success.
    Does anyone know what's wrong ?

    Peter,
    You would probably have a better chance of getting a solution to this issue by posting on the LAN switching forum.
    Hope this helps,

  • Gateway stop/start (lots of hanging connections)

    We noticed that when we do a gateway stop, we have to wait for a long time for connections to close to port 443. The gateway will only restart after ALL connections are gone. Verify by netstat -an|grep 443.
    I understand that these are non closed connections waiting for timeout. Is there an ndd setting for tuning this? I find it rather odd that daemons like apache are able to stop/start immediately. Or maybe this is java networking specific?

    Perhaps this is along the lines of what you're looking for:
    ndd /dev/tcp tcp_time_wait_interval
    I believe the tuning script changes this to 60,000. I've changed this to 30,000 (ms) with no ill effects, but this should release any "time_wait" sockets in 30 seconds, vs 60 seconds. Might clean this up faster for you.
    You should also monitor the server before stopping/starting amserver to ensure all GW connections, netlet proxy and rewriter proxy ports are all closed too (10443, 10444, 10445) etc... (whatever you have defined on install)..
    Once netstat doesn't show any results back, you're safe to restart.
    Dave

  • ASA appears to randomly stop forwarding/routing traffic

    Hi guys, got a curly one -
    Our ASA appears to randomly stop forwarding traffic between interfaces. Traffic does not forward for several minutes, then it starts again. After a while the traffic stops again for a few minutes, and the cycle repeats.
    If you are on a directly connected network you can still ping the ASAs local interface (I have ICMP turned on for testing). However you cannot ping the ASA from any remote network. I can ping or trace all the way up to the last hop without an issue. You also cannot ping across the ASA to servers on the other side, even from the immediate next hop (which as I mentioned above, still works) .
    This would appear to point to a routing problem? Strangely, routing still functions for the management network - I have had no problems reaching the command line from elsewhere in the network.
    Has anyone encountered something similar to this before?
    Relevant ASA configuration commands below:
    interface GigabitEthernet0/1
    description DMZ Trunk interface
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/1.220
    description F5 DMZ Internal
    vlan 220
    nameif DMZInternal
    security-level 50
    ip address 172.17.20.1 255.255.255.0 standby 172.17.20.2
    interface GigabitEthernet0/2
    nameif Internal
    security-level 100
    ip address 172.17.99.254 255.255.255.0 standby 172.17.99.253
    icmp permit any DMZInternal
    icmp permit any Internal
    route management 0.0.0.0 0.0.0.0 172.17.42.1 1
    route Internal 172.16.0.0 255.240.0.0 172.17.99.1 1
    EDIT: sorry forgot to post -
    #sh ver
    Cisco Adaptive Security Appliance Software Version 8.3(2)
    Device Manager Version 6.4(1)
    Compiled on Fri 30-Jul-10 17:49 by builders
    System image file is "disk0:/asa832-k8.bin"
    Config file at boot was "startup-config"

    Hi Dan - I suggest you ask this in the forum.
    hth
    Herbert

  • Tenant Administrator can't connect VM Network to NVGRE Gateway.

    Tenant Administrator can't connect VM Network to NVGRE Gateway.
    Just no "Connectivity" tab in VM Network properties when connected to VMM as Tenant Administrator...
    Is it normal or a bug?

    Hi,  from PowerShell you should be able to add gateway to VM Network with the following command:
    Add-SCVMNetworkGateway -Name <String> -VMNetwork <VMNetwork>
    [-EnableBGP <Boolean> ]

  • Hyper-V / NVGRE Gateways / SCVMM 2012 R2

    I am currently investigating the roll out of network virtualisation using Hyper-V, Windows Server gateway and SCVMM 2012 R2
    I have tested deploying a single WSG in a single datacentre and I can get VMs working with Network Virtualisation.
    I have a requirement to deploy network virtualisation in multiple datacentres so that I am able to amongst other things live migrate VMs between datacentres with next to no downtime.
    My question is what do I need to deploy to make this work?
    For example do I need a WSG in each datacentre and if so are they completely independent of one another or are they aware of one another?
    I understand that each datacentre will have its own provider address space but I'm assuming the customer VM network will be the same at each datacentre - this would mean the customer VM network gateway IP would be in two locations but does this matter if the provider addresses are different?
    Is there anyone who has experience configuring WSG / NVGRE at multiple sites who could give some useful tips?
    Thanks
    John. 

    Hi Kristian
    Thanks for getting back to me.
    BTW the NVGRE white paper is excellent so a big thank you!
    To answer your points:
    Will the PA network be routable - Yes, I'm assuming I would configure at least one routable PA network per Datacentre - I don't really want to be stretching networks across Datacentres?
    Will the hosts in the other datacenter be able to reach the hosts in the primary datacenter where the WSG servers are running - Yes
    I have now destroyed my lab environment and this might seem like a stupid question but the PA gateway address is located on my router and not the NVGW?
    Forgetting HA for a moment would you recommend deploying a NV Gateway per datacentre or is this over complicating things? For example if I live migrated a NV VM from DC1 to DC2 would it use DC2's NVGW for external access or will it still use DC1's?
    In my head it seems more straight forward to deploy a HA NVGW at one DC which is used by all other DCs and as you suggested use something like Hyper-V Replica. Do you know if this is supported
    Many Thanks
    John.

  • Quantum Gateway Port Forwarding issues

    This post can be removed.... the port forwarding worked once I set it up under "Advanced Settings -> Network Settings ->Port Forwarding" instead of "Firewall -> Port Forwarding"
    Hello,
    I am having an issue setting up port forwarding.  I have made several attempts to port forward TCP 8096, but it continues not to work.  I had it working with no problems with my old router before we moved so I know it's not an issue with my computer firewall or antivirus and MediaBrowser is working fine on the local network. Is anyone else experiencing Port Forwarding issues?  Also when will DMZ be enabled on this gateway?
    Any help would be appreciated. I'm trying to set up MediaBrowser so I can schedule recordings when I'm not at home.
    Thanks!
    Armyb77
    This post can be removed

    See kayster contribution here.
    SYNOLOGY DS214 - Remote access via BT Home Hub
    There are some useful help pages here, for BT Broadband customers only, on my personal website.
    BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.
