Troubleshooting
In this chapter, you will see some of the issues that occur most frequently.
The serial number of the virtual firewall is still VMSNSX00Z0000A0.
The firewall has not been activated. Refer to the chapter Activating the virtual SNS EVA firewall.
Some features on the virtual firewall are not available
Check the serial number of the firewall. If it is VMSNSX00Z0000A0, the firewall has not been activated. Refer to the chapter Activating the virtual SNS EVA firewall. If the firewall has already been activated, check the details of its license in its web administration interface in Configuration > System > License.
Issues arise on the vSphere hypervisor in high availability
You may occasionally encounter issues when attempting to connect remotely to a high availability cluster in the following architectures:
- Firewalls hosted on the same ESX server and connected to vSwitches
- Firewalls hosted on two separate ESX servers and connected to vSwitches
- Firewalls hosted on two separate ESX servers and connected to dvSwitches
Thanks to VMware Tools, the virtual switch (vSwitch/dvSwitch) automatically learns the MAC addresses of the appliances connected to its ports.
Since both members of an SNS EVA firewall cluster have the same MAC address by default, the virtual switch always sends network packets intended for that MAC address only to the firewall bearing this address, regardless of its status in the cluster (active or passive). Therefore, if the virtual switch (vSwitch/dvSwitch) sends packets to the passive firewall, these packets will be automatically ignored.
The solution is to delete the MAC addresses imposed in the configuration of both firewalls. Perform this operation:
From the firewall's web administration interface:
- Go to Configuration > Network > Interfaces, Advanced properties tab.
- In the Physical (MAC) address field, delete all the custom MAC addresses for the network interfaces of virtual firewalls.
- Apply changes.
In the firewall's system console:
- In the configuration file /usr/Firewall/ConfigFiles/network, delete all lines containing the entry "MacAddress=".
- Next, type the commands ennetwork and then hasync in order to apply these changes and synchronize the active firewall's configuration with the passive firewall's configuration.
Depending on the network devices connected to the firewalls, and mainly according to their set ARP timeout values, more time may be required to restore connections when the roles of the firewalls are changed within the cluster (active/passive).
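The system console procedure above can be scripted so that the file is backed up before the "MacAddress=" lines are removed. This is an added example, not Stormshield's own tooling: the path and the "MacAddress=" entry come from this page, while the function names and the layout and other keys of the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example. The "MacAddress=" entry comes from the page; the sample
# file layout and every key other than MacAddress are constructed.

# Remove every line containing "MacAddress=" from the given config file.
# Prints the number of removed lines on stdout; diagnostics go to stderr.
strip_forced_macs() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 2; }

    # grep -c exits 1 when nothing matches, so neutralise that status.
    count=$(grep -cF 'MacAddress=' "$cfg" || true)
    if [ "$count" -eq 0 ]; then
        echo "nothing to remove in $cfg" >&2
        echo 0
        return 0
    fi

    # Keep a timestamped copy so the change can be rolled back.
    backup="$cfg.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$cfg" "$backup" || return 3
    grep -F 'MacAddress=' "$backup" | sed 's/^/removing: /' >&2

    # Filter into a temporary file, then overwrite in place so the
    # original file's owner and mode are preserved.
    tmp="$cfg.tmp.$$"
    grep -vF 'MacAddress=' "$backup" > "$tmp" || true
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
    echo "$count"
}

# Constructed sample standing in for /usr/Firewall/ConfigFiles/network.
make_sample() {
    cat > "$1" <<'EOF'
[ethernet0]
Name=out
MacAddress=00:50:56:aa:bb:01
Address=192.0.2.1
[ethernet1]
Name=in
MacAddress=00:50:56:aa:bb:02
Address=198.51.100.1
EOF
}

demo_dir=$(mktemp -d /tmp/sns-demo.XXXXXX)
make_sample "$demo_dir/network"
removed=$(strip_forced_macs "$demo_dir/network")
echo "removed $removed line(s); on the firewall, run ennetwork and then hasync"
rm -rf "$demo_dir"
```

On the firewall itself, the function would be called with /usr/Firewall/ConfigFiles/network as its argument, followed by ennetwork and hasync as described above.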