The Deployment Bunny

OS Deployment, Virtualization, Microsoft based Infrastructure…

  • Archives

  • Meta

Archive for the ‘Fabric’ Category

Nice to Know – HP FlexFabric 10GB 2-port 534FLB Adapter can cause network issues using NVGRE

Posted by Mikael Nystrom on February 5, 2015

Today I was working at a customer site, setting up a NVGRE Gateway in a Fabric domain. Install, configuration, all went nice and smooth until we should test and verify that the VM’s could access the network, found a miss configuration and then, hey it was working, well TCP was working but NOT UDP, wtf??? Some troubleshooting (Google and Bing and some cursing) and it seems to be some various obscure things, some hotfixes but then we found something that actually worked…

The issue: Encapsulated Task Offloading

I’m pretty sure that the idea behind it is all good, but of course as all “great” things, it does not work in this combination.

imageimage
Here you can se the setting that needs to be disabled and you can also see the driver version and date that was in place.

The Solution: Disable it!

But, if you disable it on every hyper-v host (not only the hosts running the NVGRE gateway), it starts working. At the time we could not find any other solution then to disable it.

In this case the customer (and you know how you are) was kind enough to let me post the script that was used to disable this “amazing” technology.

image

or here in plain text form

$Nics = Get-NetAdapterAdvancedProperty -DisplayName “Encapsulated Task Offload”

foreach($Nic in $Nics)
{
Set-NetAdapterEncapsulatedPacketTaskOffload -Name $Nics.Name -EncapsulatedPacketTaskOffloadEnabled:$false
}

/Mike

Posted in Fabric, Hyper-V, SCVMM, System Center Configuration Manager 2012 R2 | Tagged: , , | Leave a Comment »

Beyond Supported – Azure Site-2-Site VPN (with physical router) behind a NAT device

Posted by Mikael Nystrom on February 2, 2015

Last week at TechXAzure I did 3 sessions, during on of them we did some demos around Azure Site-2-Site VPN which is the fundamental connection to create a Hybrid solution. In production that is not really a complex task since the firewall that is used is directly connected to the Internet with a static IP, but that is usually not the case when you play around at home or in the LAB. Running behind a NAT:ed device is not supported, neither is running the solution on a dynamically assign IP, but it works…

So, the idea behind this guide is to give a fairly simple step-by-step guide to build a site-2-site VPN connection to the Azure IaaS service for you to play with at home or in a LAB, just remember, there is NO support for this at all!

The design

Looking at the picture you can see that we basically have two networks, one for the normal traffic and one more that is behind a second router. Behind that network we have access to Azure directly. For me this is perfect when playing around. The “normal network act as the workload network, that is where all normal traffic exists. The network behind the second router act as the fabric network, here is where my Private Cloud cloud is running. Note, this is just for LAB, Testing, Playing and such things. You should not use this for production since it is unsupported.

Hardware:

The Internet facing router is a Linksys EA6900

The Internal router between the normal network and internal Azure Site-2-Site router is a NETGEAR FVS318N

image

Create Networks in Azure

Logon to your Azure Account and create the Local network

image
Select Local Network.

image
Give it a name and type in your Internet facing IP.

image
Type in the IP address range your are going to use behind the second router.

Logon to your Azure Account and create the Virtual network

image
Select to create a Custom network

image
Give the network a name and assign it to a Azure location.

image
Type in the DNS servers you are going to have locally on your network and select Site-2-Site VPN. Note: If you also select Point-2-Site you cannot create a Virtual Router in Azure that supports IKEv1, the router I’m using does not support it, it only supports IKEv1 and there for I cannot have Point-2-Site VPN.

image
Add the IP address range and gateway range for your virtual network in Azure.

Create the Router

When the network has been created you need to create the Virtual Router

image
In the Azure portal, click on the Virtual Network “FabricAzure” You can either create a Static or a Dynamic router and you need to select the version based on the router/firewall you have locally. In my case I use a NetGear FVS318N and the features in that router requires my to configure the virtual router as a static router.

image

This takes time, have lunch or something

image
Finally its done.

Configure the Internet facing Router

imageimage
To allow traffic from the Virtual Router in Azure to correctly receive data you need to redirect traffic, the easy way to do this is to use the DMZ function in the Internet facing router. This way, all traffic from that IP will be redirected to the second router.

Configure the second router on your network (not the Internet facing)

image

In this case it is a NETGEAR FVS318N and the easy thing is to run the Wizard for VPN and then modify the settings, but before you do that, we need the PreShared Key and you can get that in the Azure Portal.

image
Modify the IKE Policy in the Second router.

image
Modfy the VPN Policy in the second router

image

Wait, check logs, wait, check logs and…

image

/Happy Routing…

Posted in Azure, Fabric, IaaS, Site-2-Site, VPN | Tagged: , , , | 1 Comment »