Strange (to me) problem

[tfk917]

I have something very funky is going on here. I must be missing something obvious but I cannot find it. I cannot seem to access systems across subnets from Linux boxes only. I'm testing from a Debian and a Ubuntu server.

Access from 172.16.0.x on 10.40.10.10 Windows – OK
Access from 172.16.0.x on 10.40.10.10 Linux – OK
Access from 10.10.10.x to 10.40.10.10 on Windows – OK
Access from 10.10.10.x on 10.40.10.10 Linux – Doesn't work

All of the network access/routing is being done on a Sonicwall NSA240, not that I think it matters here.

Thinking this through I know that there is route from 172.16.0.x since I have connectivity from both types of systems. I also have to accept that there is a route from 10.10.10.x from 10.40.10.x because windows systems can get there. The Linux systems simply will not make it.

I cleared the counters on the firewall and attempted a ping from the 10.10.10.x Linux box and saw transmit activity on the rule, but not receive. Which means the Linux box on 10.10.10.x is sending the packets. It seems that the systems on the 10.40.10.x network are either not receiving the request or aren’t responding.

Taking it a step further I know that the default gateway on the 10.10.10.1 network is forwarding requests because all systems can ping the gateway and hit the internet.

In this particular situation all of these systems are virtual hosted on a VMware ESXi 5.0 host.

I tried to provide as much information as I thought was relevant but if there more that will help please let me know.

[tfk917]

More information. On my target machine, 10.40.10.10 I did a TCPDUMP ICMP and sent the ping from my 10.10.10.x Linux system. 10.40.10.10 received and replied to the ICMP request, but its not making it back to the 10.10.10.x Linux system.

[manyrootsofallevil]

More information. On my target machine, 10.40.10.10 I did a TCPDUMP ICMP and sent the ping from my 10.10.10.x Linux system. 10.40.10.10 received and replied to the ICMP request, but its not making it back to the 10.10.10.x Linux system.

it might be helpful to trace a route rather than use ping.

[tfk917]

I have. It shows the last responding hop as the gateway. However due to TCPDUMP I know it's getting beyond that.

[cnamejj]

One question to clarify something that's bugging me... If all these systems are VM's on the same VMware ESXi 5.0 host, how is the firewall device even seeing the packets? Are you routing packet in/out of the VMware host through an external firewall device?

[tfk917]

Same host stack, different networking. The network isolation requirements are mandated by a project constraint. Essentially the servers have dedicated NICs going to two physical switch stacks.