Friday, April 18, 2014

Windows 2003 IPSec error blocks all traffic

This happened to one of our windows 2003 VMs this week - it was patched and rebooted and came up with no network traffic being passed.

The team first looked to revert to the previous known good state - the central storage snapshots.
But as it turns out these restored snapshots also came up with no network being passed.

I removed the old VM network adapter (AMD) and replaced it with the newer Intel, updated the vmwaretools, several reboots in between, all to no effect (the adapter was up and "connected") but not passing any traffic - could not ping the default gateway.

Finally found a post leading us to check the System Event logs

And finding a VMware KB article confirming the resolution:

Disable the Windows 2003 IPSec service and reboot - voila, traffic now unblocked!

Hope this saves other folks some time to resolution!

Tuesday, April 8, 2014

ESXi 5.5 vulnerable to OpenSSL Heartbleed bug - 4/19 Patch Released

Today the existence of a serious bug in OpenSSL was revealed which allows an attacker to read the memory of your system including usernames, passwords, keys etc.

More information here:

This site will check a URL for the vulnerability: 

This command line tool also checks for the vulnerability- its a python script you can use inside your firewalled zones.

Our ESXi 5.5 build 1331820 servers have the vulnerability.
And fully patched ESXi 5.5  build 1623387 (as of 4/8) shows the vulnerability as well.
I've posted in the vmware forums asking about the ETA of a patch to fix this in our VI.

Update 4/9: VMWare has supplied a KB of products affected 

Update 4/19 - Patch Released:

Note: VMWare recommends updating vCenter before ESXi

VMware KB: Resolving OpenSSL Heartbleed for ESXi 5.5 - CVE-2014-0160

Confirmed the vulnerability is removed by this patch - folks should also cycle keys and update passwords

cd /etc/vmware/ssl
chmod +t rui.crt
chmod +t rui.key
passwd root