Proxmox 8 breaks nested ESXi vmxnet3 connectivity

[virtiocom]

Hi,

I had ESXi VMs on proxmox 7 working fine, but after upgrade to proxmox 8, the vmxnet3 vnics perform DHCP but I'm unable to ping them.

I tried to boot with 5.15.131-2 kernel but no difference.

Happened to anybody else?

Best regards.

 

[steveheart]

Hi @virtiocom,
I have a similar issue after upgrading from 8.0.4 to 8.1. See here.

Don't have DHCP in use, but something changed, but I couldn't find out what exactly.

 

[horcy]

I have the same issue: I can ping from external connections, but other hosts within the same Proxmox environment cannot be pinged. Additionally, there seem to be various connectivity anomalies both internally and externally.

 

[Casulo]

Any solution for this?

 

[LnxBil]

Can you try to explain what the problems actually are? What is pinged from where and things like that.

We use VMware ESXi 8 in PVE 8.2.7 with vmxnet3 without any network problems. It just works like previous versions of VMware ESXi worked.

 

[Casulo]

Can you try to explain what the problems actually are? What is pinged from where and things like that.

We use VMware ESXi 8 in PVE 8.2.7 with vmxnet3 without any network problems. It just works like previous versions of VMware ESXi worked.

Sure.

Proxmox 8.2.9 with these guests:
Debian12
esxi

esxi version is 7.0U3n-21930508.

Debian12 > esxi (vmxnet3) = No ping, ssh or web in to it, just no access whatsoever. However it can access VMs on the esxi just fine.
Other machines outside that proxmox > esxi1 (vmxnet3) = everything works without problems. Including accessing VMs on that esxi.

I have tried turning on/off promiscuous mode, forged transmits and MAC changes. Same result.
Now here is the witchery.

Debian12 > esxi (e1000e) = Everything works. Sending speed could be faster tough.

Debian12 > Some VM inside esxi (e1000e) = Can ping it, but stuff like ssh, curl and openssl is very strange:

root@debian /root $ ssh 192.168.0.222
kex_exchange_identification: banner line contains invalid characters
banner exchange: Connection to 192.168.0.222 port 22: invalid format
root@debian /root $

root@debian /root $ curl -k https://192.168.0.222/api
curl: (35) OpenSSL/3.0.15: error:0A00010B:SSL routines::wrong version number
root@debian /root $

Actually i troubleshooted these commands for hours thinking it was some openssl/python module issue. Till i tried from another machine. Doing the same commands on a machine outside proxmox, works fine. Strange isn't it? No VLANs, no firewall active.

Oh, i think i installed some intel vib on the esxi iso in order to have more intel cards working.

My conclusion, something definitely funky going on with the vmxnet3 and e1000e virtual nics.

 

[LnxBil]

root@debian /root $ ssh 192.168.0.222
kex_exchange_identification: banner line contains invalid characters
banner exchange: Connection to 192.168.0.222 port 22: invalid format

That sounds very intereresting. Have you checked what is the actual output of the banner is? e.g.via telnet or tcpdump/wireshark?

Besides that, I have no clue what could be wrong there besides having some strange PVE firewall glitch. Is the firewall completly disabled in PVE or just not activated on the PVE and the guest trying to access?

 

[Casulo]

Firewall is disabled. This does not happen with e1000e. Even with some ansible modules, that use some kind of ssl, this will happen, always some error.

Also, the rest of my network, will have some funky behaviour. I have checked verbose from ssh and curl, tcpdump as well. There is bidirectional communication. Interesting indeed. I guess the only way to avoid all of this is to get a usb net adapter and map it to esxi, with the usb nic vib fling loaded of course.