ESXi access from VMKernel network different from Management one
Through a series of coincidences, and after several tests, I realized that in vSphere 6.x (and I would say also in 5.x) there is a curious case of services reachable through a back door without anyone having enabled them. In my case, when a client starts an SSH or management connection to the ESXi host's Management VMkernel interface, and the client sits on the same IP network as another VMkernel port group (VMotion or FT, but not of Management type), the ESXi VMkernel tries to reply from that other interface. The result is that no connection can be established, because the first one remains in RCVD status.
So every VMkernel port group created in the default TCP/IP stack of the ESXi host "magically" becomes a management interface: it answers SSH (if the service is started and the firewall is open), TCP 902 for management, PowerCLI access and so on.
Beyond these unsafe and unwanted access paths for whoever administers the host, there is a further danger: the VMkernel starts doing a form of asymmetric routing when it is in the condition shown in the figure:
The only way to stop this access through the other VMkernel port groups is to place the VMotion and FT VMkernel interfaces in the VMotion TCP/IP stack.
- ESXi management network: 192.168.195.114 on vSwitch0 with dedicated vmnic0
- VMotion network: 192.168.208.155 on vSwitch1 with dedicated vmnic1
SIM SALA BIM!
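The behaviour above can be checked from the host's own inventory before anyone has to discover it by accident. The following audit script is an added example, not part of the original post or of any VMware tool: it parses constructed sample text in the shape of `esxcli network ip interface list` and `esxcli network ip interface ipv4 get`, takes the service tags as reported by `esxcli network ip interface tag get`, and then (a) lists every vmk in `defaultTcpipStack` that is not tagged Management, since management services can answer on those addresses, and (b) models which vmk the host would use to reply to a given client, reproducing the asymmetric-reply case from the figure. The tag names `VMotion`, `faultToleranceLogging` and `Management`, the netstack name `vmotion`, and the exact column layout of the sample tables are assumptions about the esxcli output format.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the shape of `esxcli network ip interface list`
# (addresses match the figure in the post; only Portgroup and Netstack
# Instance are used, the other keys just exercise the parser).
SAMPLE_IFACE_LIST = """\
vmk0
   Name: vmk0
   MAC Address: 00:50:56:6c:aa:01
   Enabled: true
   Portset: vSwitch0
   Portgroup: Management Network
   Netstack Instance: defaultTcpipStack
   MTU: 1500

vmk1
   Name: vmk1
   MAC Address: 00:50:56:6c:aa:02
   Enabled: true
   Portset: vSwitch1
   Portgroup: VMotion
   Netstack Instance: defaultTcpipStack
   MTU: 9000
"""

# Constructed sample in the shape of `esxcli network ip interface ipv4 get`.
SAMPLE_IPV4 = """\
Name  IPv4 Address     IPv4 Netmask   IPv4 Broadcast   Address Type  Gateway        DHCP DNS
----  ---------------  -------------  ---------------  ------------  -------------  --------
vmk0  192.168.195.114  255.255.255.0  192.168.195.255  STATIC        192.168.195.1  false
vmk1  192.168.208.155  255.255.255.0  192.168.208.255  STATIC        0.0.0.0        false
"""

# Constructed: service tags as `esxcli network ip interface tag get -i vmkN` reports them (assumed names).
SAMPLE_TAGS = {"vmk0": {"Management"}, "vmk1": {"VMotion"}}


@dataclass
class Vmk:
    name: str
    portgroup: str = ""
    netstack: str = ""
    addr: Optional[ipaddress.IPv4Interface] = None
    gateway: Optional[ipaddress.IPv4Address] = None
    tags: set = field(default_factory=set)


def parse_interface_list(text):
    """Turn the per-vmk 'Key: value' blocks into Vmk objects keyed by name."""
    vmks, current = {}, None
    for line in text.splitlines():
        if not line.startswith(" ") and re.fullmatch(r"vmk\d+", line.strip()):
            current = vmks.setdefault(line.strip(), Vmk(line.strip()))
        elif current and ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            if key == "Portgroup":
                current.portgroup = value
            elif key == "Netstack Instance":
                current.netstack = value
    return vmks


def parse_ipv4_table(text, vmks):
    """Attach address, netmask and gateway from the tabular ipv4 output."""
    for line in text.splitlines()[2:]:  # skip the header and the ---- rule
        cols = line.split()
        if len(cols) < 6 or cols[0] not in vmks:
            continue
        v = vmks[cols[0]]
        v.addr = ipaddress.IPv4Interface(f"{cols[1]}/{cols[2]}")
        gw = ipaddress.IPv4Address(cols[5])
        v.gateway = None if gw.is_unspecified else gw
    return vmks


def exposed_interfaces(vmks):
    """vmks in the default stack that are not tagged Management: the host's
    management services (SSH, TCP 902, API) can still answer on these."""
    return sorted(n for n, v in vmks.items()
                  if v.netstack == "defaultTcpipStack" and "Management" not in v.tags)


def reply_interface(vmks, client_ip):
    """Default-stack vmk the host picks to answer a client: the one whose subnet
    contains the client (longest prefix wins), otherwise the one with a gateway."""
    client = ipaddress.IPv4Address(client_ip)
    stack = [v for v in vmks.values() if v.netstack == "defaultTcpipStack" and v.addr]
    direct = [v for v in stack if client in v.addr.network]
    if direct:
        return max(direct, key=lambda v: v.addr.network.prefixlen).name
    routed = [v for v in stack if v.gateway]
    return routed[0].name if routed else None


def load_sample():
    vmks = parse_ipv4_table(SAMPLE_IPV4, parse_interface_list(SAMPLE_IFACE_LIST))
    for name, tags in SAMPLE_TAGS.items():
        vmks[name].tags |= tags
    return vmks


def remediated(vmks):
    """Model the fix from the post: VMotion/FT vmks moved onto the vmotion netstack."""
    fixed = {n: Vmk(**vars(v)) for n, v in vmks.items()}
    for v in fixed.values():
        if v.tags & {"VMotion", "faultToleranceLogging"}:
            v.netstack = "vmotion"
    return fixed


if __name__ == "__main__":
    before = load_sample()
    print("exposed:", exposed_interfaces(before))  # ['vmk1']
    print("reply to 192.168.208.10 via", reply_interface(before, "192.168.208.10"))  # vmk1
    after = remediated(before)
    print("exposed after fix:", exposed_interfaces(after))  # []
    print("reply to 192.168.208.10 via", reply_interface(after, "192.168.208.10"))  # vmk0
```

On a real host, paste the three esxcli outputs in place of the constructed samples; a non-empty `exposed_interfaces()` result is the condition the post describes, and `reply_interface()` shows why a client on the VMotion subnet sees its handshake stall on the Management address.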
But what about vSphere Replication?
The same issue occurs on the Replication network, where management has not been enabled.
Davide Sitta
Solution Architect & Technical Account Manager
@-mail: d.sitta@lutech.it
Please recycle in case of obsolescence