Guide on troubleshooting vSAN witness communication.

This is a very short blog post on a really good way I found to troubleshoot vSAN witness network issues (firewalls, basically!):

First, SSH onto the witness appliance and run the following command (note: vmk1 was the vSAN interface on mine; you might have this on vmk0):

tcpdump-uw -i vmk1

Next, SSH onto an ESXi host that you're expecting to communicate with that witness appliance and run the following command (vmk5 here is the host's witness traffic interface):

tcpdump-uw -i vmk5 | grep ***IP Address of the witness***

This is a screenshot of me running the two commands; left is the ESXi host, right is the witness (this is the best way to run the two commands).

It's hard to see from the screenshots above as I've had to blank IP information out; however, for me it was very easy to see the vSAN UDP traffic going out of vmk1 on the witness, then arriving on the vmk5 (witness traffic separation) interface!

At first that wasn't working; showing the firewall team this output in this way demonstrated to them that they'd missed a rule in one direction, so the traffic was being dropped by the firewall. You could clearly see it being sent but never received.
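The two-sided comparison described above, as an added example that is not from the original post: it takes a capture from each end (constructed sample lines here, with assumed addresses 10.10.1.21 for the host's vmk5 and 10.10.9.5 for the witness's vmk1) and reports, per direction, whether packets one side sent were ever seen at the other, which is the "sent but never received" signature of a missing firewall rule in one direction.

```shell
#!/bin/sh
# Added example, not from the original post: compare a tcpdump-uw capture taken
# on the ESXi host with one taken on the witness, and report, per direction,
# whether packets the sender emitted were ever seen by the receiver.
# Assumed/constructed addresses: ESXi vmk5 = 10.10.1.21, witness vmk1 = 10.10.9.5.
HOST_IP=10.10.1.21
WITNESS_IP=10.10.9.5
# vSAN's well-known ports: 2233/tcp (RDT data) and 12321/udp (cluster/unicast agent).
VSAN_PORTS='2233|12321'

# Constructed sample captures in tcpdump's default line format, e.g. the output of
#   tcpdump-uw -i vmk5 -nn host 10.10.9.5     (run on the host)
#   tcpdump-uw -i vmk1 -nn host 10.10.1.21    (run on the witness)
HOST_CAPTURE='12:00:01.000001 IP 10.10.1.21.12321 > 10.10.9.5.12321: UDP, length 68
12:00:01.000002 IP 10.10.1.21.55102 > 10.10.9.5.2233: Flags [S], seq 1, win 65535, length 0
12:00:01.000003 IP 10.10.9.5.12321 > 10.10.1.21.12321: UDP, length 68'
WITNESS_CAPTURE='12:00:01.000004 IP 10.10.9.5.12321 > 10.10.1.21.12321: UDP, length 68
12:00:02.000001 IP 10.10.9.5.12321 > 10.10.1.21.12321: UDP, length 68'

# escape_dots ADDR: make an IP literal safe to use inside an extended regex
escape_dots() { printf '%s' "$1" | sed 's/\./\\./g'; }

# count_packets CAPTURE SRC DST: number of vSAN-port packets SRC sent to DST
count_packets() {
  src=$(escape_dots "$2"); dst=$(escape_dots "$3")
  printf '%s\n' "$1" \
    | grep -E "IP $src\.[0-9]+ > $dst\.[0-9]+:" \
    | grep -Ec "\.($VSAN_PORTS)( >|:)" || true
}

# check_direction SENDER_CAPTURE RECEIVER_CAPTURE SRC DST
# -> "ok" (seen at both ends), "dropped" (sent but never received), "no-traffic"
check_direction() {
  sent=$(count_packets "$1" "$3" "$4")
  seen=$(count_packets "$2" "$3" "$4")
  if [ "$sent" -eq 0 ]; then echo no-traffic
  elif [ "$seen" -eq 0 ]; then echo dropped
  else echo ok
  fi
}

echo "host -> witness: $(check_direction "$HOST_CAPTURE" "$WITNESS_CAPTURE" "$HOST_IP" "$WITNESS_IP")"
echo "witness -> host: $(check_direction "$WITNESS_CAPTURE" "$HOST_CAPTURE" "$WITNESS_IP" "$HOST_IP")"
```

With the sample captures the host-to-witness direction reports "dropped" while witness-to-host reports "ok", i.e. the one-way rule gap the post describes.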
