Hyper-V Setup won't work on another host

[Wizard]

I've setup 2 different VPN Servers in 2 different environments. Seems the way I do that doesn't work when you move that VM to another host afterwards. I create a VM, give it 2 network adapters. 1 for LAN, MAC spoofing enabled, connected to a Virtual SET Switch on the Host, another for VPN, MAC spoofing enabled, conected to a Virtual Private Switch (meaning, can only communicate with other VMs on that host). in SoftEther, I setup 2 Hubs, 1 LANBridge, local bridged to LAN adapter, 1 VPN, local bridged to VPN adapter. I run DHCP binded only to VPN adapter.
DHCP is serving 10.241.0.1-10.241.0.200, no gateway, no dns, push route 192.168.30.0/255.255.255.0/10.241.0.254.
LAN has 192.168.30.239, VPN has no IP, nothing binded to it except softether lightweight Network Protocol.
Any client connects to hub VPN, gets an IP from DHCP, eg. 10.241.0.1, no gateway, no DNS, but gets a route pushed 192.168.30.0/24->10.241.0.254
In SoftEther, got a L3 Router, with 192.168.30.253/24 bridged to LANBridge, 10.241.0.254/24 bridged to VPN. Servers I want accessible from VPN get static route 10.241.0.0/24->192.168.30.253.
This really works perfectly like a charm. I've got a similar setup but then clustered, 2x VPN members similar to above, 1x Controller only with L3 Router. That too works perfectly.
Sadly though everything breaks as soon as I move this VM (or one of the clustered VMs) to another host. Even though that other host also have exact same Virtual SET Switch, including the Private Switch. This doesn't matter whether I move the VM, create a Replica and do a failover, or just Live migrate the VM. Result is a none functional VPN Server. I notice that the LAN-side of L3Router becomes unavailable in the network, eg. I can ping 192.168.30.253 only from the VM itself or from the host hosting the VM, but not from anywhere else. I take it if MAC Spoofing was not enabled on the NICs from the replica, this would be the result, but MAC spoofing is enabled. Even the physical switch the hosts are connected to gets the LANSide L3Router IP 192.168.30.253's MAC updated pointing to the new switch port from the now new host hosting the VM (after failover/move/migrate). THis suggests MAC spoofing is working. Nevertheless, because the IP is nog available on the network, ofcourse the entire VPN doesn't work anymore since no return traffic gets routed back to VPN.

Weird thing is now, afeter move/migrate/failover:
I try to figure out what's causing this, but literally nothing works/helps:
Break down all Local bridges, removing the VM's NICs, replacing them with new, building local bridges back, doesn't help.
Break down L3 Router, creating a new one, doesn't help.
Break down entire config, local bridges, L3 Router, both Hubs, creating everything new. Doesn't help. Problem remains.
Move the VM back to original host, everything works again, no problem.
To me, this means the problem is external to the VM/SoftEther, but I can't figure out what. Moreover because even the physcial switch gets MAC-table updated after the failover/move/migrate...

In short, local bridging seems to somehow break if a Hyper-V VM and you move that VM to another host somehow ?

[solo]

The Following are the instructions for configuring Microsoft Hyper-V machines to use a static MAC
address. By following this procedure many software applications will not expire when virtual
machines are moved from one physical host to another.

https://solution-soft.com/sites/default ... ddress.pdf

[Wizard]

Hi Solo,

I tried using Static MAC on the VMs, next to MAC spoofing, but didn't help. I'll try again to make sure...

[Wizard]

Nope, Static Mac on the NICs doesn't help this...
As soon as I run the VM from any other Server than the original where I created it, this part "with 192.168.30.253/24 bridged to LANBridge" from the config above stops working... A physical switch gets the updated MAC in its MAC table, pointing to switchport which has the Hyper-V server connected which is running the VM after failover... So it looks like it should work, but a ping to 192.168.30.253 simply doesn't anywhere in the network, except on the Hyper-V Server which is now hosting the VM (and in the VM itself ofcourse)...
Breaking down anything of this setup and rebuiding it doesn't change anything. What can then be going on ?
The effect is like MAC Spoofing doesn't work for the NIC connected to LANBridge. Turning that off and back on trying to "reset" it doesn't help either.
Is this a known thing, perhaps a Hyper-V bug that's going on here which is why this is not working ?
Haiving a "cluster" setup with SoftEther, relying on the clustering of it's parent for redundancy is useless if this doesn't work from any other Host in the MS Failover-cluster...

[solo]

On your original and working VM do disable MAC Address Spoofing (yes, you read it right), reboot and then copy it to the new host. Now enable MAC Address Spoofing there.

?

[Wizard]

Hi Solo,

No difference:
- ping 192.168.30.253 works from some server outside the Hyper-V host on the network
- Disable MAC spoofing, ofcourse, ping then immediately fails
- Reboot SoftEther Server, no change (ofcourse)
- Shutdown SoftEther, Failover to Replica (which has MAC spoofing disabled)
- Starting Replica SoftEther VM, ping still does not work
- Enabling MAC Spoofing on Replica VM NICs, ping still doesn't work
- Rebooting Server to -retry ping, no change, ping doesn't work
- Shutdown Replica, Failover back to original VM
- Ping doesn't work
- Re-enable MAC Spoofing: ping works immediately

PS: I said I had 2 setups, the other being a cluster. Testing there gives the same result, pinging the 192.168.0.40 (LANBridge-side of L3 Router) works until I move the VM, either Live move or shutdown and restart on another host, it's all the same, the only workable situation seems to be from the original host. Static MACs or not don't make a difference.
I think it might have to do with the 2nd Hyper-V Switch which is Host-only, but that was actually done by design for a reason. Even though that is the "other side", the "VPN side", not the "LAN"-Side... Still, it might be the problem so I'm gonna do some tests with a new default setup, not as "complicated" as these ones (being 2 hubs with L3 in between for seperation/split tunneling)...

[Wizard]

This is just weird...

I've started from scratch, with the simplest:
- One Host Hyper-V 2019, has 1 SET Switch
- 1 VM, installed SoftEther, vNIC MAC Spoofing, Static MAC
- Configured SoftEther: 1 Hub, 1 User, Nothing else, 1 Local Bridge to LAN NIC

Result from Client:
- Works, I get IP from Firewall-DHCP, and I can ping/connect anything in LAN
- Disconnect

Created a Hyper-V Replica from this VM to another physical Host, Hyper-V 2019, has 1 SET Switch, and then Failed over the VM
So now, it runs on different Host with same Static MAC, MAC Spoofing enabled

Result from Client:
- Seems to work, I get IP from DHCP, but I cannot ping or connect anything in the network <- note now I do get an IP, the same IP as beginning

On Client, I create a new VPN Adapter (so, client now has different MAC), then Connect

Result from Client:
- Does not work, don't get any IP, cannot ping/connect anything. Firewall did receive the DHCP request and send an offer back. Physical switch also got it's Mac table updated to correct switchport for correct Host where VM is at. So seems the underlying Hyper-V SET Switch on new Host is not co-operating here. I can verify that MAC Spoofing works on the vNIC because DHCP request gets sent to firewall, firewall sends offer back, but that just never arrives back in the VM... Disabling MAC Spoofing, then Client Connect and no DHCP request arrives at firewall.

in VM:
- Replaced Local Bridge, doesn't help
- Replaced NIC from VM (so, new different MAC, MAC Spoofing still enabled, and now then this new MAC static for the VM), doesn't help
- Removed entire softEther, re-installed, reconfigured the same as beginning, doesn't work

Just whatever I try, can't get this simple thing to work from one VM running on one or another Host...
Either this is a bug in SoftEther, or a bug in Hyper-V 2019 or I'm just missing some fundamental networking understanding ?

[Wizard]

Also, arp-tables on firewall, switch, host, vm update correctly, the only thing where I can't see arp-table is on the Virtual Hyper-V SET Switch...
I have a powershell-script to check duplicate MACs on everything in the network, hosts, VMs, and there's garanteed no duplicate MAC anywhere...
Static MAC or not isn't the problem either because, even the MAC changes when you turn off the VM and then failvoer, or move it, then turn back on, things stop working. Compare with leaving the VM on and running, just live migrating it between hosts, which means it keeps the same MACs in use, no difference, things stop working after migrate is complete...

I really need this to work to be able to provide some form of redundancy if the VM (SoftEther Cluster) or Host (Hyper-V Failover Clustering) fails. Question for me now, can and should this work or should I try a different Hypervisor since it doesn't seem to work with Hyper-V ?

[Wizard]

It looks like I found the issue:
Eventlog reports this when you "reset" the Hyper-V Virtual Switch:

Port D6E48A29-9B85-4937-AB73-9451A4DFB6F7 (Friendly Name: Dynamic Ethernet Switch Port) has MAC address spoofing enabled. This is not supported on the associated switch BE3F9680-F1EB-47AF-929D-3C5E96786524 (Friendly Name: vSwitch) because IOV is enabled. Traffic with a spoofed MAC address will not function properly.

So, creating a Virtual Switch with parameter EnableIOV $true creates a switch that is SRIOV Capable. While that's great in itself, it seems you then cannot have MAC Spoofing support...

Will test and report here to see if this turns out to be the issue or not...

[solo]

Please post as code from the second (backup) VM host (not from VM itself).

Code: Select all

ipconfig /all
arp -a
PS> Get-NetAdapter | Format-List -Property ifAlias,InterfaceDescription,PromiscuousMode

[Wizard]

Hi Solo,

As I posted here above, most of my Hosts are having Virtual Switches with IOV enabled, but exacly the one I created the VM on didn't, so the that might actually still be the cause. I will do my re-tests on servers with VMSwitches without IOV to see if the VM then can successfully roam between them without things breaking... To answer your request:
This is from second host (backup host). LAN is 192.168.30.0/24, IP from my remote softether-client is 192.168.30.123, which you can see in the arp -a because pinging that IP from this host works (back into the VM over softether software to my cremote client)...
Pinging that IP from any other remote host doesn't work however, even though MAC table in the physical switch connecting both hosts is showing correct ( -> port 1, which is connected to pLAN1 down here which is part of a vSwitch "vLAN (vSwitch)" which has IOV Enabled...
I'll post again when I found the time to replicate/test and re-test without IOV enabled. Thanx

PS C:\> ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : CC01
Primary Dns Suffix . . . . . . . : enter.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : enter.local

Ethernet adapter vSMB (vSMBSwitch):

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
Physical Address. . . . . . . . . : 00-15-5D-1E-51-12
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::29b9:4f8e:8c2a:419b%3(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.5.11(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 50337117
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-26-DB-52-34-E0-3F-49-D6-22-3F
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter vLAN (vSwitch):

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
Physical Address. . . . . . . . . : 00-15-5D-1E-51-09
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5bea:74a3:51bf:a8b%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.30.11(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.30.254
DHCPv6 IAID . . . . . . . . . . . : 218109277
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-26-DB-52-34-E0-3F-49-D6-22-3F
DNS Servers . . . . . . . . . . . : 192.168.30.1
192.168.30.2
NetBIOS over Tcpip. . . . . . . . : Disabled
PS C:\> arp -a

Interface: 192.168.5.11 --- 0x3
Internet Address Physical Address Type
192.168.5.2 00-15-5d-d2-94-08 dynamic
192.168.5.12 00-15-5d-d2-94-05 dynamic
224.0.0.2 01-00-5e-00-00-02 static
224.0.0.7 01-00-5e-00-00-07 static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.113 01-00-5e-00-00-71 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
224.0.1.75 01-00-5e-00-01-4b static
229.111.112.12 01-00-5e-6f-70-0c static
239.254.127.63 01-00-5e-7e-7f-3f static
239.255.102.18 01-00-5e-7f-66-12 static
239.255.255.250 01-00-5e-7f-ff-fa static
239.255.255.253 01-00-5e-7f-ff-fd static
239.255.255.255 01-00-5e-7f-ff-ff static

Interface: 192.168.30.11 --- 0xd
Internet Address Physical Address Type
172.31.51.34 00-ae-32-21-ac-3d dynamic
172.31.179.222 00-ae-b2-dd-53-a2 dynamic
192.168.30.1 00-15-5d-1e-56-24 dynamic
192.168.30.2 00-15-5d-d2-94-06 dynamic
192.168.30.3 00-15-5d-1e-56-02 dynamic
192.168.30.40 00-15-5d-1e-56-25 dynamic
192.168.30.75 12-44-34-4e-6f-c6 dynamic
192.168.30.85 0e-25-67-15-59-41 dynamic
192.168.30.87 76-a5-b7-8a-ec-c1 dynamic
192.168.30.123 5e-60-4a-d8-6f-b0 dynamic
192.168.30.189 0c-c4-7a-39-38-be dynamic
192.168.30.245 00-15-5d-1e-56-1f dynamic
192.168.30.254 ac-71-2e-f6-1a-07 dynamic
224.0.0.2 01-00-5e-00-00-02 static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.113 01-00-5e-00-00-71 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
229.111.112.12 01-00-5e-6f-70-0c static
239.254.127.63 01-00-5e-7e-7f-3f static
239.255.255.250 01-00-5e-7f-ff-fa static
PS C:\> Get-NetAdapter | Format-List -Property ifAlias,InterfaceDescription,PromiscuousMode


ifAlias : pSMB2
InterfaceDescription : Mellanox ConnectX-3 Pro Ethernet Adapter
PromiscuousMode : False

ifAlias : vLAN (vSwitch)
InterfaceDescription : Hyper-V Virtual Ethernet Adapter
PromiscuousMode : True

ifAlias : pCG2
InterfaceDescription : Intel(R) I350 Gigabit Network Connection #3
PromiscuousMode : True

ifAlias : pSMB1
InterfaceDescription : Mellanox ConnectX-3 Pro Ethernet Adapter #2
PromiscuousMode : False

ifAlias : pLAN2
InterfaceDescription : Intel(R) I350 Gigabit Network Connection #2
PromiscuousMode : False

ifAlias : pLAN1
InterfaceDescription : Intel(R) I350 Gigabit Network Connection
PromiscuousMode : False

ifAlias : pCG01
InterfaceDescription : Intel(R) I350 Gigabit Network Connection #4
PromiscuousMode : True

ifAlias : vSMB (vSMBSwitch)
InterfaceDescription : Hyper-V Virtual Ethernet Adapter #2
PromiscuousMode : True

[solo]

I'll post again when I found the time to replicate/test and re-test without Promiscuous enabled. Thanx

Promiscuous mode is essential. It seems that if you remove both Mellanox ConnectX-3 and Intel(R) I350, and test it out on the NIC from original host, the problem will go away.

[Wizard]

Hi Solo,

Yes, I understand, and that's why it doesn't work because the Virtual Switch has IOV enabled which doesn't support MAC Spoofing as pointed out in the Event from Eventlog I posted...

I've now tested it between 2 hosts which have a Virtual Switch WITHOUT IOV enabled, and it works. Client VPN connected, I can connect anything in LAN, I leave Client connected, just stop the VM, failover to other Host, start the VM, and Client simply reconnects and everything still works...

This was a real PITA to troubleshoot, but at least now we know, Hyper-V Virtual Switches supporting SRIOV can't do MAC Spoofing, which therefore can be an issue from WIndows Server 2016, where they introduced SET Switches. Since an "old fashioned" LBFO-Team is completely software-based, that might work aswell, even with SRIOV Enabled, but don't know as I haven't tested that, but might be a workaround for people which have SRIOV as a requirement in their environment.

Thankx for the assist