Topic: some hosts can't access the internet nor the gateway which is my Zentyal server

gopher49

Is there a license/connection limit to Zentyal Community version? The last two hosts added to my network can't access the internet nor can they ping the Zentyal inside interface. They are able to talk to other hosts on other VLANs that Zentyal is doing the inter-VLAN routing for.. but... These two most recently added hosts cannot access the internet nor ping Zentyal.

My config works like such...  I have 4 x virtual interfaces.  3 are tagged for their respective VLAN and the other is default VLAN.  I have 1 x outside interface that I use my public IPs... 

Why is it that my two most recent hosts cannot access the internet nor ping Zentyal?
« Last Edit: November 14, 2013, 11:31:55 pm by gopher49 »

christian

Quote: Why is it that my most two recent hosts cannot access the internet nor ping Zentyal?

It would be interesting if you added here the input you gave in your Asterisk-related post, in which you explain that if you stop some hosts then these new hosts can connect.

Either there is something really wrong somewhere or I'm going to definitely learn something interesting. Let me explain:
- I don't know what "stopping" a host would mean. DHCP is not based on sessions. Are you facing a limitation in terms of the number of leases because your range is too small? Perhaps, but if not, then once you have a valid IP for your workstation, I can figure out what could prevent this workstation from pinging its default gateway as if some licence limit was preventing it.

Thus, in order to progress on this, I suggest you tell us a bit more about your infrastructure. How many devices? What is the addressing plan? DHCP? Are you facing the same issue with fixed IPs? Well, anything that could help to better understand what this landscape is made of.

half_life

This looks like the best place to continue. Christian, you are prime. I will kick in if we have to work on Asterisk after this is solved.

gopher49

Okay.. Here's where I am with this... The Elastix/Asterisk install now works for I moved it in front of Zentyal. Its NIC is plugged directly into the router. So, Zentyal was causing the inbound call issue with my Asterisk box. The exact error my carrier saw was a 408. The FreePBX agent was giving them a 408 unauthorized error when sending me calls. Now that I moved it in front of the Zentyal (directly into the router) it works. A firewall blocking traffic would not result in a 408 from a FreePBX agent. Also, my rules were correct. So.. Either Zentyal's SIP server was sending the 408 or my server was.. But.. When at the console of my server while the 408 was being issued to the carrier, the Asterisk console didn't show any inbound request. It showed no transactions at all. I was running it via verbose mode 'asterisk -vvvvvvvr'. So.. Is it possible that Zentyal's SIP server was sending the 408 even though the module is not installed? I looked for running processes but didn't see anything. I have limited knowledge of Linux, so what command should I run to see if Zentyal's SIP server is actually running in memory?

Now,

In regards to hosts not being able to access the internet... The 3 most recent hosts added to my network were being blocked access to the internet. This is why I thought it was a license issue. I could ping other hosts within its VLAN. And.. Hosts on other VLANs.. But... I could not ping the inside interface of Zentyal nor could I browse the internet. Once I powered off a few hosts I was able to power on others and they could connect. This also made me think it was a license issue for once hosts were off of the network (powered down and xlates/ARP cleared) the other hosts could then access the internet. So, basically I powered down 2 x VMs and I was then able to power on and connect the laptop that previously was not getting internet access. This also stands true for the other VM that had issues accessing the internet. Below is my config.

I have an Adtran router issued from the carrier with 5 useable IPs. One is assigned to the Zentyal as an outside interface. Two were assigned as virtual interfaces. The other 2 were assigned directly to devices and skipped the Zentyal. They plug directly into the Adtran.

Now,

I have 4 x inside interfaces. 1 x is on the default VLAN. The other three are tagged for VLAN traffic. I use a third party DHCP server to issue IPs to all VLANs.

Now,

Each interface managed by Zentyal is connected to an ESXi vswitch.  The port used for the tagged inside interfaces is using a tagged vswitch port.  The other inside interface used for the default VLAN is plugged into an untagged vswitch port.   
« Last Edit: November 15, 2013, 03:06:25 am by gopher49 »

half_life

SIP 408 is not issued as a response. It is not "Unauthorized", it is a "Timeout -- Couldn't find the user in time". Still sounds network related.

To clear the details up a little more, the Zentyal server is virtualized under ESXi and via a vswitch you are doing 3 tagged and 1 untagged VLANs? Can I assume that the Asterisk system is on one of the tagged VLANs?

Let's start over. First, let's shut down any running copy of Asterisk that might be on your Zentyal server. From a command prompt on the Zentyal server type:
Code:
sudo /etc/init.d/asterisk stop
sudo /etc/init.d/asterisk status

If all went well the second command should come back telling you that asterisk is not running. Now you absolutely can rule out another asterisk instance somehow being the culprit.

Next we need to run through all the networks and check basic connectivity.  I will let Christian jump in here.  Christian . . . 
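
[Added example, not part of the original posts.] The question earlier in the thread, whether anything on the Zentyal server is actually running as a SIP server, can also be checked at the socket level, independently of the init script status. The sketch below assumes the iproute2 `ss` tool is available and that SIP uses the default ports 5060/5061; the sample output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: list sockets bound to the default SIP ports (5060/5061).
# Reads `ss -lntup` output on stdin; prints "<proto> <local addr> <process>".
sip_listeners() {
    awk '
        $1 == "Netid" { next }              # skip the header row
        NF >= 5 {
            n = split($5, part, ":")        # local address is column 5
            port = part[n]                  # last piece, so [::]:5060 works too
            if (port == "5060" || port == "5061") {
                proc = "unknown"            # owner is only shown when ss runs as root
                if (match($0, /users:\(\("[^"]+"/))
                    proc = substr($0, RSTART + 9, RLENGTH - 10)
                print $1, $5, proc
            }
        }'
}

# Constructed sample of `ss -lntup` output (not captured from a real host).
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:5060       0.0.0.0:*         users:(("asterisk",pid=1234,fd=12))
udp   UNCONN 0      0      [::]:5060          [::]:*            users:(("asterisk",pid=1234,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=800,fd=3))
tcp   LISTEN 0      50     10.0.0.1:5061      0.0.0.0:*'

# On the server itself: sudo sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then
    ss -lntup | sip_listeners
else
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | sip_listeners
fi
```

Empty output from the `--live` run after stopping Asterisk means no process on that machine is bound to the default SIP ports.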

christian

 :) :)
Well, I don't mind if you jump in and solve this network issue.
For the time being, I don't have any better idea than going back to the roots, having a technical description of what this landscape is made of.

We have a better idea at this stage, but this is still not enough, at least for me, in order to really start having an idea.
I suppose it needs to go as low as IP address level to understand why, with a given number of hosts running on the network, Zentyal can be reached (ping) or not. IP conflict? Route issue? I really don't know.

What is granted is that the landscape is not that simple: the DHCP server is not Zentyal  ;) and we have multiple VLANs here.

half_life

What I am suggesting here is pinging from a machine on each vlan to:
1) Another machine on the same vlan.
2) Zentyal server.
3) internet.
And then the reverse where it makes sense.
To double check your port forwards, temporarily change them one at a time to point to port 22 on your Asterisk machine. SSH into them like so: ssh root@192.168.0.1 -p 5060, where 192.168.0.1 is your Zentyal WAN IP address that is forwarding to your Asterisk machine. Make sure to put things back when you are done.

The reason that I was handing off to Christian is that you two are on a much closer timezone.  I went to bed after the last post and am now getting ready for work.

christian

 ;D  ;D
Don't worry, I do not intend to let you work alone on this  ;)
Just waiting for gopher49 to come back to us with additional inputs  8)