Yes, this upset me so bad when I was trying to get it to work, but we finally figured out what the setting was. I'm using VSphere.
- You need to click on the name of ESX server itself (not one of the machines)
- Click on the Configuration tab
- Find the vSwitches that 'contain' the two interfaces of your firewall, click 'Properties' (so, you have to do all this twice on two different vSwitches)
- Click on the name of the PORT GROUP, NOT the vSwitch!
- Click Edit
- Click the Security tab
- Uncheck the box next to Promiscuous Mode
- Check the box next to Promiscuous Mode and change the dropdown to Accept
If you do this on the vSwitch itself (uncheck the box next to Reject), all the machines connected to it will start to see ALL the traffic on the switch. Firewalls connected to this vSwitch will start to RST packets that are not destined for them. You will then also lose the connection to this ESX server, because the firewall connected to the vSwitch will start to deny all the VMware server traffic itself. Try not to do that :-).
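The same port-group-only change, as an added PowerCLI example that is not from the original post or from VMware's documentation. It assumes VMware PowerCLI is installed, that you have already run Connect-VIServer, and that the host name and the two port group names are placeholders you replace with your own. The verification loop at the end checks the point made above: the firewall port groups accept promiscuous mode while their parent vSwitches still reject it.

```powershell
# Added example (not part of the original thread): set Promiscuous Mode = Accept
# on the firewall's two port groups only, never on the vSwitch itself.
# Assumptions: PowerCLI is loaded and Connect-VIServer has already been run;
# the names below are placeholders.
$esxHost        = "esx01.example.local"          # placeholder: ESX host name
$firewallGroups = @("FW-Outside", "FW-Inside")   # placeholder: one port group per vSwitch

$vmhost = Get-VMHost -Name $esxHost

foreach ($pgName in $firewallGroups) {
    # -Standard selects a standard (non-distributed) vSwitch port group
    $pg = Get-VirtualPortGroup -VMHost $vmhost -Name $pgName -Standard

    # Override the value inherited from the vSwitch on this port group only.
    # This mirrors: Port Group -> Edit -> Security -> Promiscuous Mode -> Accept
    $pg | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuous $true | Out-Null
}

# Verification: each port group should now report Accept ($true) while the
# vSwitch it belongs to still reports Reject ($false). If a vSwitch shows $true,
# the setting was applied at the wrong level and every VM on it sees all traffic.
$report = foreach ($pgName in $firewallGroups) {
    $pg       = Get-VirtualPortGroup -VMHost $vmhost -Name $pgName -Standard
    $pgPolicy = $pg | Get-SecurityPolicy
    $vsw      = Get-VirtualSwitch -VMHost $vmhost -Name $pg.VirtualSwitchName -Standard
    $swPolicy = $vsw | Get-SecurityPolicy

    [pscustomobject]@{
        PortGroup            = $pg.Name
        PortGroupPromiscuous = $pgPolicy.AllowPromiscuous      # expected: True
        vSwitch              = $vsw.Name
        vSwitchPromiscuous   = $swPolicy.AllowPromiscuous      # expected: False
        Inherited            = $pgPolicy.AllowPromiscuousInherited  # expected: False (overridden)
    }
}

$report | Format-Table -AutoSize

# Flag the dangerous case explicitly so it is not missed in a long table.
$report | Where-Object { $_.vSwitchPromiscuous } | ForEach-Object {
    Write-Warning "vSwitch $($_.vSwitch) accepts promiscuous mode for ALL port groups; set it back to Reject."
}
```

Run it once per ESX host that carries the firewall's interfaces; the loop handles both port groups, so there is no need to repeat it per vSwitch.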
Thank you for the information. Could you please show me a screenshot of the network config of ESX? I'll try to set it up; it should work!
Is it 1 vSwitch or 2 vSwitches?
Both of the port groups, so do this once for each vSwitch, but not for the vSwitch itself, only do it on the port group.