Some Virtual Canary customers experience a situation where their bird is happily online at first, but goes offline after the first settings push. If you're running a VMware ESXi-based virtualisation environment, this is most likely due to two settings on the virtual switch.
On this page we'll discuss the root cause and two solutions.
Root cause
Two MAC addresses matter for your Virtual Canary: the "hardware" MAC address that VMware assigns to your virtual NIC, and the "canary" MAC address, which the Canary modifies after it has booted.
These two MAC addresses are the same when the Virtual Canary boots for the first time. However, once you select a device profile (such as a Cisco router), the "canary" MAC address changes. When the VM reboots, the "hardware" MAC address assigned by VMware now differs from the "canary" MAC address actually used by the VM.
VMware's virtual switches (vSwitches) include two important settings under their security properties: Forged transmits and MAC Address Changes.
If either of these is set to "Reject" on the Virtual Canary's vSwitch, then a mismatch between the "hardware" MAC and the "canary" MAC will cause VMware to silently discard the packets.
Default solution
By default, customers with Virtual Canaries will not be able to change the MAC addresses of their virtual birds through the Canary Console. This default ensures that birds aren't accidentally taken offline.
If you'd prefer to have this enabled, please contact support to have this option unlocked on your console.
However, if you are willing to make changes to your VMware environment, the alternative is to specify the MAC addresses at will within your hypervisor.
Global solution
The solution with the most flexibility is to set both these policies on the Virtual Canary's vSwitch to "Accept":
- Forged transmits
- MAC address changes
After changing the policies and saving, reboot the Virtual Canary for the network interface to be initialised correctly.
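A read-only check of these two settings from the ESXi shell, as an added example that is not part of the original article or any Thinkst tooling. It assumes a standard (not distributed) vSwitch, uses `vSwitch0` as a placeholder name, and runs here against constructed sample output in the `Key: value` layout that `esxcli` prints.

```shell
#!/bin/sh
# Added example, not Thinkst or VMware code. On the ESXi host the input comes from
#   esxcli network vswitch standard policy security get -v vSwitch0
# and the Global solution is applied with
#   esxcli network vswitch standard policy security set -v vSwitch0 \
#       --allow-mac-change=true --allow-forged-transmits=true
# vSwitch0 is an assumed name; use the standard vSwitch the Virtual Canary is on.

# Reads the "get" output on stdin, prints each of the two settings that is not
# Accept ("true"), and returns 0 only when both are present and set to Accept.
rejecting_settings() {
    awk -F': *' '
        { sub(/^[ \t]+/, "", $1); sub(/[ \t\r]+$/, "", $2) }
        $1 == "Allow MAC Address Change" || $1 == "Allow Forged Transmits" {
            seen++
            if ($2 != "true") { print $1; bad++ }
        }
        END { exit ((seen == 2 && bad == 0) ? 0 : 1) }
    '
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_REJECT='   Allow Promiscuous: false
   Allow MAC Address Change: false
   Allow Forged Transmits: true'
SAMPLE_ACCEPT='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true'

for sample in "$SAMPLE_REJECT" "$SAMPLE_ACCEPT"; do
    if bad=$(printf '%s\n' "$sample" | rejecting_settings); then
        echo "OK: both settings are Accept"
    else
        echo "Canary frames will be dropped after a MAC change: ${bad:-setting not found}"
    fi
done
```

A port group can override its vSwitch's security policy, so run the same check on the Canary's port group with `esxcli network vswitch standard portgroup policy security get -p <port group name>`.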
Per-device solution
If you do not wish to change your ESXi settings globally, you can fix this per-device.
NB! Change the settings as you require and take note of the new MAC address.
After saving the device settings, the device will reboot. Once it comes online, it won't be able to check into the console. This is also an opportunity to double-check the MAC address by logging in and going to the "System Information" page.
Shut down the VM. Once it is off, edit the VM settings and change the MAC address for the interface to match the one you've configured.
Note that this will need to be done every time that you change the MAC address through the settings page on your console. Any discrepancy between the MAC address in the VM settings and on the bird itself will cause all traffic to be dropped.