After setting up the DLR and ESG, the ESG can ping the DLR, however the DLR cannot ping the ESG.
I have an NSX 6.2.2 setup. I have the NSX Manager and Controllers in one cluster. The hosts that will use VXLAN are in their own Compute cluster.
I tried using VXLAN in a very simple setup with 2 virtual wire networks with no routing using static IPv4 addresses and it worked as expected.
I was then asked to use DHCP, so I had to set up a DLR and an ESG. I followed the NSX Installation Guide and the NSX Administration Guide in setting up the DLR and ESG. The DHCP would be on the ESG once everything else was working.
In my setup, the Transport Zone covers both the NSX management cluster and the compute cluster.
I have 2 VXLAN networks. Network 1 uses logical switch. Network 2 uses logical network 2. There is also the transit-network logical switch.
The DLR was set up with 3 interfaces:
Transit network - 188.8.131.52 (uplink) On interface vNic_2
Network 1 - 192.168.10.1 (internal) On VDR interface
Network 2 - 192.168.20.1 (internal) On VDR interface
The ESG is set up with 2 Interfaces:
Outside network - 172.29.5.175 (uplink - in dVS portgroup)
Transit network - 184.108.40.206 (internal) - default gateway for the DLR.
I have a small network so I plan on using static routing.
After setting this up, the ESG can ping the DLR, however the DLR cannot ping the ESG. The VM's on the 2 VXLAN networks can ping across their networks though the router. They can ping the Network 1 and network 2 interfaces on the DLR. They cannot ping the ESG. I disabled the firewall on the DLR and ESG and the problem persisted.
It seems that traffic gets stopped at the DLR and won't go either up to the ESG or down to the VM's.
In the diagrams for this type of setup in the install and admin guides, it shows the ESG internal link address, the DLR uplink address and a 3rd protocol address. I can't see in the instructions where this address is added. Do I have to add this after the DLR install?
I am in a test network testing with VXLAN. I don't have many physical servers that I can use. I have the 3-node cluster for NSX cluster with the NSX manager on server1 and the NSX controllers on servers 1,2 and 3. I put the DLR on server 2 and the ESG on server 3. Could this be causing the problems?
Thanks in advance.
Could you share the output of show ip route both from DLR Control VM and ESG?
You may not be able to ping from DLR Control VM, this is expected as per this KB
VMware KB: Unable to ping the virtual machines connected to the DLR internal interface from the control VM of a VMware NSX for vSphere 6.x distributed logical router (DLR)
If you want to use static routing, then you need to configure:
1. DLR: default route next hop 220.127.116.11
2. ESG: static route 192.168.10.0/24 next hop 18.104.22.168
3. ESG: static route 192.168.20.0/24 next hop 22.214.171.124
4. ESG: default route next hop 172.29.5.x
5. Outside network: static route 192.168.10.0/24 next hop 172.29.5.175
6. Outside network: static route 192.168.20.0/24 next hop 172.29.5.175
7. Outside network: static route 126.96.36.199/24 next hop 172.29.5.175
Thanks for your reply.
Attached are the routing tables for the DLR and ESG.
So as per the KB article mentioned, the DLR would not be able to ping the ESG even though they are on the same subnet?
BTW: the VM's on the 2 internal networks can't ping the ESG (188.8.131.52). The VM's can ping each other if they are on a different subnet and can ping the DLR address 184.108.40.206.
On my ESG the static routes are as follows:
192.168.10.0/24 next hop 220.127.116.11
192.168.20.0/24 next hop 18.104.22.168
When installing the ESG, I made the default gateway with the next hop as 172.29.0.10
On the DLR the static routes are as follows:
172.29.0.0/16 next hop 22.214.171.124
When installing the DLR, I made the default gateway as 126.96.36.199.
Would I put the static routes for the next hop of 172.29.5.175 on the ESG?