LukaszDziwisz

Microsoft Network Load Balancer on NSX-T

Hello Everyone,

 

I'm hoping that someone could offer some guidance with the issue we faced yesterday. So I have an application that has two front end web servers that are configured with a VIP using Microsoft's NLB. It is a vendor requirement that we cannot discard. This application is currently running on my old vCenter 6.7 (no NSX) and is connected to a distributed switch. In the physical environment we have added an arp statement and a static entry in the mac address table as per the best practices provided by Microsoft.

Yesterday, I attempted to move this application to my new vCenter 7.0 with NSX-T installed. I removed the SVI from the physical switches, migrated the application and connected it to a newly created segment (the same IPs). I also removed the arp entry and the static mac address table entry. The problem that came up is that I could ping individual hosts and access their web front end, but could neither ping nor access the web front end over the VIP address. The only hosts that were able to ping the VIP are members of this cluster; even the DB that lives on the same VLAN/segment couldn't ping that IP. When running traceroute I could get all the way to the gateway and then got host unreachable.

The next thing I did was disconnect the segment from my T1, create a VLAN-backed segment, put my SVI back on the physical switch and add the arp entry back in its place, but that didn't work either. Next I created a regular portgroup on my VDS to mirror what is in my old vCenter and connected those servers to it, just to find out that it doesn't work either. After all of that, I decided to move it back to my original vCenter, and as soon as I connected it to the portgroup things were working normally.

I'm very puzzled as to what is different or what is wrong with it. I definitely must migrate this application into the new vCenter.

 

Any advice/help would be much appreciated.

7 Replies
CyberNils
LukaszDziwisz

@CyberNils,

Thank you for your response. I have tried your suggestion, followed the article and created a new segment profile allowing MAC learning, and it didn't work. I am still able to communicate with the hosts themselves but not the VIP.

CyberNils

Did you also enable MAC address change?



Nils Kristiansen
https://cybernils.net/
LukaszDziwisz

@CyberNils,

 

Yes, I did. Here are my settings for the segment profile:

[screenshot: segment profile settings (LukaszDziwisz_0-1622040577814.png)]

 

CyberNils
LukaszDziwisz

Unfortunately this didn't seem to help either. I ended up opening a ticket with VMware on it and was told that NSX-T doesn't support unicast or multicast NLB. They couldn't really provide me with an official document though.

Also, what is interesting is that even if I create a VLAN-backed segment or even a portgroup through the VDS, this still doesn't seem to work. If I move my VMs back to vSphere 6.7 then everything is working as it should.

LukaszDziwisz

So just to update everyone on the issue: VMware officially said that NSX-T doesn't support Microsoft NLB in both unicast and multicast modes.

As for why it didn't work on vSphere 7 with a non-NSX VDS and regular portgroups, it was due to the default setting in VDS 7 of "IGMP/MLD Snooping" for the multicast filtering mode.

https://kb.vmware.com/s/article/75217

 

So right now we have it connected to a non-NSX VDS that only has management and vMotion portgroups on it, and of course the NLB portgroup now, and everything is working as expected.
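The fix the final update describes (moving the NLB portgroup to a VDS whose multicast filtering mode is not "IGMP/MLD Snooping") can be checked and applied from PowerCLI instead of the vSphere Client. The block below is an added example, not code from the thread or from VMware; it uses the vSphere API `VMwareDVSConfigSpec.multicastFilteringMode` property (values `snooping` and `legacyFiltering`, the latter being what the client calls "Basic") through the `ExtensionData` view that PowerCLI exposes. The vCenter name `vcenter.example.local` and the switch name `NLB-VDS` are placeholders. It addresses only the non-NSX VDS case from the thread; the NSX-T segment case is the one VMware told the poster is unsupported.

```powershell
# Added example (not from the thread): inspect and change the multicast filtering
# mode of a vSphere Distributed Switch with PowerCLI. Assumes the VMware.PowerCLI
# module is installed and that you can authenticate to the placeholder vCenter.
Connect-VIServer -Server vcenter.example.local   # placeholder vCenter, prompts for credentials

function Get-VDSMulticastMode {
    param([Parameter(Mandatory)][string]$Name)
    $vds = Get-VDSwitch -Name $Name
    [pscustomobject]@{
        Name    = $vds.Name
        Version = $vds.Version
        # 'snooping'        = IGMP/MLD Snooping (the VDS 7.0 default the thread ran into)
        # 'legacyFiltering' = Basic mode, which floods multicast frames such as the
        #                     03-bf-xx-xx-xx-xx NLB cluster MAC to every port
        MulticastFilteringMode = $vds.ExtensionData.Config.MulticastFilteringMode
    }
}

function Set-VDSMulticastMode {
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('legacyFiltering', 'snooping')][string]$Mode = 'legacyFiltering'
    )
    $vds  = Get-VDSwitch -Name $Name
    $spec = New-Object VMware.Vim.VMwareDVSConfigSpec
    # ConfigVersion has to match the switch's current config or vCenter rejects the change
    $spec.ConfigVersion          = $vds.ExtensionData.Config.ConfigVersion
    $spec.MulticastFilteringMode = $Mode
    # Synchronous reconfigure; the _Task variant exists if you prefer to poll
    $vds.ExtensionData.ReconfigureDvs($spec)
    # Re-read the switch so the caller sees the committed value, not the cached view
    Get-VDSMulticastMode -Name $Name
}

# Before: a switch created as VDS 7.0 reports 'snooping'
Get-VDSMulticastMode -Name 'NLB-VDS'

# Switch the whole VDS to Basic mode so the NLB portgroup receives the VIP's frames
Set-VDSMulticastMode -Name 'NLB-VDS' -Mode 'legacyFiltering'

Disconnect-VIServer -Server vcenter.example.local -Confirm:$false
```

The mode is a per-switch setting, so changing it affects every portgroup on that VDS, which is why keeping NLB on a dedicated VDS, as the poster ended up doing, limits the blast radius. After the change, confirm from a VM outside the cluster on the same VLAN that `ping <VIP>` answers and that `arp -a` on it shows the multicast cluster MAC for the VIP; if the physical SVI sits upstream, the static ARP and MAC table entries from the first post are still required there.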