I am currently trying to debug an NSX-T deployment that has my service deployment installed on it. While I can get my solution to work on multiple test beds in house, I am trying to determine why it fails to work on a "live" deployment.
Is there documentation somewhere that shows how I can inspect the service segment and at least see some kind of stats that shows traffic is being mirrored as expected from my policy rules? I'm trying to figure out where along the line my configuration has gone wrong. How do I confirm NSXT is indeed mirroring packets to my service segment? Can I snoop the port of my service VM somehow to see traffic on the "wire"? Is this type of debugging documented somewhere?
Thanks,
So, this was for EW traffic; however, I have determined that my issue was related to the global service status being set to disabled. Specifically:
GET https://<NSXT_MANAGER>/api/v1/serviceinsertion/status/east_west
{
    "context": "east_west",
    "global_status": "DISABLED",
    "resource_type": "ServiceInsertionStatus",
    "id": "<snip>",
    "display_name": "status",
    "tags": [
        {
            "scope": "policyPath",
            "tag": "/infra/settings/service-insertion/security/status"
        }
    ],
    "_create_user": "system",
    "_create_time": 1629753046766,
    "_last_modified_user": "system",
    "_last_modified_time": 1631922757481,
    "_system_owned": false,
    "_protection": "NOT_PROTECTED",
    "_revision": 2
}
I'm told this is the default since NSX-T 2.5.1. However, I find that this is the first time I've seen this after deploying multiple versions of NSX-T 3+ in my labs. It does not seem to be documented in the NSX-T administrator guide either, only that you might consider setting it to disabled should you have problems on uninstall. Thanks,
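A small pre-flight check for the status object shown above, added here as an example and not code from the thread or from VMware. It parses the ServiceInsertionStatus JSON, reports a global_status other than ENABLED as the reason redirection rules never steer traffic to the service segment, and can optionally fetch the object from a live manager over the same GET endpoint; the manager address, credentials and the "north_south" context name are assumptions.

```python
import base64
import json
import ssl
import urllib.request
from typing import List

# Constructed offline input: the east_west status object quoted in the post
# above, with the timestamps and user fields trimmed.
SAMPLE_STATUS = {
    "context": "east_west",
    "global_status": "DISABLED",
    "resource_type": "ServiceInsertionStatus",
    "id": "<snip>",
    "display_name": "status",
    "tags": [{"scope": "policyPath",
              "tag": "/infra/settings/service-insertion/security/status"}],
    "_revision": 2,
}

# Assumption: the two context names accepted by the status endpoint.
CONTEXTS = ("east_west", "north_south")


def check_si_status(status: dict) -> List[str]:
    """Return findings for one ServiceInsertionStatus object; [] means healthy."""
    findings = []
    if status.get("resource_type") != "ServiceInsertionStatus":
        findings.append(f"unexpected resource_type {status.get('resource_type')!r}")
    context = status.get("context", "?")
    global_status = status.get("global_status")
    if global_status != "ENABLED":
        findings.append(f"{context}: global_status is {global_status}; redirection "
                        "rules will not steer traffic to the service segment")
    return findings


def fetch_si_status(manager: str, context: str, user: str, password: str,
                    verify_tls: bool = True) -> dict:
    """GET /api/v1/serviceinsertion/status/<context> using HTTP basic auth."""
    req = urllib.request.Request(
        f"https://{manager}/api/v1/serviceinsertion/status/{context}")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    tls = ssl.create_default_context()
    if not verify_tls:  # lab only: manager still on its self-signed certificate
        tls.check_hostname = False
        tls.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=tls, timeout=30) as resp:
        return json.load(resp)


def diagnose(manager: str, user: str, password: str, verify_tls: bool = True) -> List[str]:
    """Check every context on a live manager and return the combined findings."""
    findings: List[str] = []
    for context in CONTEXTS:
        findings += check_si_status(fetch_si_status(manager, context, user, password, verify_tls))
    return findings
```

Running check_si_status(SAMPLE_STATUS) against the quoted response yields exactly the DISABLED finding, which is the condition the post identifies as the root cause.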
I haven't tried service chaining in sometime, but there is a port mirroring option that may work for you?
I'm fairly certain you cannot set up a mirror to either the service segment or the service deployment NFV, at least not from the NSX-T GUI. Are you aware of a way to do this operation?
Sorry my apologies!
You can, though, packet capture on the logical router interfaces (service link ports); have you tried that?
start capture interface <uuid>
Hi
When you say it fails to install: is it EW or N/S?
Is your Tier in A/A or A/S, in the case of an N/S SVM?
If it fails immediately on install, did you check your vCenter eam-service?
The simplest way is a packet capture or tcpdump.
Having figured this out, I realize I still don't have a good way to test inspection services to ensure packets are in fact being processed according to the chain rules and making it to the service VM's port. It would be nice to know how best to do that.
Hi,
> Adding to pcap and tcpdump from inside the SVM
There are multiple ways.
Currently I can recall that you can run
vsipioctl getflows -f <type the SI dvfilter name here>
You can see the rule ID being matched/hit in the Edge syslog and/or the DFW ESXi logs. I think for EW it will be in the dfw log and for N/S in the Edge syslog [that one I am not 100% sure of, so don't take my word for it; I will check it in my lab].
Please don't hesitate to ask further and more.