VMware Networking Community
jrich2017
Contributor

NSX-T 3.1 Debugging Service Chains or Service Segments

I am currently trying to debug an NSX-T deployment that has my service deployment installed on it. While I can get my solution to work on multiple test beds in house, I am trying to determine why it fails to work on a "live" deployment.

Is there documentation somewhere that shows how I can inspect the service segment and at least see some kind of stats that shows traffic is being mirrored as expected from my policy rules? I'm trying to figure out where along the line my configuration has gone wrong. How do I confirm NSX-T is indeed mirroring packets to my service segment? Can I snoop the port of my service VM somehow to see traffic on the "wire"? Is this type of debugging documented somewhere?

Thanks,


Accepted Solutions
jrich2017
Contributor

So, this was for EW traffic; however, I have determined that my issue was that the global service status was set to disabled. Specifically:

GET https://<NSXT_MANAGER>/api/v1/serviceinsertion/status/east_west

{
    "context": "east_west",
    "global_status": "DISABLED",
    "resource_type": "ServiceInsertionStatus",
    "id": "<snip>",
    "display_name": "status",
    "tags": [
        {
            "scope": "policyPath",
            "tag": "/infra/settings/service-insertion/security/status"
        }
    ],
    "_create_user": "system",
    "_create_time": 1629753046766,
    "_last_modified_user": "system",
    "_last_modified_time": 1631922757481,
    "_system_owned": false,
    "_protection": "NOT_PROTECTED",
    "_revision": 2
}

I'm told this is the default since NSX-T 2.5.1. However, I find that this is the first time I've seen this after deploying multiple versions of NSX-T 3+ in my labs. It does not seem to be documented in the NSX-T Administrator Guide either, only that you might consider setting it to disabled should you have problems on uninstall. Thanks,

8 Replies
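To make the check in the accepted answer repeatable, here is an added example (not from the thread or from VMware) that evaluates a ServiceInsertionStatus object for both the east_west and north_south contexts and flags anything other than ENABLED. The fetch helper assumes HTTP basic auth against the manager and a client-trusted certificate; the embedded sample is a constructed copy of the response above with ids snipped.

```python
import base64
import json
import urllib.request

# Contexts exposed under /api/v1/serviceinsertion/status/<context>
SI_CONTEXTS = ("east_west", "north_south")


def evaluate_status(payload):
    """Return (ok, message) for one ServiceInsertionStatus response.

    ok is False when the global switch is not ENABLED, the condition that
    silently stopped redirection to the SVM in the thread above.
    """
    if payload.get("resource_type") != "ServiceInsertionStatus":
        return False, "unexpected resource_type %r" % payload.get("resource_type")
    ctx = payload.get("context", "?")
    status = payload.get("global_status")
    if status == "ENABLED":
        return True, "%s: service insertion ENABLED" % ctx
    return False, "%s: service insertion %s (rules will not redirect traffic)" % (ctx, status)


def fetch_status(manager, user, password, context):
    """GET the status object for one context.

    Assumption: basic auth is accepted by the manager and its certificate is
    trusted by this client (verification is left on; do not disable it).
    """
    url = "https://%s/api/v1/serviceinsertion/status/%s" % (manager, context)
    req = urllib.request.Request(url)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read().decode())


# Constructed sample mirroring the thread's east_west response (ids snipped).
SAMPLE_EAST_WEST = {
    "context": "east_west",
    "global_status": "DISABLED",
    "resource_type": "ServiceInsertionStatus",
    "display_name": "status",
    "tags": [{"scope": "policyPath",
              "tag": "/infra/settings/service-insertion/security/status"}],
}

if __name__ == "__main__":
    # Offline demonstration; swap in fetch_status(...) per context against a live manager.
    print(evaluate_status(SAMPLE_EAST_WEST))
```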
shank89
Expert

I haven't tried service chaining in some time, but there is a port mirroring option that may work for you?

Shashank Mohan

VCIX-NV 2022 | VCP-DCV2019 | CCNP Specialist

https://lab2prod.com.au
LinkedIn https://www.linkedin.com/in/shankmohan/
Twitter @ShankMohan
Author of NSX-T Logical Routing: https://link.springer.com/book/10.1007/978-1-4842-7458-3
jrich2017
Contributor

I'm fairly certain you cannot set up a mirror to either the service segment or the service deployment NFV, at least not from the NSX-T GUI. Are you aware of a way to do this operation?
shank89
Expert

Sorry, my apologies!

Although you can packet capture on the logical router interfaces (service link ports), have you tried that?

start capture interface <uuid>

Shashank Mohan
SrVMoussa
VMware Employee

Hi,

When you say it fails to install, is it EW or N/S?

Is your Tier in A/A or A/S in the case of an N/S SVM?

If it fails immediately to install, did you check your vCenter eam-service?

The simplest way is that you can packet capture or tcpdump.

Regards,
Khalid Moussa
jrich2017
Contributor

Having figured this out, I still realize I don't have a good way to test inspection services to ensure packets are in fact being processed according to chain rules and making it to the service VM's port. Would be nice to know how best to do that.
SrVMoussa
VMware Employee

Hi,

> Adding to pcap and tcpdump from inside the SVM

There are multiple ways.

Currently I can recall that you can run:

vsipioctl getflows -f <Type the SI dvfilter name here>

You can see the rule ID being matched/hit in the Edge syslog and/or DFW ESXi logs. I think for EW it will be in the DFW log and for NS in the Edge syslog [that one I am not 100% sure, so don't take it as given; I will check it in my lab].

Regards,
Khalid Moussa
SrVMoussa
VMware Employee

Please don't hesitate to ask further & more.

Regards,
Khalid Moussa