VMware Networking Community
Dr_Virt
Hot Shot

NSX-T Hairpinning

Trying to find a resolution to traffic hairpins within our NSX-T deployment. 

We host numerous environments for segmented customers. Each customer gets their own T0 and T1. Each T0 has public IP space attached to it. BGP makes everything seamless. 

One of our customers raised an issue where they were testing one of their public web interfaces from a server within their environment. When testing, it was confirmed that the interface works internally (x.x.x.x) but not when using the public address (X.X.X.X). When tested from an external source, it works fine (X.X.X.X). 

So, we have arrived at the point that the NSX-T T0 is having trouble with hairpinning / u-turn traffic. The flow is similar to the below:

VM2 (10.10.x.y) > T1 > T0 (SNAT 1.1.X.Y) > T0 (DNAT 1.1.X.X) > T1 > VM1 (10.10.x.x)


All other traffic flows inbound and outbound work. It is only when the T0 has to route to itself on the external interface that we see issues.

ucdatasolutions
Contributor

Ever get this resolved?  

I have the same exact issue in the Azure VMware Solution deployment of NSX-T.

Dr_Virt
Hot Shot

No, unfortunately not.

Sreec
VMware Employee

Is there any specific reason why you configured NAT at T0?  Why don't you use the T1 NAT policy? 

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
ucdatasolutions
Contributor

I can't speak to the original poster, but in the AVS NSX-T that we have, we have NATs in the T1 and nothing at all works when trying to loop back to the inside.
