We just deployed NSX in a test environment and created the following configuration (see image below). We are able to ping machines in different Logical Routers and ping up to the uplink interface of the Edge Gateway (192.168.1.3) from a VM, but we can't reach the 192.168.1.0/24 gateway, which is the .1 address. From outside the NSX-based network, we are able to ping down to the Edge Uplink, 192.168.1.3, but not deeper.
I have attached the network diagram as well as the edge gateway interface configuration.
NSX version 6.4.5
ESXi version 6.7.0
vCenter version 6.7.0.30000
Thanks in advance for your help.
How's the routing configured between the Edge and the upstream router at 192.168.1.1? Seems like an issue there.
This is the routing configuration for the Edge Gateway: no static routes defined, nor any other option.
Firewall config
You need to configure routing between the edge and the physical router. Otherwise the physical router does not know how to reach the networks behind the edge. Since you already have a default gateway on the Edge, the easiest configuration would be to configure on the physical router a static route to the networks behind the Edge (on the diagram they could be summarized as 10.10.0.0/16 and 10.20.20.0/24) pointing to the edge's external IP (192.168.1.3). If this is a Cisco router the syntax would be:
ip route 10.10.0.0 255.255.0.0 192.168.1.3
ip route 10.20.20.0 255.255.255.0 192.168.1.3
One other thing that is important is to check routing between the DLR and the Edge. That might also need some routes, most probably on the Edge pointing to the DLR for the networks behind the DLR. On the DLR a default gateway would be enough.
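Added example, not part of the original post: a small longest-prefix-match model of the return path described above, showing where the physical router sends traffic for the NSX networks before and after the two static routes. Assumptions: the router's default route points to a placeholder `ISP` next hop, the DLR is collapsed into the ESG, and 10.10.1.10 is a constructed VM address.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match: return the next hop, 'connected', or None."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def forward(tables, start, dst, max_hops=8):
    """Follow next hops from device `start`; return (path, outcome)."""
    path, device = [start], start
    for _ in range(max_hops):
        hop = lookup(tables[device], dst)
        if hop is None:
            return path, "unreachable"
        if hop == "connected":
            return path, "delivered"
        path.append(hop)
        if hop not in tables:          # next hop is outside the modelled site
            return path, "left the site"
        device = hop
    return path, "loop"

ESG, ROUTER = "192.168.1.3", "192.168.1.1"

# Constructed routing tables. "ISP" is a placeholder next hop (assumption);
# the networks behind the DLR are modelled as attached to the ESG.
BEFORE = {
    ROUTER: [("192.168.1.0/24", "connected"), ("0.0.0.0/0", "ISP")],
    ESG: [("192.168.1.0/24", "connected"), ("10.10.0.0/16", "connected"),
          ("10.20.20.0/24", "connected"), ("0.0.0.0/0", ROUTER)],
}

def with_static_routes(tables):
    """Add the two static routes from the post to the physical router."""
    fixed = dict(tables)
    fixed[ROUTER] = tables[ROUTER] + [("10.10.0.0/16", ESG),
                                      ("10.20.20.0/24", ESG)]
    return fixed

if __name__ == "__main__":
    vm = "10.10.1.10"  # constructed VM address inside 10.10.0.0/16
    print("before:", forward(BEFORE, ROUTER, vm))
    print("after: ", forward(with_static_routes(BEFORE), ROUTER, vm))
```

In the "before" case the echo reply from 192.168.1.1 follows the default route away from the ESG, which matches the symptom of the Edge uplink answering while the .1 gateway does not.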
I created an interface in the 192.168.1.0 network and created static routes in it as you advised, but now the interface created, when queried for the 10.20.20.0 network or one of the 10.10.0.0 networks, just responds that the network is unreachable.
Laptop outside NSX env
VM inside NSX env
Router interface
Can you please send the following info:
- ping and tracert from laptop to 192.168.1.3
- complete routing table of the router
Still seems that the router does not know how to get to the networks inside NSX-v.
And that's the complete routing table.
This is the interface I had to create in order to allow the static routing. I already checked with the gateway as .3 and it's the same result. I forgot to mention that right now the edge's gateway is .5.
Now I am confused. What is the laptop's IP? Can you please draw a diagram that shows 192.168.1.1, 192.168.1.3 (this is the ESG) and 192.168.1.5 and how they are connected? What is the ESG's default gateway?
Seems like the problem is in your router, which, it looks to me, has 2 IPs in the same network (that's very strange!). The tracert stopping at 192.168.1.5 shows that the router does not know where to send the packets it should send to the ESG.
This was my first approach, omitting networks below the edge to reduce complexity, but it's a DLR with 3 Logical Routers attached to it.
This was the second approach; there was no other way to create the static routing.
This is the third approach, using an old router we had lying around. I used the router diagnostic utility to create the ping and tracert tests; it can ping to 192.168.1.3 but not deeper.
Reviewing everything you sent I did not find the configuration of the Edge Firewall. It might be blocking there. To view it you need to access from the Flash client, as it does not show in the HTML 5 client. Can you check this?
It's active and open.
Hi obecerril,
I think the configuration of the EDGE and the DLR, if you don't use dynamic routing, should be as shown in the picture below.
Regards
LM
Setting up the routes directly to the routes in Windows (route -p ADD 10.10.0.0 MASK 255.255.0.0 192.168.1.3) seems to function, so the edge is correctly routing to the NSX infrastructure, but a VM in NSX is not able to reach the laptop nor any other device.
OK. I think that a step ahead has been made. Now, be sure that the default GW on the EDGE is configured properly (you can also try, as a test, configuring the GW of the EDGE to point to the laptop). Then let me know if you are able to reach the laptop when pinging from the EDGE Gateway.
PS: I forgot, also be sure that no firewall is active on your laptop machine.
Hello, I am very interested in this case and a little bit confused [will read your replies again], but for now, are you sure that your ESG is configured to point to the DLR for the 10 networks?
Have you tried re-configuring the networks to run a dynamic protocol such as OSPF, letting the NSX env stay in an NSSA and the physical router be an NSSA or totally NSSA to auto-generate a default route?
Yes, the ESG is configured to point to the DLR.
Recently I tested the OSPF protocol, but the physical router .1 is a very basic model (ISP-provided modem/router). I tried using a more advanced router, .2, but this router does not support OSPF, and for some reason even with static routes configured on it the inner networks can't be reached.
I opened an SSH session to the Edge and it can ping everything in the network except 192.168.1.1.
You can still configure OSPF between the DLR and the ESG and advertise a default route for the NSX env; for the physical world you may leave the static route as it is, pointing to the ESG.
Hi,
Regardless of using dynamic routing or static routing, have you managed to solve it?
If not, can you please tell us how many uplinks you have on the vDS, and which kind of load balancing is set in teaming and failover? Have you tried to vMotion the Edge to another host?
Regards
LM