obecerril
Enthusiast

Not able to reach in or out NSX based networks

We just deployed NSX in a test environment and created the following configuration (see image below). We are able to ping machines in different Logical Routers and ping up to the uplink interface of the Edge Gateway (192.168.1.3) from a VM, but we can't reach the 192.168.1.0/24 gateway which is the .1 address. From outside the NSX based network, we are able to ping down to the Edge Uplink, 192.168.1.3 but not deeper.

I have attached the network diagram as well as the edge gateway interface configuration.

NSX version 6.4.5

ESXi version 6.7.0

vCenter version 6.7.0.30000

Thanks in advance for your help.

nsx-diagram.jpg

pastedImage_1.png

20 Replies
mauricioamorim
VMware Employee

How's the routing configured between the Edge and the upstream router at 192.168.1.1? Seems like an issue there.

0 Kudos
obecerril
Enthusiast

This is the routing configuration for the Edge Gateway: no static routes defined, nor any other option.

pastedImage_0.png

Firewall config

pastedImage_1.png

0 Kudos
mauricioamorim
VMware Employee

You need to configure routing between the edge and the physical router. Otherwise the physical router does not know how to reach the networks behind the edge. Since you already got a default gateway on the Edge the easiest configuration would be to configure on the physical router a static route to the networks behind the Edge (on the diagram they could be summarized as 10.10.0.0/16 and 10.20.20.0/24) pointing to the edge's external IP (192.168.1.3). If this is a Cisco router the syntax would be:

ip route 10.10.0.0 255.255.0.0 192.168.1.3

ip route 10.20.20.0 255.255.255.0 192.168.1.3

One other thing that is important is to check routing between the DLR and the Edge. That might also need some routes, most probably on the Edge pointing to the DLR for the networks behind the DLR. On the DLR a default gateway would be enough.

0 Kudos
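The return-path problem described in the reply above, modelled as an added example (not code from the thread): a longest-prefix-match path tracer over a constructed three-node topology, showing that a VM's echo request reaches 192.168.1.1 but the reply has no route back until the static routes exist. The transit addressing (10.20.20.1 and 10.20.20.2), the VM address 10.10.1.10 and all function names are assumptions for illustration.

```python
import ipaddress

# Constructed topology. From the thread: 192.168.1.1 (router), 192.168.1.3 (ESG
# uplink), 10.10.0.0/16 and 10.20.20.0/24. Assumed: 10.20.20.0/24 is the
# ESG-DLR transit (.1 ESG, .2 DLR) and the VM is 10.10.1.10.
OWNER = {"192.168.1.1": "router", "192.168.1.3": "esg",
         "10.20.20.1": "esg", "10.20.20.2": "dlr"}

def build(router_statics, esg_to_dlr=True):
    nodes = {
        "router": {"connected": ["192.168.1.0/24"], "routes": {}},
        "esg": {"connected": ["192.168.1.0/24", "10.20.20.0/24"],
                "routes": {"0.0.0.0/0": "192.168.1.1"}},
        "dlr": {"connected": ["10.20.20.0/24", "10.10.1.0/24"],
                "routes": {"0.0.0.0/0": "10.20.20.1"}},
    }
    if router_statics:  # the two "ip route" lines from the reply
        nodes["router"]["routes"] = {"10.10.0.0/16": "192.168.1.3",
                                     "10.20.20.0/24": "192.168.1.3"}
    if esg_to_dlr:      # ESG route for the networks behind the DLR
        nodes["esg"]["routes"]["10.10.0.0/16"] = "10.20.20.2"
    return nodes

def trace(nodes, start, dst, max_hops=8):
    """Follow longest-prefix-match forwarding hop by hop from `start`."""
    dst_ip, node, path = ipaddress.ip_address(dst), start, [start]
    for _ in range(max_hops):
        if any(dst_ip in ipaddress.ip_network(n) for n in nodes[node]["connected"]):
            return path, "delivered"
        matches = [(ipaddress.ip_network(p), nh)
                   for p, nh in nodes[node]["routes"].items()
                   if dst_ip in ipaddress.ip_network(p)]
        if not matches:
            return path, "no route"
        node = OWNER[max(matches, key=lambda m: m[0].prefixlen)[1]]
        path.append(node)
    return path, "loop"

def ping(nodes, src_gw, src_ip, dst_gw, dst_ip):
    """Result of the echo request path and of the echo reply path."""
    return trace(nodes, src_gw, dst_ip)[1], trace(nodes, dst_gw, src_ip)[1]

if __name__ == "__main__":
    for statics in (False, True):
        print(statics, ping(build(statics), "dlr", "10.10.1.10", "router", "192.168.1.1"))
    print(trace(build(True, esg_to_dlr=False), "router", "10.10.1.10"))
```

In this model a router without a matching route drops the reply; a real ISP router would send it to its own default route, and the reply is lost either way. The last call shows the second point of the reply: without the ESG route toward the DLR, traffic for 10.10.0.0/16 bounces between the router and the ESG.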
obecerril
Enthusiast

I created an interface in the 192.168.1.0 network and created static routes in it as you advised, but now the interface created, when queried for a 10.20.20.0 network or one of the 10.10.0.0 networks, just responds that the network is unreachable.

Laptop outside NSX env

pastedImage_0.png

pastedImage_3.png

VM inside NSX env

pastedImage_2.png

Router interface

pastedImage_1.png

0 Kudos
mauricioamorim
VMware Employee

Can you please send the following info:

- ping and tracert from laptop to 192.168.1.3

- complete routing table of the router

Still seems that the router does not know how to get to the networks inside NSX-v.

0 Kudos
obecerril
Enthusiast

pastedImage_0.png

And that's the complete routing table:

pastedImage_1.png

This is the interface I had to create in order to allow the static routing. I already checked with the gateway as .3 and it's the same result. I forgot to mention that right now the edge's gateway is .5.

pastedImage_2.png

0 Kudos
mauricioamorim
VMware Employee

Now I am confused. What is the laptop's IP? Can you please draw a diagram that shows 192.168.1.1, 192.168.1.3 (this is the ESG) and 192.168.1.5 and how they are connected? What is the ESG's default gateway?

Seems like the problem is in your router, which looks to me to have 2 IPs in the same network (that's very strange!). The tracert stopping at 192.168.1.5 shows that the router does not know where to send the packets it should send to the ESG.

0 Kudos
obecerril
Enthusiast

This was my first approach, omitting networks below the edge to reduce complexity, but it's a DLR with 3 Logical Routers attached to it.

pastedImage_0.png

This was the second approach; there was no other way to create the static routing.

pastedImage_2.png

This is the third approach, using an old router we had lying around. I used the router diagnostic utility to create the ping and tracert tests; it can ping 192.168.1.3 but not deeper.

pastedImage_3.png

pastedImage_4.png

pastedImage_5.png

0 Kudos
mauricioamorim
VMware Employee

Reviewing everything you sent I did not find the configuration of the Edge Firewall. It might be blocking there. To view it you need to access from the Flash client, as it does not show in the HTML 5 client. Can you check this?

0 Kudos
obecerril
Enthusiast

It's active and open

pastedImage_0.png

0 Kudos
lmoglie
Enthusiast

Hi obecerril

I think the configuration of the EDGE and the DLR, if you don't use dynamic routing, should be as shown in the picture below.

pastedImage_3.png

Regards

LM

0 Kudos
obecerril
Enthusiast

Setting up the routes directly in Windows (route -p ADD 10.10.0.0 MASK 255.255.0.0 192.168.1.3) seems to function, so the edge is correctly routing to the NSX infrastructure, but a VM in NSX is not able to reach the laptop nor any other device.

pastedImage_0.png

0 Kudos
lmoglie
Enthusiast

OK. I think that a step ahead has been made. Now, be sure that the default GW on the EDGE is configured properly (you can also try, as a test, configuring the GW of the EDGE to point to the laptop). Then let me know if you are able to reach the laptop when pinging from the EDGE Gateway.

0 Kudos
lmoglie
Enthusiast

PS: I forgot, also be sure that no firewall is active on your laptop machine.

0 Kudos
SrVMwarer
Hot Shot

Hello, I am very interested in this case and a little bit confused [will read your replies again], but for now: are you sure that your ESG is configured to point to the DLR for the 10 networks?

Have you tried re-configuring the networks to run a dynamic protocol such as OSPF, letting the NSX env stay in an NSSA and the physical router be an NSSA or totally NSSA, to auto-generate a default route?

Regards, İlyas
obecerril
Enthusiast

Yes, the ESG is configured to point to the DLR.

Recently I tested the OSPF protocol, but the physical router .1 is a very basic model (ISP-provided modem/router). I tried using a more advanced router, .2, but this router does not support OSPF, and for some reason, even with static routes configured on it, the inner networks can't be reached.

0 Kudos
obecerril
Enthusiast

Opened an SSH session to the Edge and it can ping everything in the network but the 192.168.1.1.

0 Kudos
SrVMwarer
Hot Shot

You can still configure OSPF between the DLR and ESG and advertise a default route for the NSX env. For the physical world you may leave the static as it is, pointing to the ESG.

Regards, İlyas
0 Kudos
lmoglie
Enthusiast

Hi,

Regardless of using dynamic routing or static routing, have you managed to solve it?

If not, can you please tell us how many uplinks you have on the vDS, and which kind of load balancing is set in teaming and failover? Have you tried to vMotion the Edge to another host?

Regards

LM

0 Kudos