ljhc
Contributor

VM in NSX-T cant access public internet

Hi all,

Sorry if this is a dumb question. I have set up an NSX-T 3.0 testing environment: one physical switch connects to the hosts and to one firewall, which connects to the public internet.

When the VM is placed in the NSX-T segment attached to the edge, the VM can ping the internet (e.g. google.com) but can't reach it via TCP (e.g. curl -v https://google.com). If the destination is inside the switch, such as an HTTPS server in another physical VLAN, then the curl works. A VM in the physical VLAN can do all of them.

I have checked the firewall. Only the default firewall rule is enabled, and no extra gateway firewall or DFW rules are enabled. I have tried different OSes (Windows and CentOS), not working. I have tried an L2 bridge on the edge, still not working. Once the VM is in the NSX-T segment from the edge, it can't establish TCP to the public internet. Can anyone provide insight to troubleshoot the issue? Thank you in advance.

4 Replies
shank89
Expert

I have seen some odd behaviour when the MTU hasn't been set correctly. Have you ensured you have configured it correctly?
Have you checked your upstream firewall to see if any packets are being dropped?

Shashank Mohan

VCIX-NV 2022 | VCP-DCV2019 | CCNP Specialist

https://lab2prod.com.au
LinkedIn https://www.linkedin.com/in/shankmohan/
Twitter @ShankMohan
Author of NSX-T Logical Routing: https://link.springer.com/book/10.1007/978-1-4842-7458-3
jobotte
Contributor

I have seen this issue in the past, and it turned out to be an MTU issue. Try pinging with a larger packet size. That may shed some light on the issue.

ljhc
Contributor

Thank you for replying.

Here is my attempt to test ping with larger packets from a VM in the NSX segment.

Ping to another VM in the same NSX-T segment or to the segment gateway: OK with packet size 9000.

Ping to the T0 uplink interface IP and gateway: failed with packet size 9000, but OK with packet sizes under 1414.

If I ping from the SR of the T0 gateway in the Edge VM:

Ping to the T0 uplink interface IP and gateway: OK with packet size 9000.

I have tried to capture packets on the T0 uplink. No ping packets of size 9000 were captured; only packets of size 1414 could be captured.

I also tried deploying a new Edge VM and T0 gateway with uplink profile MTU 9000 and T0 uplink interface MTU 9000, but it still failed. Any more suggestions I can try?

NetArcher
VMware Employee

Hello,

   1. I hope you are using the "Plan & Troubleshoot ---> Traceflow" option to verify connectivity.

   2. Also manually try pinging the TEP of the other host and Edge node using the following command on the ESXi host where the problematic VM is deployed, if not tried already:

      vmkping ++netstack=vxlan -s 1572 -d x.x.x.x 

   3. As other folks mentioned, this is most likely an MTU problem, if all DFW, Edge firewall and underlay transports are clean.

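The replies above suggest probing with larger ping sizes and with vmkping -s 1572 -d against the TEPs. The following is an added example, not posted by anyone in this thread, that shows the arithmetic those probe sizes rest on and automates the "how big can it go" search. The header sizes are the standard IPv4, ICMP, Ethernet, UDP and base GENEVE header lengths; the GENEVE options length is left as a parameter because NSX-T adds variable-length options that this example does not model. The simulated link and the 1442-byte path are constructed to mirror the numbers reported above (a 1414-byte payload is a 1442-byte packet; a 1572-byte payload is a 1600-byte packet); linux_ping_probe wraps the real iputils ping and is not exercised offline.

```python
"""MTU arithmetic behind the ping / vmkping probes in this thread (constructed example)."""
import subprocess
from typing import Callable

# Fixed header sizes in bytes. NSX-T appends variable-length GENEVE options on
# top of the 8-byte base header, so the options length is a parameter below
# rather than a constant (assumption: we do not model NSX-T's option set).
IPV4_HEADER = 20
ICMP_HEADER = 8
ETH_HEADER = 14
UDP_HEADER = 8
GENEVE_BASE_HEADER = 8


def icmp_payload_for_mtu(mtu: int) -> int:
    """Largest `-s` payload an unfragmented IPv4 echo request can carry at this MTU."""
    return mtu - IPV4_HEADER - ICMP_HEADER


def mtu_for_icmp_payload(payload: int) -> int:
    """Inverse: the IP packet size that `ping -s payload` actually puts on the wire."""
    return payload + IPV4_HEADER + ICMP_HEADER


def underlay_mtu_for_overlay(overlay_mtu: int, geneve_options: int = 0) -> int:
    """Outer IP packet size the TEP path must pass so that a guest frame carrying
    overlay_mtu bytes of IP payload survives GENEVE encapsulation."""
    return (overlay_mtu + ETH_HEADER                  # inner Ethernet frame
            + GENEVE_BASE_HEADER + geneve_options     # GENEVE header + options
            + UDP_HEADER + IPV4_HEADER)               # outer UDP/IPv4


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 9000) -> int:
    """Binary-search the largest IP packet size that `probe` gets through with DF set.

    probe(size) must return True when a size-byte don't-fragment packet is answered.
    A path that drops oversized frames silently (the classic MTU mismatch) looks
    like "small pings work, big pings vanish", exactly what the thread describes.
    """
    if not probe(lo):
        raise RuntimeError(f"no reply even at {lo} bytes: path is down, not an MTU issue")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid fits, search upwards
        else:
            hi = mid - 1      # mid dropped, search downwards
    return lo


def simulated_link(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real probe: one hop drops DF packets above path_mtu."""
    return lambda size: size <= path_mtu


def linux_ping_probe(host: str) -> Callable[[int], bool]:
    """Real probe for a Linux guest. `ping -M do` sets DF, so an oversized packet
    fails instead of being fragmented. On ESXi the equivalent for the TEP path is
    `vmkping ++netstack=vxlan -d -s <payload> <tep-ip>`, as in the reply above."""
    def probe(size: int) -> bool:
        payload = icmp_payload_for_mtu(size)
        result = subprocess.run(
            ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(payload), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
        return result.returncode == 0
    return probe


if __name__ == "__main__":
    # Constructed path that passes 1442-byte packets, matching the 1414-byte payloads above.
    mtu = find_path_mtu(simulated_link(1442))
    print(f"path MTU {mtu}: largest working ping -s payload is {icmp_payload_for_mtu(mtu)}")
    print(f"vmkping -s 1572 tests a {mtu_for_icmp_payload(1572)}-byte TEP MTU")
    print(f"a 1500-byte overlay needs >= {underlay_mtu_for_overlay(1500)} bytes of underlay MTU before GENEVE options")
```

Against a live guest, `find_path_mtu(linux_ping_probe("<uplink-gateway-ip>"))` walks the same search the poster did by hand; comparing the result with the same probe from the Edge's SR shows which hop (overlay, TEP underlay, or T0 uplink) is clamping the size. Note that the DF-set probe only finds the MTU for the overlay's ICMP; TCP traffic with the DF bit set (which Linux and Windows both send by default) fails on exactly the same hop once segments exceed it, which is why ping-without-size can succeed while curl hangs.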