VMware Networking Community
LuisjaEve
Contributor

cURL HTTPS not working from NSX-T segment

Hi,

I am trying "curl https" from a VM connected to an NSX-T segment:

[root@test2-pro ~]# curl -v https://google.com
* About to connect() to google.com port 443 (#0)
* Trying 216.58.208.110...
* Connected to google.com (216.58.208.110) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer

If I connect this VM to a port group in vCenter (port group in the vDS I use for NSX-T), the same command works:

[root@test2-pro ~]# curl -v https://google.com
* About to connect() to google.com port 443 (#0)
* Trying 216.58.208.110...
* Connected to google.com (216.58.208.110) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=*.google.com
* start date: jun 27 08:17:39 2022 GMT
* expire date: sep 19 08:17:38 2022 GMT
* common name: *.google.com
* issuer: CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: google.com
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: https://www.google.com/
< Content-Type: text/html; charset=UTF-8
< Date: Thu, 14 Jul 2022 17:51:38 GMT
< Expires: Thu, 14 Jul 2022 17:51:38 GMT
< Cache-Control: private, max-age=2592000
< Server: gws
< Content-Length: 220
< X-XSS-Protection: 0
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: CONSENT=PENDING+024; expires=Sat, 13-Jul-2024 17:51:38 GMT; path=/; domain=.google.com; Secure
< P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
* Connection #0 to host google.com left intact
[root@test2-pro ~]#

I've tried linking the segment to a T1 router and directly to a T0, and I get the same error.

Any ideas?

Thanks.


Accepted Solutions
rliu
VMware Employee

It's likely due to an MTU issue on the overlay segment. Please make sure the ESXi host and Edge TEP interfaces are set to 1600 minimum, and that the MTU on the L2 and L3 interfaces in the datapath is also set up properly, as Geneve packets can't be fragmented.

You can run a ping test from the ESXi host with the following command:

#ping ++netstack=vxlan -d -s 1572 -I vmk10 <destination host or destination edge TEP interface>

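To make the MTU arithmetic behind the accepted answer concrete, here is an added Python helper (not code from the thread or from VMware). It computes the outer packet size a Geneve-encapsulated inner packet produces, the minimum underlay MTU that carries a full-size 1500-byte inner packet, and the ICMP payload size (-s) that a DF ping needs to fill a given MTU. It then runs a constructed sketch of the `curl https://google.com` exchange (packet names and sizes are assumptions, not captured data) against a 1500 and a 1600 underlay MTU to show why the TCP handshake completes while the first full-size TLS segment is dropped.

```python
"""Overlay MTU budget helper for an NSX-T Geneve segment.

Added example, not code from the thread or from VMware. It models the
failure in the question: the underlay (TEP vDS) MTU is too small for a
full-size inner frame once Geneve encapsulation is added, so small
packets (TCP handshake) pass while full-size TLS segments are dropped.
All sizes are bytes; MTU values are IP-layer (they exclude the Ethernet header).
"""

# Protocol constants (Geneve over IPv4, RFC 8926 base header, no options).
INNER_ETH_HDR = 14     # inner Ethernet frame header carried inside Geneve
GENEVE_BASE_HDR = 8    # Geneve base header; NSX-T adds option TLVs on top
OUTER_UDP_HDR = 8
OUTER_IPV4_HDR = 20
IPV4_HDR = 20
ICMP_HDR = 8


def encapsulated_ip_len(inner_ip_len: int, geneve_option_bytes: int = 0) -> int:
    """Outer IPv4 packet length once an inner IP packet is Geneve-encapsulated."""
    return (OUTER_IPV4_HDR + OUTER_UDP_HDR + GENEVE_BASE_HDR
            + geneve_option_bytes + INNER_ETH_HDR + inner_ip_len)


def required_underlay_mtu(inner_mtu: int = 1500, geneve_option_bytes: int = 0) -> int:
    """Smallest underlay MTU that carries a full-size inner packet unfragmented.
    With no options this is 1550; the 1600 in the answer leaves headroom for
    NSX-T's Geneve option TLVs."""
    return encapsulated_ip_len(inner_mtu, geneve_option_bytes)


def fits_underlay(inner_ip_len: int, underlay_mtu: int, geneve_option_bytes: int = 0) -> bool:
    """True if the encapsulated packet fits the underlay MTU. The outer header
    carries DF, so an oversize packet is dropped rather than fragmented."""
    return encapsulated_ip_len(inner_ip_len, geneve_option_bytes) <= underlay_mtu


def ping_payload_for_mtu(mtu: int) -> int:
    """ICMP payload (-s) that makes a DF ping exactly fill the given MTU,
    e.g. 1572 for the 1600-byte TEP MTU test in the accepted answer."""
    return mtu - IPV4_HDR - ICMP_HDR


# Constructed sketch of the `curl https://google.com` exchange as inner IPv4
# packet lengths (assumed values, not captured data). The VM NIC has a 1500
# MTU, so the server's certificate chain arrives in full-size 1500-byte segments.
HTTPS_FLOW = [
    ("TCP SYN", 60),
    ("TCP SYN-ACK", 60),
    ("TCP ACK", 52),
    ("TLS ClientHello", 300),
    ("TLS ServerHello + Certificate (full MSS segment)", 1500),
    ("TLS ServerHelloDone", 80),
]


def first_drop(underlay_mtu: int, flow=HTTPS_FLOW, geneve_option_bytes: int = 0):
    """Name of the first packet in the flow that cannot cross the underlay, or None."""
    for name, inner_len in flow:
        if not fits_underlay(inner_len, underlay_mtu, geneve_option_bytes):
            return name
    return None


if __name__ == "__main__":
    print("required underlay MTU for 1500 inner, no options:", required_underlay_mtu())
    print("ping -d -s payload for a 1600 MTU test:", ping_payload_for_mtu(1600))
    for mtu in (1500, 1600):
        print(f"underlay MTU {mtu}: first dropped packet -> {first_drop(mtu)}")
```

With a 1500-byte underlay the handshake packets (60 bytes inner, 110 outer) pass, so curl reports "Connected", but the 1500-byte certificate segment becomes 1550 bytes on the wire and is dropped; no TLS data ever reaches the client, which matches a connect that succeeds and then fails before the TLS session is established. With a 1600-byte underlay nothing is dropped. The same numbers explain the ping test: `-s 1572` plus the 20-byte IP and 8-byte ICMP headers is exactly 1600 bytes, and `-d` sets DF so the host cannot hide a small-MTU link by fragmenting.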
2 Replies
LuisjaEve
Contributor

Hi rliu,

You are right.

The vmk10 ping between the ESXi host and the edge nodes is not working at 1600.

After this I realized the edge nodes' TEP interface is attached to a vDS with MTU 1500.

Thanks a lot for your help!!!
