VMware Networking Community
vmware3222
Enthusiast

DLR ping fails

I use ESXi 5.5 and NSX 6.1.4

and 4 physical machines.

I have 2 subnets: 192.168.0.0/24 and 192.168.10.0/24.

I use 2 physical switches, each one for 1 subnet, but the switches are not connected.

One cluster.

One controller.

All of the ESXi hosts are connected to the 2 subnets with 2 pNICs.

1 VDS for the cluster.

The VMs are simply windows.iso, just to simulate a client network.

I have 4 Windows VMs:

vm1 and vm2 on ESXi 3

vm3 and vm4 on ESXi 4

vm1 and vm3 in the network (10.1.0.0/24) connected to logical switch 1

vm2 on ESXi 3 and vm4 on ESXi 4 connected to LS2 (10.2.0.0/24)

16 GB in each machine.

I use Windows Server 2012 R2 for AD and DNS.

I configured a DLR between LS1, LS2 and the transit LS,

but the ping fails between VMs in different subnets.

Any idea?

14 Replies
cnrz
Expert

  • Can VM1 ping VM3, and VM2 ping VM4? (Same logical switch, different ESXi hosts, to check that the VTEP, ARP and MAC table entries exist.)
  • Can VM1 and VM2 ping their default gateway? (Could you send the IP addresses and subnet masks of VM1, VM2 and the DLR LIF interfaces?)
  • Could there be a dFW rule blocking ICMP between Logical Switch 1 and Logical Switch 2?

On the CLI of the NSX Manager (SSH), the DLR could be checked with the following commands (could you send the output of the commands below?).

These links may help with the output of the logical-router commands on the Central CLI of NSX Manager:

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=21452...

http://brettdrayton.com/vmware-nsx-6-2-central-cli-introduction/

show logical-router list all --> Lists all DLR instances with their edge-id (this edge-id is used in the following commands).

show logical-router list dlr edge-id host --> Check on which hosts the DLR is installed. This should list both ESXi3 and ESXi4 with their host-ids.

show logical-router controller controller-1 dlr edge-id interface --> Check that the gateway IP addresses of the VMs are seen by the controller. This command should give the gateway IP of both LS1 and LS2.

show logical-router host host-id dlr edge-id arp --> Check the DLR ARP table on ESXi3 and ESXi4. The ARP table should include the VMs.

Check that the DLR instance and LIFs exist on the host:

  • Check that DLR instances exist
    >show logical-router host host-id dlr all verbose --> Check whether the DLR is installed on ESXi3 and ESXi4 (replacing host-id with the host-ids of both ESXi hosts from the show logical-router list dlr edge-id host command). The DLR instance is a VIB module; it should exist on both hosts.
    >show logical-router host host-id dlr all brief
  • Check that LIFs exist
    >show logical-router host host-id dlr edge-id interface all verbose
    >show logical-router host host-id dlr edge-id interface all brief

Troubleshooting a DLR routing issue --> These commands are not needed as both LS1 and LS2 are connected to the same DLR.

  • Check DLR routes and interfaces on the host
    >show logical-router host host-id dlr edge-id route
    >show logical-router host host-id dlr edge-id interface all verbose


vmware3222
Enthusiast

vm1 can ping vm3 and vm2 can ping vm4.

The VMs can ping their GW and the GW of the other VMs.

I attached my diagrams, physical and logical.

I'm not sure of the IPs between the edge and the DLR.

I chose 192.168.10.0/24, the clients network.

cnrz
Expert

From the diagram both LS1 and LS2 are connected to the DLR, and the VMs can ping the DLR.

Is it possible to send the outputs of the commands on the NSX Manager CLI?

On the diagram it shows a dFW rule, so could there be a firewall rule blocking ICMP?

vmware3222
Enthusiast

The FW is disabled.

cnrz
Expert

Is it the DLR Firewall or the Distributed Firewall that is disabled? They are 2 separate firewalls.

The DLR FW is related to the packets coming to the DLR Control VM itself; the dFW may be important in blocking ICMP even with the DLR Firewall disabled.

Also, the commands after SSH to the NSX CLI may help to observe the view of the DLR and Controllers, because without these commands it is difficult to troubleshoot.

The DLR Firewall:

DLR_Control_VM_Firewall.jpg

Distributed Firewall:

Distributed_Firewall.jpg

cnrz
Expert

Also, the status of the Distributed Firewall may be observed as below (by default it is enabled with a default permit rule):

Installation > Host Preparation> Cluster

Distrbuted_Firewall_Enabled.jpg

vmware3222
Enthusiast

These are the FW and dFW rules,

and the VMs ping all the DLR interfaces.

vmware3222
Enthusiast

fw

vmware3222
Enthusiast

Ah, the network adapters of the DLR VM are not connected to the LS.

How can I edit the settings?

cnrz
Expert

Firewalls seem ok, so this is probably related to the DLR Configuration.

The DLR VM is responsible for dynamic routing updates to the VIB modules. So it has one interface (protocol IP address) connected to the transit VXLAN between the ESG and the DLR. During the configuration it is not connected to the VM LS1 or LS2.

The LS1 and LS2 gateway IP addresses reside on the ESX1 and ESX2 VIB module LIF interfaces, and they both have the same IP and MAC addresses on both hosts.

LS1 and LS2 should be connected to the LIF interfaces of the DLR; when the DLR is edited, are the IP addresses of the LIF interfaces connected to the LIFs?

http://www.routetocloud.com/2014/06/nsx-distributed-logical-router/

DLR_Lif_IP_Interfaces.jpg

LIF interfaces:

https://blogs.vmware.com/networkvirtualization/2013/11/distributed-virtual-and-physical-routing-in-v...

vmware3222
Enthusiast

OK.

I have the same configuration, but for the VMs I use 10.1.0.0/24 and 10.2.0.0/24.

I chose 192.168.10.2/29 for the uplink interface

and the gateway 192.168.10.1,

but the DLR is unable to ping the GW and the VMs too.

vmware3222
Enthusiast
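The addressing described in this thread (VM subnets 10.1.0.0/24 and 10.2.0.0/24 on the DLR LIFs, DLR uplink 192.168.10.2/29 with gateway 192.168.10.1 on the transit side) is the kind of plan that is worth sanity-checking before touching any firewall, because a VM outside its LIF subnet, overlapping subnets, or a mask mismatch on the transit link all produce the same symptom as a blocked ping. The script below is an added example and is not code from the thread or from VMware; it only uses the Python standard library `ipaddress` module. The LIF gateway addresses (10.1.0.1, 10.2.0.1), the ESG internal address (192.168.10.1/29) and the individual VM addresses are constructed assumptions, since the thread does not list them.

```python
import ipaddress

# Constructed addressing plan modelled on the thread. The LS1/LS2 LIF gateway
# addresses, the ESG internal address and the VM addresses are assumptions;
# the VM subnets, the DLR uplink 192.168.10.2/29 and its gateway 192.168.10.1
# are the values given in the thread.
PLAN = {
    "lifs": {"LS1": "10.1.0.1/24", "LS2": "10.2.0.1/24"},   # DLR internal LIFs
    "uplink": "192.168.10.2/29",                            # DLR uplink on the transit LS
    "esg_internal": "192.168.10.1/29",                      # ESG side of the transit LS
    "vms": {                                                # vm -> (logical switch, address)
        "vm1": ("LS1", "10.1.0.11"),
        "vm2": ("LS2", "10.2.0.12"),
        "vm3": ("LS1", "10.1.0.13"),
        "vm4": ("LS2", "10.2.0.14"),
    },
}


def check_plan(plan):
    """Return a list of addressing problems; an empty list means the plan is consistent."""
    problems = []
    lifs = {name: ipaddress.ip_interface(cidr) for name, cidr in plan["lifs"].items()}
    uplink = ipaddress.ip_interface(plan["uplink"])
    esg = ipaddress.ip_interface(plan["esg_internal"])

    # 1. Internal LIF subnets must not overlap each other or the transit subnet,
    #    otherwise the DLR cannot pick an unambiguous route between them.
    nets = {name: lif.network for name, lif in lifs.items()}
    nets["transit"] = uplink.network
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnet overlap: {a} {nets[a]} and {b} {nets[b]}")

    # 2. Every VM must sit inside the subnet of the LIF it uses as its default
    #    gateway, and must not reuse the gateway address itself.
    for vm, (ls, addr) in plan["vms"].items():
        ip = ipaddress.ip_address(addr)
        lif = lifs.get(ls)
        if lif is None:
            problems.append(f"{vm}: unknown logical switch {ls}")
            continue
        if ip not in lif.network:
            problems.append(f"{vm}: {ip} is outside {ls} subnet {lif.network} (gateway {lif.ip})")
        elif ip == lif.ip:
            problems.append(f"{vm}: {ip} collides with the {ls} LIF gateway")

    # 3. The DLR uplink and the ESG internal interface must share one transit
    #    subnet (same network and mask), or the DLR default route never resolves.
    if uplink.network != esg.network:
        problems.append(f"transit mismatch: DLR uplink {uplink} vs ESG internal {esg}")
    elif uplink.ip == esg.ip:
        problems.append(f"transit: DLR uplink and ESG internal both use {uplink.ip}")
    return problems


def plan_is_consistent(plan):
    return not check_plan(plan)


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["addressing plan is consistent"]:
        print(line)
```

Run it with the real LIF, uplink and VM addresses from the DLR and VM settings; an empty result means the addressing is not the cause and the remaining suspects are the DLR LIF connections, the dFW, or a guest firewall on the VM itself.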

I'm very stupid, it was the VM FW because the VM is Windows.

Another question: why can I connect to VMs with a public IP using HTTP?

cnrz
Expert

For HTTP access to a VM through a public IP, DNAT (Destination NAT) is needed on the Edge Gateway (ESG).

The DNAT section of this article explains the configuration steps. One point to note is that for NAT functionality the firewall needs to be enabled, and a firewall rule for HTTP to the public address needs to be entered.

http://www.routetocloud.com/2014/12/nsx-v-edge-nat/

DNAT_Sample.jpg

vmware3222
Enthusiast

Oh, excellent, this diagram, thank you very much.

And if the user PC is in the service network, must I have a physical router, or is a normal switch sufficient?