VMware Networking Community
RaymundoEC
VMware Employee

ESXi prepared with NSX VIBs blocking VMs?

Hi there fellows,

I'm just wondering where to find a clue about a problem I have with a customer. The scenario is that NSX seems to be blocking, in some way, the functions of a VM, which is a Red Hat with a native LB on it. The ESXi hosts where those VMs run are prepared, and just prepared, with the NSX VIBs. Since it seems pretty weird, there are some NSX haters who are suggesting some failure in NSX, so I want to find out if someone has experienced something similar.

Thanks in advance for any help.

+vRay
3 Replies
tanurkov
Enthusiast

Hi,

To confirm the issue, please put your VM in the exclusion list in NSX and check connectivity again.

Thanks

Dmitri

aakalan
Enthusiast

I saw some cases where, without any rule active, the NSX distributed firewall blocked some traffic. Could you please try to disable the firewall and check it again?

cnrz
Expert

NSX Flow Monitor Live Flow could show if the flow to or from the VM is blocked or permitted, and by which firewall rule. It is also possible to filter on source or destination IPs, and it could give a clue about whether the TCP flow is established or blocked, and whether packets are reaching the VM.

Flow_Monitor_Live_Flow.png

http://bradhedlund.com/2013/11/04/vmware-nsx-convergence-and-reforming-operational-visibility-for-th...

VMware NSX for vSphere provides a built-in tool, Live Flow monitoring (above), which allows you to simply pick any virtual machine’s network interface and see (in real-time) a summary of all flows and their state. You can see a complete breakdown of all the flows at that VM, including the direction of each flow, the number of bytes and packets per flow, the firewall rule each flow was permitted through, IP addresses and port numbers, and the state of each connection. There are no additional steps required. There’s no need to configure full packet captures to a remote tool and sift through IP addresses looking for your VM. For the simple task of targeted network traffic visibility, VMware NSX offers a simple tool.

http://vcrooky.com/2017/08/nsx-monitor-analyze-virtual-machine-traffic-flow-monitoring/

Similarly, Traceflow would show the hops and, if blocked, at which point.

http://blog.jgriffiths.org/greatest-tool-for-nsx/

http://www.kovarus.com/blog/network-troubleshooting-nsx-traceflow/

http://bayupw.blogspot.com/2016/12/troubleshoot-nsx-dfw-distributed.html

For more detail, tcpdump is also possible at the VM level from the NSX side, which would show if the packets reach the VM, or go from the VM to the NSX dFW or dVS. The same capture is also possible to see if the packets are reaching the DLR or ESG, or going to or coming from the external physical network.

https://avillargarea.wordpress.com/2016/11/23/vm-packet-tracing-from-nsx-manager-cli/

http://fastclouds.net/blog/2015/10/08/nsx-traceflow-tool-for-troubleshooting-virtual-network-configu...

Log Insight NSX Dashboard, ARM (Application Rule Manager) or vRNI (vRealize Network Insight) could help with the flows, showing if they are blocked or permitted and by which rule.
