Solved: NSXT Tier-1 wont route traffic

RobertKeysight · ‎02-13-2024

Hello,

I have created a setup with 2 segments, Segment1 with subnet 192.168.1.1/24 and Segment2 with subnet 192.168.2.1/24, to each segment I have connected 2 vms from 2 different servers, ping within the segment but on different servers works as example machine1 192.168.1.100 can reach machine2 192.168.1.101, also true for Segment2 machine3 192.168.2.100 can reach machine3 192.168.2.101, I have created a tier 1 gateway in order to send traffic from segment one to segment two. Lets say i want to ping from machine2(192.168.1.101) to machine4(192.168.2.101) and it does not work from my machines.

This is the configuration on my segments and Tier1:

Also when I do a traffic analysis between machine2 and machine4 everything looks good I get delivered and no errors.

I dont understand why traffic analysis shows as everything is alright but I cant ping from machine2 to machine4.

Has someone encountered this issue before? Or has any idea how to solve this?

DanielKrieger · ‎02-15-2024

your default gateway is on the wrong interface.

its not an nsx problem.

create a static route for your management on ens 33 and the default route to the nsx segment on ens34

----------------------------------------------------------------------
My Blog: https://evoila.com/blog/author/danielkrieger/

View solution in original post

chandrakm · ‎02-13-2024

Thats strange. Hope you configured gateways properly on VM's and VM's are not dropping ICMP on OS firewall side.

Can you please move all these 4 VM's to one ESX host(just to ruleout MTU issues) and use TRACEFLOW tool to test PING traffic between VM's between different segments? and send the screenshot?

Cheers,
Chandra | 2xVCIX | CCIE | TOGAF
Please KUDO helpful posts and mark the thread as solved if answered

RobertKeysight · ‎02-14-2024

It works between different machine but on the same segment so it is not a issue between the servers, even on the same machine but with different segments it does not work, the issue is with the routing but I dont know what it is 😞

jchilton · ‎02-14-2024

Have you checked Route Advertisement - that all connected segments is checked?

RobertKeysight · ‎02-14-2024

If this is what you are referring to than yeah

DanielKrieger · ‎02-14-2024

Can you do a Traceflow (Select Plan & Troubleshoot > Traffic Analysis > Traceflow > Get Started.)

https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-0771969B-A897-4FD0-AEE3-...

Selcet the vms as source and destination and show the result.

----------------------------------------------------------------------
My Blog: https://evoila.com/blog/author/danielkrieger/

lmoglie · ‎02-15-2024

Hi, have you tried to move all your VMs on the same server and verify if VMs of the Segment1 can reach VMs on the Segment2??

RobertKeysight · ‎02-15-2024

I did and from traceflow everything seems ok 😞

DanielKrieger · ‎02-15-2024

He writes that he can ping VMs in the same segment across servers, so the tunnels between the transport nodes should be OK.

----------------------------------------------------------------------
My Blog: https://evoila.com/blog/author/danielkrieger/

RobertKeysight · ‎02-15-2024

Even if they are on the same server if there are different segments I cant reach them, but if vms are on different servers but same segment they can comunicate.

RobertKeysight · ‎02-15-2024

Yes but from the Vms does not work, from both sides.

DanielKrieger · ‎02-15-2024

Silly question, maybe a local firewall on the VM?
Can you reach all segment IPs from all VMs?
Looks to me like a routing problem on the VM, since the traffic works in the same segment.

----------------------------------------------------------------------
My Blog: https://evoila.com/blog/author/danielkrieger/

RobertKeysight · ‎02-15-2024

From vm1 I can only reach its network 192.168.1.1, not the other network 192.168.2.1. I dont know of any firewall configured how do I check on the vm?

DanielKrieger · ‎02-15-2024

What OS is it?

What is your default gateway?

----------------------------------------------------------------------
My Blog: https://evoila.com/blog/author/danielkrieger/

RobertKeysight · ‎02-15-2024

I have linux sever 22.0.4 and it haves two networks a managemenet one with 10.38.x.x and the second interface is connected to the segment 192.168.1.101(I added the ip to this interface)

DanielKrieger · ‎02-15-2024

can you print the output of the route table from the vm?

you have simple type route at the ssh session

----------------------------------------------------------------------
My Blog: https://evoila.com/blog/author/danielkrieger/

lmoglie · ‎02-15-2024

I think that the default GW is set on the management network and not on the 192.168.1.101

try the following:

# ip route list

and post the outcomes.

DanielKrieger · ‎02-15-2024

If you have 2 interfaces, you should create a static route for the management and set the default gateway for the other adapter to the nsx segment.

----------------------------------------------------------------------
My Blog: https://evoila.com/blog/author/danielkrieger/

RobertKeysight · ‎02-15-2024

ens33 is management and ens34 is the one connected to segment1

DanielKrieger · ‎02-15-2024

your default gateway is on the wrong interface.

its not an nsx problem.

create a static route for your management on ens 33 and the default route to the nsx segment on ens34

----------------------------------------------------------------------
My Blog: https://evoila.com/blog/author/danielkrieger/

All

NSXT Tier-1 wont route traffic