VMware NSX

  • 1.  Problem with overlay traffic

    Posted Oct 25, 2024 10:55 AM

    Hi.

    I am a bit stuck on a problem I cannot find a solution for. I have an installation of NSX-T, just upgraded to 4.2.1 (to see if that fixed the issue), where overlay segments are not able to reach certain random IP segments in a more or less random order.

    I am trying to reach two major news sites here in Denmark, www.eb.dk and www.bt.dk. But for some reason the first one cannot be reached from an overlay segment, only from a VLAN-backed segment. I have tried to do a traceroute from a VM that is located on an overlay segment behind a T1 and T0; no DFW or GW FW is active:

    traceroute to www.bt.dk (23.199.75.121), 30 hops max, 60 byte packets
     1  _gateway (10.123.1.1)  0.532 ms  0.511 ms * 
     2  100.64.0.2 (100.64.0.2)  0.478 ms  0.465 ms  11.601 ms
     3  192.168.5.1 (192.168.5.1)  1.091 ms  0.971 ms  0.937 ms
     4  192.168.1.1 (192.168.1.1)  0.619 ms  0.709 ms  0.686 ms
     5  85.184.163.1.static.dhcp.aura-net.dk (85.184.163.1)  3.089 ms  3.055 ms  3.036 ms

    I stopped the traceroute at my outside GW as it looks OK; traffic is going out. But for the second one:

    traceroute to www.eb.dk (151.101.129.91), 30 hops max, 60 byte packets
     1  * * *
     2  * * *
     3  * * *
     4  * * *
     5  *

    Nothing happens; it does not look like the traffic is even reaching the first hop.

    A tcpdump from the traceroute gives this output:

    10:11:42.298774 IP webserver.kiefer.dk.60663 > ad2019.kiefer.dk.domain: 12420+ A? www.eb.dk. (27)
    10:11:42.298793 IP webserver.kiefer.dk.60663 > ad2019.kiefer.dk.domain: 32136+ AAAA? www.eb.dk. (27)
    10:11:42.300383 IP ad2019.kiefer.dk.domain > webserver.kiefer.dk.60663: 32136 0/1/0 (112)
    10:11:42.315090 IP ad2019.kiefer.dk.domain > webserver.kiefer.dk.60663: 12420 4/0/0 A 151.101.129.91, A 151.101.193.91, A 151.101.65.91, A 151.101.1.91 (91)
    10:11:42.315551 IP webserver.kiefer.dk.39299 > 151.101.129.91.traceroute: UDP, length 32
    10:11:42.315583 IP webserver.kiefer.dk.45587 > 151.101.129.91.33435: UDP, length 32
    10:11:42.315609 IP webserver.kiefer.dk.36913 > 151.101.129.91.33436: UDP, length 32
    10:11:42.315633 IP webserver.kiefer.dk.48438 > 151.101.129.91.33437: UDP, length 32

    No response from anything.

    When going out from a VLAN-backed segment (this is from a Windows PC, but the outcome is the same):

    C:\Users\labadmin>tracert www.eb.dk

    Tracing route to www.eb.dk [151.101.65.91]
    over a maximum of 30 hops:

      1    <1 ms    <1 ms    <1 ms  10.0.0.254
      2    <1 ms    <1 ms    <1 ms  192.168.1.1
      3     4 ms     2 ms     3 ms  85.184.163.1.static.dhcp.aura-net.dk [85.184.163.1]

    I have tried to redeploy the edges, I have tried to upgrade NSX-T to the latest version, I have deleted and recreated the T1 and T0, and I have tried several different settings in segment profiles. Nothing changes; I cannot reach these sites.

    You could say, what does it matter that a news site is unreachable? Not much, but it does get to be a bit of a hassle when a site like raw.githubusercontent.com is unreachable as well.

    So ANY ideas on a solution are more than welcome.

    --

    Martin Kiefer



  • 2.  RE: Problem with overlay traffic

    Posted Oct 26, 2024 05:37 AM

    Found the issue, a colleague mentioned he had seen something like this as well, and another colleague wrote a blog post about it:

    https://blog.redlogic.nl/en/malicious-ip-filter

    And that was exactly it. A malicious filter was blocking to random IPs... After disabling this, everything was back to normal.

    /Martin




  • 3.  RE: Problem with overlay traffic

    Broadcom Employee
    Posted Oct 29, 2024 06:24 PM

    Hi Martin,

    Thank you for confirming the root cause of the issue. You can report incorrect IP or URL reputation/classification via our support organization or directly to the provider of this feed via this form https://www.brightcloud.com/tools/url-ip-lookup.php

    Thanks,

    Stijn