VMware NSX

  • 1.  cURL HTTPS not working from NSX-T segment

    Posted Jul 14, 2022 06:02 PM

    Hi,

    I am trying "curl https" from a VM connected to an NSX-T segment:

    [root@test2-pro ~]# curl -v https://google.com
    * About to connect() to google.com port 443 (#0)
    * Trying 216.58.208.110...
    * Connected to google.com (216.58.208.110) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
    * NSS error -5961 (PR_CONNECT_RESET_ERROR)
    * TCP connection reset by peer
    * Closing connection 0
    curl: (35) TCP connection reset by peer

    If I connect this VM to a port group in vCenter (port group in the vDS I use for NSX-T), the same command works:

    [root@test2-pro ~]# curl -v https://google.com
    * About to connect() to google.com port 443 (#0)
    * Trying 216.58.208.110...
    * Connected to google.com (216.58.208.110) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
    * SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    * subject: CN=*.google.com
    * start date: jun 27 08:17:39 2022 GMT
    * expire date: sep 19 08:17:38 2022 GMT
    * common name: *.google.com
    * issuer: CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
    > GET / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: google.com
    > Accept: */*
    >
    < HTTP/1.1 301 Moved Permanently
    < Location: https://www.google.com/
    < Content-Type: text/html; charset=UTF-8
    < Date: Thu, 14 Jul 2022 17:51:38 GMT
    < Expires: Thu, 14 Jul 2022 17:51:38 GMT
    < Cache-Control: private, max-age=2592000
    < Server: gws
    < Content-Length: 220
    < X-XSS-Protection: 0
    < X-Frame-Options: SAMEORIGIN
    < Set-Cookie: CONSENT=PENDING+024; expires=Sat, 13-Jul-2024 17:51:38 GMT; path=/; domain=.google.com; Secure
    < P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    < Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
    <
    <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
    <TITLE>301 Moved</TITLE></HEAD><BODY>
    <H1>301 Moved</H1>
    The document has moved
    <A HREF="https://www.google.com/">here</A>.
    </BODY></HTML>
    * Connection #0 to host google.com left intact
    [root@test2-pro ~]#

    I've tried linking the segment to a T1 router and directly to a T0, and I get the same error.

    Any ideas?

    Thanks.




  • 2.  RE: cURL HTTPS not working from NSX-T segment
    Best Answer

    Broadcom Employee
    Posted Jul 19, 2022 02:01 PM
    It's likely due to an MTU issue on the overlay segment. Please make sure the ESXi hosts' and Edge TEP interfaces are set to 1600 minimum, and that the MTU on the L2 and L3 interfaces in the datapath is also set up properly, as Geneve packets can't be fragmented.
    You can run a ping test from ESXi host with the following command:
    #ping ++netstack=vxlan -d -s 1572 -I vmk10  <destination host or destination edge TEP interface>




  • 3.  RE: cURL HTTPS not working from NSX-T segment

    Posted Jul 19, 2022 04:48 PM

    Hi rliu,

    You are right.

    The vmk10 ping between the ESXi host and the edge nodes is not working at 1600.

    After this I realized that the edge nodes' TEP interface is attached to a vDS with MTU 1500.

    Thanks a lot for your help!!!
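    As an added illustration of the MTU budget behind the accepted answer's ping test and the root cause found in the last reply (the edge TEP vDS left at 1500), the script below is example code written for this page, not code from the original thread or from VMware. It models a TEP-to-TEP path as a list of hops with their MTUs (the hop names and MTU values are constructed for the example), computes the outer packet size NSX-T's Geneve encapsulation produces for a given inner packet, and reports the first hop that would drop it under "don't fragment" semantics. It also derives the 1572-byte payload used in the `ping -d -s 1572` check from a 1600-byte target MTU.

```python
"""Geneve overlay MTU budget check (illustrative example for this thread).

The hop names, MTU values and packet sizes below are constructed for the
example; they are not measurements from the original post.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Header sizes in bytes. A TEP wraps the guest's entire Ethernet frame in
# Geneve over UDP over IPv4, so all of these are added to the inner packet.
OUTER_IPV4 = 20      # outer IP header written by the source TEP
OUTER_UDP = 8        # Geneve is carried in UDP (destination port 6081)
GENEVE_BASE = 8      # fixed Geneve header; options add multiples of 4 bytes
INNER_ETHERNET = 14  # the guest's whole L2 frame rides inside the tunnel
IPV4_HEADER = 20     # used to size the underlay ping test
ICMP_HEADER = 8


@dataclass
class Hop:
    name: str
    mtu: int  # largest IP packet this hop forwards without fragmentation


def encapsulated_size(inner_ip_len: int, geneve_option_bytes: int = 0) -> int:
    """Outer IPv4 packet length once an inner IP packet is Geneve-encapsulated."""
    return (OUTER_IPV4 + OUTER_UDP + GENEVE_BASE + geneve_option_bytes
            + INNER_ETHERNET + inner_ip_len)


def required_underlay_mtu(inner_mtu: int = 1500, geneve_option_bytes: int = 0) -> int:
    """Smallest TEP/underlay MTU that carries a full-size inner packet unfragmented."""
    return encapsulated_size(inner_mtu, geneve_option_bytes)


def tep_ping_payload(target_mtu: int) -> int:
    """ICMP payload (-s value) that makes `ping -d` emit an IP packet of exactly target_mtu."""
    return target_mtu - IPV4_HEADER - ICMP_HEADER


def first_blocking_hop(path: List[Hop], outer_len: int) -> Optional[str]:
    """Walk the path with DF set: the first hop whose MTU is below the packet size
    drops it (Geneve cannot be fragmented). Returns None if the packet fits everywhere."""
    for hop in path:
        if outer_len > hop.mtu:
            return hop.name
    return None


def check_overlay_path(path: List[Hop], inner_ip_len: int,
                       geneve_option_bytes: int = 0) -> Dict[str, object]:
    """Report whether an inner packet of inner_ip_len survives the TEP-to-TEP path."""
    outer = encapsulated_size(inner_ip_len, geneve_option_bytes)
    return {"outer_len": outer, "blocked_at": first_blocking_hop(path, outer)}


# Constructed path mirroring the thread: host TEP and edge TEP at 1600, but the
# vDS port group carrying the edge node's TEP traffic still at the default 1500.
BROKEN_PATH = [
    Hop("esxi vmk10 (host TEP)", 1600),
    Hop("physical ToR switch", 9000),
    Hop("edge vDS port group (TEP uplink)", 1500),  # the misconfigured hop
    Hop("edge node TEP", 1600),
]

# Same path after raising the edge vDS to the 1600 minimum from the answer.
FIXED_PATH = [Hop(h.name, max(h.mtu, 1600)) for h in BROKEN_PATH]


def demo() -> None:
    print("underlay MTU needed for a 1500-byte inner packet:", required_underlay_mtu())
    print("ping -s value for a 1600-byte probe:", tep_ping_payload(1600))
    # A TCP SYN is tiny and passes, which is why curl reaches "Connected to";
    # a full-size segment (e.g. the TLS ServerHello carrying the certificate) does not.
    for label, inner in (("tcp syn", 60), ("full-size segment", 1500)):
        print(label, "broken:", check_overlay_path(BROKEN_PATH, inner))
        print(label, "fixed: ", check_overlay_path(FIXED_PATH, inner))


if __name__ == "__main__":
    demo()
```

    Running it shows the asymmetry seen in the thread: a 60-byte inner SYN becomes a 110-byte outer packet and fits everywhere, while a 1500-byte inner segment becomes 1550 bytes and is dropped at the 1500-byte edge vDS, exactly the hop the accepted answer's 1600-byte DF ping (payload 1572) fails on. Raising that hop to 1600 clears both.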