VMware Networking Community
zeebahi
Enthusiast

T0-SR stand by and received external traffic from non-nsx client

Hi everyone,

New to NSX, I observed the following:

In a single-tier routing architecture, in the active/standby case, if the standby T0-SR receives traffic from an external client outside NSX, destined to a host on NSX, it drops such traffic.

Is this expected behavior?

Much appreciated!! 

pcgeek2009
Hot Shot

How are your NSX rules set up? You can allow traffic from outside NSX to networks and systems contained within NSX based on the rules. If the traffic does not match any of the allow rules, and it hits a "Drop" rule, then the traffic is dropped. Typically, you can use the traffic analyzer to check the path that network traffic will traverse. This will give all of the rules that may be used to analyze it and show if it hits a drop rule. 

zeebahi
Enthusiast

Thanks for the response.

I am not using any FW rules, so it is a plain routing question. By design, will the standby T0-SR drop external traffic received from a non-NSX host, or does it forward such traffic to the active T0-SR?

chandrakm
VMware Employee

The NSX active Edge will send and receive all traffic; the standby will only come into the picture when the active is down.

Is the VM under NSX able to reach outside? Is this issue for only one VM or for all VMs under NSX?

Make sure your firewalls (DFW, NSX GW firewall and physical firewalls) are not blocking. If firewalls are not dropping traffic, make sure end-to-end routing is propagating as expected. What type of routing is in place, static or BGP? Make sure you have static routes set or BGP route redistribution is properly configured. Do a traceroute in both directions and see where the connectivity is missing. Re-validate all your routing configurations.

Cheers,
Chandra | 2xVCIX | CCIE | TOGAF
Please KUDO helpful posts and mark the thread as solved if answered
zeebahi
Enthusiast

Thanks!!

Let me illustrate my thoughts:

[Image: zeebahi_0-1704515310856.png]

Above, T0-SR is active on edge-node1 and announcing 10.10.10.0/24 to R1 via BGP.

T0-SR is standby on edge-node2 and is also announcing 10.10.10.0/24 to R2 via BGP.

R2 issues a ping to 10.10.10.1 sourced from its loopback 2.2.2.2; this ping is routed over the link that connects R2 with edge-node2. The standby T0-SR on edge-node2 receives this ping.

What will happen next? Will the T0-SR on edge-node2 kill this ping, as it is the standby T0-SR? In my lab I observed that the standby T0-SR did indeed kill the ping. Is it expected behavior?

Much appreciated!!

chandrakm
VMware Employee

I think it's expected behavior. Please refer to the topology below:

https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-B4863BFF-1D54-472F-84CE-B50915EC53F4.h...

Please have your R2 BGP with T1 Active and R1 BGP with T1 Standby. I think this should solve it.

Cheers,
Chandra | 2xVCIX | CCIE | TOGAF