vCenter reports Transmit packet drops for an NSX-T edge node

Article ID: 317681

Products

VMware NSX

Issue/Introduction

Symptoms:
  • vCenter reports transmit packets as being dropped for the NSX-T edge node.
  • Using vsish on the ESXi host, the input stats for the port of the edge node VM interface that is reporting drops show packet drops:
/net/portsets/DvsPortset-1/ports/100663331/> get /net/portsets/DvsPortset-1/ports/100663331/inputStats
...
        SWSEC_INPUT.19068435 <swsec-input:0x4320af8b4b80>
                pktsStarted:602584896
                pktsPassed:602526164
                pktsDropped:58732 <<<<<<<<<<<<<<<<<<<
                no client stats maintained
...
        VDL2_INPUT.19068435 <vdl2-leaf-in:0x4321a27420b0>
                pktsStarted:27705103
                pktsPassed:21864713
                pktsDropped:5840390 <<<<<<<<<<<<<<<<<<<<<<<
                no client stats maintained
  • The command below shows that the switch security (SWSEC) packet drops are counted under MAC CHADDR Mismatch Count and match the count above:
nsxdp-cli swsec get stats --dvport 5ef91676-da9d-47f8-bc87-c56830e3e205 --dvs-alias nvds
...
DHCPv4 Server Block Drop Count : 0
DHCPv6 Server Block Drop Count : 0
DHCPv4 Client Block Drop Count : 0
DHCPv6 Client Block Drop Count : 0
BPDU Filter Drop Count : 0
RA Gurad Drop Count : 0
MAC CHADDR Mismatch Count : 58751
...


Environment

VMware NSX-T

Cause

There are two types of packet drops at play here:
  • VDL2 - These packet drop counters are incremented by a new inter-TEP feature introduced in NSX-T 3.1. When an edge node resides on a prepared host, the feature ensures that packets destined for the edge node's TEP interface, when arriving on the uplink, are not sent back out to the underlay.
  • SWSEC - This occurs when DHCP relay is configured. Packets relayed from the edge to the third-party DHCP server have their source MAC set to that of the gateway, but chaddr (client hardware address) is the MAC address of the DHCP client.
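
The mismatch described in the SWSEC cause, shown as an added Python example (not VMware code and not part of this article): it compares a frame's Ethernet source MAC with the BOOTP chaddr field. It goes slightly beyond the article by also reading giaddr, the standard BOOTP relay-agent field; the frames, MAC addresses and IP addresses are constructed.

```python
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def build_dhcp_frame(eth_src, chaddr, giaddr, sport):
    """Constructed sample: untagged Ethernet/IPv4/UDP/BOOTP request frame."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, 0x1234ABCD, 0, 0,
                        bytes(4), bytes(4), bytes(4), giaddr, chaddr)
    bootp += bytes(64 + 128) + b"\x63\x82\x53\x63"  # sname, file, magic cookie
    udp = struct.pack("!HHHH", sport, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     giaddr, bytes([192, 0, 2, 10]))  # checksums left at 0
    return bytes.fromhex("02aabbccdd01") + eth_src + b"\x08\x00" + ip + udp

def inspect_dhcp_frame(frame):
    """Return None for anything that is not untagged DHCPv4 over Ethernet."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    bootp = 14 + ihl + 8
    if ihl < 20 or frame[23] != 17 or len(frame) < bootp + 44:
        return None
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    if sport not in (67, 68) or dport not in (67, 68):
        return None
    if frame[bootp + 1] != 1 or frame[bootp + 2] != 6:  # htype/hlen: Ethernet
        return None
    eth_src = frame[6:12]
    giaddr = frame[bootp + 24:bootp + 28]
    chaddr = frame[bootp + 28:bootp + 34]
    return {"eth_src": mac(eth_src), "chaddr": mac(chaddr),
            "mismatch": eth_src != chaddr,      # source MAC differs from chaddr
            "relayed": giaddr != bytes(4)}      # giaddr is set by a relay agent

# Constructed addresses, not taken from the article.
GATEWAY_MAC = bytes.fromhex("02505600aa01")
CLIENT_MAC = bytes.fromhex("005056000b02")
RELAYED = build_dhcp_frame(GATEWAY_MAC, CLIENT_MAC, bytes([10, 0, 0, 1]), 67)
DIRECT = build_dhcp_frame(CLIENT_MAC, CLIENT_MAC, bytes(4), 68)

if __name__ == "__main__":
    for name, frame in (("relayed", RELAYED), ("direct", DIRECT)):
        print(name, inspect_dhcp_frame(frame))
```

A frame that reports both `mismatch` and `relayed` is the legitimate relay case the article describes; a mismatch with giaddr unset is the case worth investigating.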

Resolution

For the VDL2 drops, this issue is resolved in NSX-T 3.2.2, whereby the counter will not mark these packets as dropped packets.
For the SWSEC drops, please disable the DHCP server block setting on the Segment Security Profile applied to the segment the edge node is attached to.

Workaround:
For the VDL2 drops, no action is required and correct accounting will be implemented from NSX-T 3.2.2 onwards.
For SWSEC, as above, please disable the DHCP server block setting on the Segment Security Profile applied to the segment the edge node is attached to.