Distributed Virtual Switch drops fragmented packets traversing an NSX Edge
Article ID: 325135

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • The issue affects only VMs whose traffic reaches the Edge through a sub interface (a sub interface of an Edge trunk interface)
  • Pinging from the VM to the Edge uplink with a ping size larger than 1472 bytes (-s on Linux, -l on Windows), which on a 1500-byte MTU forces IP fragmentation, succeeds
  • Pinging from the VM through the Edge to an upstream device with the same ping size times out
  • A packet capture on the Edge uplink shows the fragments still carrying a VLAN tag that matches the Tunnel ID configured on the sub interface:
     00:50:56:82:73:24 > 00:50:56:01:00:94, ethertype 802.1Q (0x8100), length 39: vlan 10, p 0, ethertype IPv4, 10.100.20.2 > 192.168.132.254
     00:50:56:82:73:24 > 00:50:56:01:00:94, ethertype 802.1Q (0x8100), length 39: vlan 10, p 0, ethertype IPv4, 10.100.20.2 > 192.168.132.254
     00:50:56:82:73:24 > 00:50:56:01:00:94, ethertype 802.1Q (0x8100), length 39: vlan 10, p 0, ethertype IPv4, 10.100.20.2 > 192.168.132.254
  • Disabling the Edge firewall resolves the issue


Environment

VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.4.x

Cause

This issue occurs because the Edge fails to strip the VLAN tag from fragmented packets. Because bridge-nf-call-iptables is enabled on the Edge, bridged frames are also passed through the iptables hooks that the Edge firewall uses, so the still-tagged fragments reach the firewall instead of bypassing it. This matches the observation that either disabling the Edge firewall or, as in the workaround below, turning off the bridge-netfilter hooks stops the drops.

Resolution

This issue is resolved in NSX Data Center for vSphere 6.4.8.

Workaround:
To work around the issue, disable bridge_nf_call_iptables and bridge_nf_call_ip6tables on the Edge.

This can be done through the Edge systemControl API if you are on one of the versions below:
  • For 6.3.x, the API is only available in 6.3.7
  • For 6.4.x, the API is available in 6.4.2 and higher

Send the request with a Content-Type of application/xml:

  PUT /api/4.0/edges/<edge-id>/systemcontrol/config
  <systemControl>
     <property>sysctl.net.bridge.bridge-nf-call-iptables=0</property>
     <property>sysctl.net.bridge.bridge-nf-call-ip6tables=0</property>
  </systemControl>

If you are not on one of the above versions, contact VMware Customer Service for assistance.
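As an added example (not part of this KB article and not VMware's own tooling), the following Python script applies the workaround through the systemControl API and then confirms it by reading the configuration back with the GET form of the same endpoint. It assumes NSX Manager accepts HTTP Basic authentication on that URL and that the PUT replaces the whole property list, so it re-sends any properties that are already present rather than overwriting them. The sample GET response, including the tcp_fin_timeout property in it, is constructed for the example and is not a capture. The small icmp_echo_fragments helper also shows why the symptom checks use a ping size above 1472 bytes.

```python
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# The two sysctls the KB workaround sets on the Edge.
WORKAROUND_PROPERTIES = {
    "sysctl.net.bridge.bridge-nf-call-iptables": "0",
    "sysctl.net.bridge.bridge-nf-call-ip6tables": "0",
}

# Constructed sample of what GET .../systemcontrol/config might return on an Edge
# that already carries one unrelated property (example data, not a real response).
SAMPLE_GET_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<systemControl>
   <property>sysctl.net.ipv4.tcp_fin_timeout=30</property>
</systemControl>"""


def icmp_echo_fragments(ping_size, mtu=1500):
    """True if an IPv4 ICMP echo with this ping size must be fragmented on the given MTU.
    20-byte IPv4 header + 8-byte ICMP header + payload: 1472 is the largest payload that
    fits a 1500-byte MTU unfragmented, which is why the symptoms use sizes above 1472."""
    return 20 + 8 + ping_size > mtu


def parse_system_control_xml(xml_text):
    """Turn a <systemControl> document into a {property-name: value} dict."""
    root = ET.fromstring(xml_text)
    props = {}
    for node in root.findall("property"):
        if node.text and "=" in node.text:
            name, value = node.text.strip().split("=", 1)
            props[name] = value
    return props


def build_system_control_xml(props):
    """Serialise a property dict into the request body the PUT expects."""
    root = ET.Element("systemControl")
    for name, value in props.items():
        ET.SubElement(root, "property").text = f"{name}={value}"
    return ET.tostring(root, encoding="unicode")


def workaround_missing(current):
    """Workaround properties that are absent, or not '0', in the current configuration."""
    return {k: v for k, v in WORKAROUND_PROPERTIES.items() if current.get(k) != v}


def merged_properties(current):
    """Current properties with the workaround applied on top. Assumption: the PUT replaces
    the whole property list, so existing properties must be re-sent or they are lost."""
    merged = dict(current)
    merged.update(WORKAROUND_PROPERTIES)
    return merged


def _request(manager, edge_id, user, password, method, body=None, verify_tls=True):
    """One authenticated call to the Edge systemControl endpoint; returns the response body."""
    url = f"https://{manager}/api/4.0/edges/{edge_id}/systemcontrol/config"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=body.encode() if body else None, method=method)
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/xml")
    if body is not None:
        req.add_header("Content-Type", "application/xml")
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab use only: skips certificate validation of NSX Manager
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


def apply_workaround(manager, edge_id, user, password, verify_tls=True):
    """GET the current config, merge the workaround, PUT it back, GET again and confirm.
    Returns the dict of still-missing properties; an empty dict means the workaround is in place."""
    current = parse_system_control_xml(
        _request(manager, edge_id, user, password, "GET", verify_tls=verify_tls))
    if workaround_missing(current):
        _request(manager, edge_id, user, password, "PUT",
                 body=build_system_control_xml(merged_properties(current)), verify_tls=verify_tls)
    after = parse_system_control_xml(
        _request(manager, edge_id, user, password, "GET", verify_tls=verify_tls))
    return workaround_missing(after)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:  # usage: script.py <nsx-manager> <edge-id> <user> <password>
        print("still missing after apply:", apply_workaround(*sys.argv[1:5]))
    else:  # offline demo against the constructed sample response
        print(build_system_control_xml(merged_properties(parse_system_control_xml(SAMPLE_GET_RESPONSE))))
```

Run it with the four arguments to apply and verify against a real Edge; with no arguments it only prints the merged request body it would send for the constructed sample. The GET-before-PUT step is the important safeguard: if the endpoint replaces the list, sending only the two bridge-netfilter properties would silently remove any other sysctl already configured on that Edge.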