Distributed Virtual Switch drops fragmented packets traversing an NSX Edge
Article ID: 325135
Updated On:
Products
VMware NSX for vSphere
Issue/Introduction
- Issue only affects a VM when it's connected to a sub interface
- Pinging from VM with packet size >1472 to the Edge uplink is successful
- Pinging from VM with packet size >1472 through the Edge to an up-stream device times out
- Packet capture on the Edge uplink shows a VLAN tag matching the Tunnel ID set on the sub interface
00:50:56:82:73:24 > 00:50:56:01:00:94, ethertype 802.1Q (0x8100), length 39: vlan 10, p 0, ethertype IPv4, 1#.1##.2#.2# > 1##.1##.1##.2##
00:50:56:82:73:24 > 00:50:56:01:00:94, ethertype 802.1Q (0x8100), length 39: vlan 10, p 0, ethertype IPv4, 1#.1##.2#.2# > 1##.1##.1##.2##
00:50:56:82:73:24 > 00:50:56:01:00:94, ethertype 802.1Q (0x8100), length 39: vlan 10, p 0, ethertype IPv4, 1#.1##.2#.2# > 1##.1##.1##.2##
- Disabling the Edge firewall resolves issue
Environment
VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.4.x
Cause
This issue occurs because the Edge fails to strip the VLAN tag from fragmented packets.
Resolution
This issue is resolved in NSX Data Center for vSphere 6.4.8.
Workaround:
To workaround the issue, disable bridge_nf_call_iptables and bridge_nf_call_ip6tables on the edge.
This can be done via API if you are on one of the below versions:
Workaround:
To workaround the issue, disable bridge_nf_call_iptables and bridge_nf_call_ip6tables on the edge.
This can be done via API if you are on one of the below versions:
- For 6.3.x, the API is only available in 6.3.7
- For 6.4.x, the API is available in 6.4.2 and higher
PUT /api/4.0/edges/<edge-id>/systemcontrol/config
<systemControl> <property>sysctl.net.bridge.bridge-nf-call-iptables=0</property> <property>sysctl.net.bridge.bridge-nf-call-ip6tables=0</property> </systemControl>If you are not on one of the above version, contact VMware Customer Service for assistance.
Feedback
Yes
No
Powered by
