HTTP/HTTPS traffic is not working for Windows VMs through SSL VPN in a full tunnel mode.

Article ID: 345028


Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • Windows VMs are not able to access the internet through SSL VPN in full tunnel mode.
  • The edge has 1 public primary address and 1 private primary address configured on the outgoing edge interface.
  • Linux and Mac clients work fine.
  • HTTP/HTTPS traffic is not processed properly. On traffic leaving the edge, only DNS traffic is translated to the proper IP (the primary public address). HTTP traffic is translated to the primary private IP.
  • The issue is reproducible with different browsers.
  • Once the tunnel mode is reverted to split mode, it works fine.
  • TCP Optimization is disabled.


Cause

TCP optimization is still applied to HTTP/HTTPS traffic even when it is disabled on the server side.
The Windows client keeps using two TCP connections, one between the client and the gateway and another between the gateway and the end server.
More information on how TCP Optimization works can be found at: https://docs.vmware.com/en/VMware-NSX-Data-Center-for-vSphere/6.4/com.vmware.nsx.admin.doc/GUID-15E74836-01B9-4A5A-B9D8-BA6FE0577123.html

Resolution

There is no current resolution.

Workaround:
  • Use a single primary IP on the uplink interface.
  • Use SSL VPN split tunnel mode.
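
To confirm the symptom, or to verify a workaround, the source address of traffic leaving the edge can be checked per service. The following script is an added example, not part of the original article or of any VMware tooling. It assumes a packet capture from the uplink saved as text in `tcpdump -nn` format; the addresses in the sample are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 ranges, listed explicitly: ipaddress.is_private also matches
# documentation ranges such as 203.0.113.0/24 used in the sample below.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SERVICES = {53: "DNS", 80: "HTTP", 443: "HTTPS"}
# Matches "IP <src>.<sport> > <dst>.<dport>:" in tcpdump -nn text output.
LINE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def snat_sources(capture_text):
    """Map service name -> set of source IPs seen on outbound packets."""
    seen = defaultdict(set)
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, _sport, _dst, dport = m.groups()
        service = SERVICES.get(int(dport))
        if service:  # replies have an ephemeral dport and are skipped
            seen[service].add(src)
    return dict(seen)

def leaked_private(capture_text):
    """Return services whose post-NAT source is still an RFC 1918 address."""
    result = {}
    for service, sources in snat_sources(capture_text).items():
        private = sorted(s for s in sources if any(ip_address(s) in n for n in RFC1918))
        if private:
            result[service] = private
    return result

# Constructed sample: 203.0.113.10 stands in for the primary public address,
# 10.0.0.10 for the primary private address on the same uplink.
SAMPLE = """\
10:00:01.000001 IP 203.0.113.10.40001 > 198.51.100.53.53: 1234+ A? example.com. (29)
10:00:01.020001 IP 198.51.100.53.53 > 203.0.113.10.40001: 1234 1/0/0 A 198.51.100.80 (45)
10:00:01.050001 IP 10.0.0.10.40002 > 198.51.100.80.443: Flags [S], seq 1, win 64240, length 0
10:00:02.050001 IP 10.0.0.10.40003 > 198.51.100.80.80: Flags [S], seq 1, win 64240, length 0
"""

if __name__ == "__main__":
    for service, addrs in leaked_private(SAMPLE).items():
        print(f"{service}: leaving uplink with private source {addrs}")
```

An empty result from `leaked_private` on a capture taken after a workaround is applied indicates that DNS, HTTP and HTTPS are all leaving with a non-private source address.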