NSX-T NAT rule statistics are not visible in the UI for any of the NAT rules on the configured T0 and T1.

Article ID: 370016

Products

VMware NSX Networking

Issue/Introduction

On the management plane side, the NAT statistics show zero active sessions and a zero packet count.

NSX Manager UI:

NAT rule statistics show zero active sessions and zero packet counts.

However, on the data plane side, the CLI of the active Edge shows the NAT rule statistics as expected.

The firewall connection table shows the active session for the NAT rule, and the statistics/hit counts update.

NAT rule:

edge02> get firewall 24414390-91f2-4059-bc36-4970d794dcc3 ruleset type snat rules
Rule count: 1
    Rule ID   : 536870912
  Rule      : out protocol any prenat from ip 10.1.1.0/24 to any snat ip 192.168.10.1 with log

Connection table:

edge02> get firewall 24414390-91f2-4059-bc36-4970d794dcc3 connection
Sun Jun 16 2024 UTC 16:23:25.895
Connection count: 1
0x0000000250001a3b: 10.1.1.12 -> 172.16.10.1 (192.168.10.1) dir out protocol icmp  fn 1003:536870912

Statistics/Hits:

edge02> get firewall 24414390-91f2-4059-bc36-4970d794dcc3 ruleset type snat stats
Rule count: 1
    Rule ID             : 536870912
    Input bytes         : 92933
    Output bytes        : 92214
    Input packets       : 1097
    Output packets      : 1100
    Evaluations         : 34
    Hits                : 7
    Active connections  : 1

 

In the NSX API logs (/var/log/proton/nsxapi.log), the following warning is logged:

2024-06-16T16:11:34.749Z  INFO http-nio-127.0.0.1-7440-exec-45 PolicyNATServiceImpl 85878 POLICY [nsx@6876 comp="nsx-manager" level="INFO" reqId="b0f96e54-3de9-4a53-b965-b0495b7fee12" subcomp="manager" username="admin"] The stats for Nat rule /infra/tier-1s/T1-LB-GW/nat/USER/nat-rules/SNAT-Web-server are NatStatisticsPerRule{logicalRouterId='82baff24-4626-414e-bc78-b9c84e5f0aa5', id='536870912', warningMessage='Partial statistics of NAT Rule 536870912 of logical router 82baff24-4626-414e-bc78-b9c84e5f0aa5 from transport node(s) [Ljava.lang.Object;@692dae3d.', lastUpdateTimestamp='1718554294749', super{NatCounters{activeSessions='0', totalPackets='0', totalBytes='0'}}}

Error: Failed to query statistics of logical router 82baff24-4626-414e-bc78-b9c84e5f0aa5 NAT Rule 536870912 : Unable to reach client 228f0128-0c69-11ef-b3c4-0050569d4a26, application AggSvc

2024-06-16T16:11:34.748Z ERROR http-nio-127.0.0.1-7440-exec-55 AggSvcLogicalRouterService 85878 MONITORING [nsx@6876 comp="nsx-manager" errorCode="MP6650" level="ERROR" reqId="5e0414bf-f871-4254-ada3-1a01fb3869c2" subcomp="manager" username="nsx_policy"] Failed to query statistics of logical router 82baff24-4626-414e-bc78-b9c84e5f0aa5 NAT Rule 536870912 : Unable to reach client 228f0128-0c69-11ef-b3c4-0050569d4a26, application AggSvc

 

Cause

The API calls for NAT statistics retrieve aggregate statistics from Edge nodes. If any Edge node associated with NAT rules (Tier-1 or Tier-0 Gateways) is in an unknown, unhealthy, or down state, the NSX UI will not be able to display any NAT statistics.

The API call returns the NAT statistics as zero, with the error: Failed to query statistics of logical router 82baff24-4626-414e-bc78-b9c84e5f0aa5 NAT Rule 536870912 : Unable to reach client 228f0128-0c69-11ef-b3c4-0050569d4a26 (the problematic Edge), application AggSvc

 

 

Resolution

Determine why the Edge node is in an unknown/down state and fix it accordingly. Once the Edge node is healthy, the NAT statistics should be visible.
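
To find which Edge node to check, the log lines shown above can be parsed for the unreachable client UUID and the NAT rules it affects. The following is an added example, not VMware tooling: the function name and the shortened sample lines are constructed here, and the message formats are assumed to match the excerpt in this article.

```python
import re
from collections import defaultdict

# Message formats copied from the nsxapi.log excerpt in this article.
FAILURE = re.compile(
    r"Failed to query statistics of logical router (?P<router>[0-9a-f-]{36}) "
    r"NAT Rule (?P<rule>\d+) : Unable to reach client (?P<client>[0-9a-f-]{36}), "
    r"application AggSvc")
PARTIAL = re.compile(
    r"The stats for Nat rule (?P<path>\S+) are NatStatisticsPerRule\{"
    r"logicalRouterId='(?P<router>[0-9a-f-]{36})', id='(?P<rule>\d+)', "
    r"warningMessage='Partial statistics")

def unreachable_edges(lines):
    """Map each unreachable AggSvc client UUID to the NAT rules whose stats it blocks."""
    paths, blocked = {}, defaultdict(set)
    for line in lines:
        partial = PARTIAL.search(line)
        if partial:  # INFO line: gives the policy path for a (router, rule) pair
            paths[(partial["router"], partial["rule"])] = partial["path"]
        failure = FAILURE.search(line)
        if failure and 'errorCode="MP6650"' in line:  # ERROR line names the client
            blocked[failure["client"]].add((failure["router"], failure["rule"]))
    # Resolve paths last: the ERROR line can precede its INFO line in the log.
    return {client: sorted((r, rule, paths.get((r, rule), "unknown"))
                           for r, rule in rules)
            for client, rules in blocked.items()}

# Constructed sample: the article's two log lines with prefixes and tails shortened.
ROUTER = "82baff24-4626-414e-bc78-b9c84e5f0aa5"
CLIENT = "228f0128-0c69-11ef-b3c4-0050569d4a26"
SAMPLE = [
    '2024-06-16T16:11:34.748Z ERROR AggSvcLogicalRouterService [nsx@6876 '
    'errorCode="MP6650" level="ERROR"] Failed to query statistics of logical '
    f'router {ROUTER} NAT Rule 536870912 : Unable to reach client {CLIENT}, '
    'application AggSvc',
    '2024-06-16T16:11:34.749Z  INFO PolicyNATServiceImpl [nsx@6876 level="INFO"] '
    'The stats for Nat rule /infra/tier-1s/T1-LB-GW/nat/USER/nat-rules/SNAT-Web-server '
    f"are NatStatisticsPerRule{{logicalRouterId='{ROUTER}', id='536870912', "
    "warningMessage='Partial statistics of NAT Rule 536870912', "
    "super{NatCounters{activeSessions='0', totalPackets='0', totalBytes='0'}}}",
]

if __name__ == "__main__":
    for client, rules in unreachable_edges(SAMPLE).items():
        for router, rule, path in rules:
            print(f"client {client} unreachable: rule {rule} ({path}) on {router}")
```

The client UUID in the result is the one to match against the Edge nodes whose status is unknown or down.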