Tier-0 uplink interface stops doing proxy arp for AVI LB VIP
search cancel

Tier-0 uplink interface stops doing proxy arp for AVI LB VIP

book

Article ID: 374330

calendar_today

Updated On:

Products

VMware NSX-T Data Center VMware NSX

Issue/Introduction

The Tier-0 gateway can stop doing proxy arp for the AVI LB VIP if any changes are made to the VIP address or route advertisements on T1 gateway, thus causing the incoming traffic for that VIP to get blackholed since external devices would not be able to forward the traffic to the uplink interface if the "arp_proxy" entry is removed from the uplink interface of T0 gateway.

This can be verified with "get interfaces" command within the T0 SR VRF:

NOTE: This is valid only in NSX environment with Advanced load balancer configuration

Environment

VMware NSX-T Data Center

VMware NSX

Cause

  • AVI creates /32 LB VIP static route on T1 gateway and its get advertised as T1_LB_VIP route on T0 gateway.
  • If user does any changes in advertisement config of T1 gateway, same LB VIP prefix also gets advertised as T1_STATIC. There is no datapath issue but later when user detach AVI LB from T1 gateway, it only removes T1_LB_VIP advertise route from T0 gateway. T0 DR will still have T1_STATIC advertise route as stale entry.
  • In some cases, removing the LB VIP does not remove the advertised route from T0 and the VIP address continues getting advertised as "t1l" in "get route" command as a stale route, but T0 does not do proxy arp for the concerned IP address.

Resolution

This is a known issue which will be addressed in 4.1.2.5 version of NSX-T

Workaround:

  1. Delete the problematic AVI VIP address.
  2. Execute the below reprocess POST API on T1 gateway to which AVI VIP was attached.
    With this API, you will no longer see advertise route on T0 gateway for the deleted VIP address
    POST https://<mp-ip>/policy/api/v1/infra/tier-1s/<id>?action=reprocess&enforcement_point_path=/infra/sites/default/enforcement-points/default
  3. Now bind AVI to the desiredT1 gateway. You will see advertised prefix on T0 gateway as t1l. You will also see ARP Proxy on T0.