NSX NCP Error: Subnet should not overlap with other logical router port of same logical router

Article ID: 375581

Products

VMware NSX Networking

Issue/Introduction

Problem definition:

Some pods cannot start up because NCP tries to attach their ports on the NSX-T side within a logical switch that uses the same subnet as another logical switch.

Error seen: "Subnet should not overlap with other logical router port of same logical router." 

Symptoms:

  • In a Tanzu deployment using NCP, some pods fail to start.
  • An IP Block that was used by the deployment has since been removed and a new one was created.
  • The new IP Block has the same CIDR range, and new IP Pools are created based on this Block.
  • IP Pools that were created from the old IP Block still exist.
  • New segments will use the new IP Pool, which will have the same CIDR as the old IP Pools.
  • An attempt to create a new Logical Switch and attach it to a Logical Router fails with the error:
    'Subnet should not overlap with other logical router port of same logical router'
  • The GET API https://{NSX-Manager-IP}/api/v1/pools/ip-pools shows that the IP Pools below have overlapping subnets:

pks-<xxx>-kube-system-0
            "allocation_ranges": [
              {
                "end": "192.168.1.100",
                "start": "192.168.1.10"
              }
            ],
            "cidr": "192.168.1.0/24",

pks-<xxx>-u-dr-0
          {
            "allocation_ranges": [
              {
                "end": "192.168.1.100",
                "start": "192.168.1.10"
              }
            ],
            "cidr": "192.168.1.0/24",

pks-<xxx>-pks-system-host-monitoring-0
            "allocation_ranges": [
              {
                "end": "192.168.1.100",
                "start": "192.168.1.10"
              }
            ],
            "cidr": "192.168.1.0/24",

  • In the VMware NSX NCP ncp/ncp.stdout.log log, similar messages can be seen:

NSX 12895 - [nsx@6876 comp="nsx-container-ncp" subcomp="ncp" level="WARNING"] nsx_ujo.common.controller NamespaceController worker 2 failed to sync logship due to nsx manager exception: Unexpected error from backend manager (['xxx']) for : Failed to attach logical switch xxx to logical router xxx: Unexpected error from backend manager (['xxx']) for POST api/v1/logical-router-ports: Found errors in the request. Please refer to the related errors for details. relatedErrors: [Routing] Subnet should not overlap with other logical router port of same logical router. Subnet [192.168.1.0/24] overlaps with logical router port(s) [LrPort/xxx]. [Routing] Invalid logical port id "xxx" provided.

  • In the NSX-T Manager syslog log, similar messages can be seen:

NSX 4070 ROUTING [nsx@6876 comp="nsx-manager" errorCode="MP10048" level="ERROR" reqId="xxx" subcomp="manager" username="pks-xxx"] [entId=xxx] Given network [192.168.1.0/24] should not overlap with existing logical router port's subnet [LrPort/xxx]

  • In the NSX-T Manager /var/log/proton/nsxapi.log log, similar messages can be seen:

INFO http-nio-127.0.0.1-7440-exec-122 NsxBaseRestController 4070 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Error in API /nsxapi/api/v1/logical-router-ports caused by exception com.vmware.nsx.management.edge.common.exceptions.EdgeException:  {"moduleName":"ROUTING","errorCode":10000,"errorMessage":"Found errors in the request. Please refer to the related errors for details.","relatedErrors":[{"moduleName":"ROUTING","errorCode":10048,"errorMessage":"[Routing] Subnet should not overlap with other logical router port of same logical router. Subnet [192.168.1.0/24] overlaps with logical router port(s) [LrPort/xxx]."}]}

Environment

VMware NSX-T with NCP

Cause

When the previous IP Block was removed, the IP Pools that were created from it were not removed and are now stale. The new IP Block uses the same CIDR as the old IP Block, so any new IP Pools can use the same subnets as the old stale IP Pools. When NCP creates a new Logical Switch using the new IP Pool, it can therefore have the same subnet as existing Logical Switches that were created from a stale IP Pool. Two Logical Switches with the same CIDR cannot be added to the same Logical Router; NSX-T blocks this.

When this issue occurs, NCP deletes the new logical switch and generates the following error in ncp/ncp.stdout.log:
'relatedErrors: [Routing] Subnet should not overlap with other logical router port of same logical router. Subnet [x.x.x.x/x] overlaps with logical router port(s) [LrPort/xxx]'
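
The check described above (listing IP Pools through GET /api/v1/pools/ip-pools and looking for subnets that collide) can be scripted. The following is an added example, not code from this KB article or from VMware. It goes slightly beyond the identical-CIDR case shown here and also flags nested ranges. The field names "results", "display_name" and "subnets" are assumptions about the response shape (the article shows only "allocation_ranges" and "cidr"), and the pool names are constructed.

```python
import ipaddress
import json
from itertools import combinations

# Constructed sample shaped like a GET /api/v1/pools/ip-pools response body.
# Assumed field names: "results", "display_name", "subnets". Pool names are made up.
SAMPLE_RESPONSE = json.dumps({"results": [
    {"display_name": "pool-old-kube-system-0", "subnets": [{"cidr": "192.168.1.0/24"}]},
    {"display_name": "pool-new-dr-0", "subnets": [{"cidr": "192.168.1.0/24"}]},
    {"display_name": "pool-new-monitoring-0", "subnets": [{"cidr": "192.168.1.128/25"}]},
    {"display_name": "pool-unrelated-0", "subnets": [{"cidr": "192.168.2.0/24"}]},
]})


def pool_networks(response_text):
    """Return (pool index, pool name, network) for every subnet of every pool."""
    rows = []
    for idx, pool in enumerate(json.loads(response_text).get("results", [])):
        name = pool.get("display_name") or pool.get("id") or f"pool#{idx}"
        for subnet in pool.get("subnets") or []:
            if subnet.get("cidr"):
                # strict=False accepts a CIDR written with host bits set
                rows.append((idx, name, ipaddress.ip_network(subnet["cidr"], strict=False)))
    return rows


def find_overlaps(response_text):
    """Return sorted (pool_a, pool_b, cidr_a, cidr_b) tuples for subnets of
    different pools that share address space (identical or nested CIDRs)."""
    hits = []
    for (i, name_a, net_a), (j, name_b, net_b) in combinations(pool_networks(response_text), 2):
        # Skip subnets of the same pool; overlaps() raises TypeError across IP versions
        if i == j or net_a.version != net_b.version:
            continue
        if net_a.overlaps(net_b):
            hits.append((name_a, name_b, str(net_a), str(net_b)))
    return sorted(hits)


if __name__ == "__main__":
    for a, b, cidr_a, cidr_b in find_overlaps(SAMPLE_RESPONSE):
        print(f"OVERLAP {a} ({cidr_a}) <-> {b} ({cidr_b})")
```

The script only reads a saved response body and changes nothing on the NSX Manager; pools are compared by list position, so two pools that carry the same display name are still checked against each other.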

Resolution

This issue is fixed in VMware NSX NCP 4.2.1.

If you believe you have encountered this issue and are unable to upgrade, please open a support case with Broadcom Support and refer to this KB article.

For more information, see Creating and managing Broadcom support cases.