Troubleshooting HCX Network Extension Datapath Failures
Article ID: 377288
Updated On:
Products
Issue/Introduction
HCX Network Extension service allows creation of a Layer 2 network at destination HCX site (utilizing NSX) and bridge this remote network to the source network. There are a variety of potential reasons why this Datapath could fail. This article will serve as a point of reference to review some possible causes for Datapath failure as well as what documentation is required when opening a support request with Broadcom.
Environment
VMware HCX
Resolution
Below are some common troubleshooting steps to perform:
- Source/on-prem VM on network A cannot communicate with cloud/target VM on stretched network A.
- Verify the IP config (subnet, gateway etc.) is correct inside guest-OS of each affected VM on cloud.
- On both HCX-MGRs UI verify the tunnel state.
- If the tunnel state shows "red" , check if NE (Network Extension) uplink interface can reach its respective HCX-MGR (NE-I with HCX-Connector etc..)
- Check connectivity between NE Uplink interfaces.
- type "
ccli". - Type "
list" to show HCX appliances. - Type "
go #" - replace # with the number of the appliance. - Type "
ssh" to change context to CLI of appliance. - Ping the peer HCX-NE appliance uplink IP :
"ping #.#.#.#"- If this is not successful - check that the NE networks are "connected" in VC UI.
- If this is not successful - check that the NE networks are "connected" in VC UI.
- Verify the UDP 4500 packets are leaving ESXi. To do this follow the steps below.
- Find the MAC of NE uplink interface using VC UI. (see above screenshot)
- SSH to the esxi host the NE resides on.
- run the command "
netdbg vswitch instance list" - find the MAC corresponding to uplink interface. Record what vmnic it is using. - Perform a packet capture from ESXI
pktcap-uw --capture UplinkSndKernel,UplinkRcvKernel --uplink vmnic# -o - | tcpdump-uw -r - -ean host uplink-IP- Pay attention to 2 types of traffic.
- The ICMP traffic which was initiated via ping from NE directly.
- The UDP 4500 packets NE sends to its peer to establish the tunnel.
- If no ICMP reply or UDP traffic from peer NE is seen then this is an indication of a physical networking issue. Remember this trace shows packets are leaving the physical ESXi NIC and therefore handed off to the physical network.
- Type "ctrl-c" to stop the capture.
- Pay attention to 2 types of traffic.
- type "
- Check connectivity between NE Uplink interfaces.
- If the tunnel state shows "red" , check if NE (Network Extension) uplink interface can reach its respective HCX-MGR (NE-I with HCX-Connector etc..)
2. Alternative method to find the NE appliance Uplink Interface:
- Access the HCX Manager UI.
- Navigate to the Service Mesh and view the appliances.
- Make note of the IP address that is associated with the Uplink.
- SSH into the HCX Manager.
- Navigate to the NE appliance (ccli > list > go ID# associated with NE appliance > ssh).
- Issue the
'ifconfig'command. - Find the interface that has the IP address from the above step.
- Make note of the MAC Address.
- Navigate to the vCenter and locate the NE Appliance VM.
- Edit settings on the VM.
- Expand the network adapters and locate which one has the same MAC Address.
- Navigate to Services - Appliances - Select and expand the NE appliances - open Network Extension Details and select the extended network, select Show More Details
1. Verify the NE appliance can learn Local MAC addresses
2. Migrate a VM to the same host as the NE appliance and check if the Local MACs are populating.
3. Investigate further. - This interface can now be used when reviewing ESXi Top output to identify the VMNIC that is used to hand off traffic to the physical environment.
If the above steps show connectivity is healthy, however, there are still connection issues being reported by HCX UI, please file a request with Broadcom support and provide the information below.
- This KB ID.
- HCX version.
- Brief problem description.
- Include Source VM name, IP/subnet and network segment/portgroup.
- Include Destination VM name, IP/subnet and network segment.
- OS type/version for affected VM's used for testing.
- VMware tools version.
- Is MON (Mobility Optimized Networking) enabled?
- What NE # is servicing this extension
- Source/on-prem VM on network A cannot communicate with cloud/target VM on stretched network A.
Additional Information
Helpful documents that should be reviewed to ensure HCX NE(Network Extension) configuration is valid:
- Requirements for Network Extension
- Restrictions and Limitations for Network Extension
- Network Extension to Destinations with Universal Distributed Logical Routers
MON (Mobility Optimized Networking) is a feature of HCX Network Extension service that allows a cloud/destination VM on segment A to communicate with another cloud VM on segment B without having to route back to on-prem/source gateway.
HCX NE appliances can be configured for High Availability (HA). This further protects extended networks from a NE appliance failure at either site.
Known issues with HCX Network Extension service:
- [HCX] Cannot enable MON, un-extend / re-extend network and/or redeploy the NE appliance. All actions fail with Error: org.codehaus.jettison.json.JSONObject$Null
- HCX - NE appliance VM service pipeline down/up event
- HCX - NE appliances in HA mode experience intermittent failover
- HCX NE/IX Appliances tunnel flapping due CPU/Memory contention in the host
- PRE HCX 4.8 - HCX - MON Compatibility with 3rd Party Gateway Routers using a First Hop Redundancy Protocol (FHRP)
- HCX 4.8.0 - HCX - NE appliances in HA mode experience intermittent failover
- How to Troubleshoot and Fix Packet Loss Related to high CPU %RDY on HCX Network Extensions
- VM connectivity issues observed over a newly created HCX Layer 2 extended network
- Connectivity issue when HCX Network Extension (NE) are using Sink port
Feedback
