North-South packets are dropped by rx_drop_rpf_check due to URPF restrictions
search cancel

North-South packets are dropped by rx_drop_rpf_check due to URPF restrictions

book

Article ID: 377403

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

  • Incoming traffic does not arrive at destination VM as expected.
  • T0-GW external interfaces URPF (unicast Reverse Path Forwarding) Mode is set to "Strict".
  • Reviewing statistics on the edge logical routers show the rpf check drop counter increasing on the associated interface:

    # get logical-routers
    name: <Interface_Name>
    "urpf-mode": "STRICT_MODE",
    "rx_drop_rpf_check": 12365,

  • T0-GW traceflow output shows that packets drop at the last hop with the reason "Dropped due to IP failure":

Environment

3.x
4.x

Cause

In Tier-0 gateways, unicast Reverse Path Forwarding is enabled and set as "Strict".

When URPF is enabled, the Edge only forwards packets if they are received on the same interface that would be used to forward the traffic to the source of the packet. If the route to the source address of the packet is through a different interface than the one it is received on, the packet is dropped.

Resolution

Resolve any upstream routing issues that could be causing asymmetric routing issues, check for situations regarding bad routes being pushed via BGP to the NSX edges by auditing the forwarding tables of your network devices that could erroneously distributed.

Workaround

RPF Check can be disabled to allow asymmetric routing by setting URPF mode to "None" via UI or API:

  • NSX Manager UI:  Set Interfaces > Tier -0 Gateways (Edit) > Interfaces and GRE Tunnel > Click on the number beside External and Service Interfaces > Set URPF mode as "None" for relevant interfaces.
  • NSX Manager API:  PATCH  /policy/api/v1/global-infra/tier-0s/<tier-0-id>/locale-services/<locale-service-id>/interfaces/<interface-id>
Powered by Wolken Software