EVPN traffic drop due to RPF check failed

Article ID: 406946

Updated On:

Products

VMware NSX

Issue/Introduction

  • Tier-0 Gateway for EVPN Inline Mode is configured.

  • MPLS is used between the source and destination.
  • ICMP REQUEST on T0-uplink interface shows correct VTEP IPs for both source and destination.

No. Time Source Destination Protocol Length Info
37 2025-07-10 09:07:19.996837 192.168.#.# 192.168.#.# ICMP 148 Echo (ping) request id=0x0063, seq=64088/22778, ttl=63 (reply in 38)

Frame 37: 148 bytes on wire (1184 bits), 148 bytes captured (1184 bits)
Ethernet II, Src: VMware (##:##:##:##:##:##), Dst: test ((##:##:##:##:##:##)
Internet Protocol Version 4, Src: 10.#.#.10, Dst: 10.#.#.20 <<<<<<<<<<<<
User Datagram Protocol, Src Port: #####, Dst Port: ####
Virtual eXtensible Local Area Network
Ethernet II, Src: ##:##:##:##:##:## (##:##:##:##:##:##), Dst: ########## (##:##:##:##:##:##)
Internet Protocol Version 4, Src: 192.168.#.#, Dst: 192.168.##.##
Internet Control Message Protocol

  • ICMP REPLY on T0-uplink interface shows an incorrect VTEP source IP.

No. Time Source Destination Protocol Length Info
38 2025-07-10 09:07:20.005436 192.168.#.# 192.168.#.# ICMP 148 Echo (ping) reply id=0x0063, seq=64088/22778, ttl=56 (request in 37)

Frame 38: 148 bytes on wire (1184 bits), 148 bytes captured (1184 bits)
Ethernet II, Src: VMware (##:##:##:##:##:##), Dst: test ((##:##:##:##:##:##)
Internet Protocol Version 4, Src: 10.#.#.30, Dst: 10.#.#.10 <<<<<<<<<<<<
User Datagram Protocol, Src Port: #####, Dst Port: ####
Virtual eXtensible Local Area Network
Ethernet II, Src: ##:##:##:##:##:## (##:##:##:##:##:##), Dst: ########## (##:##:##:##:##:##)
Internet Protocol Version 4, Src: 192.168.#.#, Dst: 192.168.##.##
Internet Control Message Protocol

Environment

VMware NSX

Cause

  • Check whether the remote VTEPs are present in the EVPN RMAC table on the associated T0's Edge, using get evpn rmac:

VNI 100#### #RMACs 1

    RMAC          Remote VTEP
##:##:##:##:##:## 10.#.#.20

Note: 10.#.#.30 is not present in this table.

This is expected behaviour: the NSX Edge is unaware of the VPC VTEP IP because it is not present in the learned EVPN routes, and this results in the RPF check failure.
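
The comparison described above can be scripted. The following is an added example, not VMware code: it parses text in the layout of the get evpn rmac output shown earlier and lists the captured frames whose outer source IP is not a learned remote VTEP. All addresses, the RMAC, the VNI and the function names are constructed for illustration, and the local VTEP address passed in is an assumption.

```python
import ipaddress
import re

# Constructed sample in the `get evpn rmac` layout shown in this article (real values are masked).
SAMPLE_RMAC_OUTPUT = """\
VNI 1000001 #RMACs 1

    RMAC          Remote VTEP
02:00:00:00:00:20 10.0.0.20
"""

# Constructed outer IPv4 headers from a T0-uplink capture: frame number -> (outer src, outer dst).
SAMPLE_OUTER_HEADERS = {
    37: ("10.0.0.10", "10.0.0.20"),  # request sent by the local VTEP
    38: ("10.0.0.30", "10.0.0.10"),  # reply arriving from an unlearned VTEP
}

ROW = re.compile(r"^\s*((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(\S+)\s*$", re.I)
VNI = re.compile(r"^\s*VNI\s+(\d+)\s+#RMACs\s+(\d+)")


def parse_rmac_table(text):
    """Return {vni: {remote_vtep_ip: rmac}} parsed from RMAC table text."""
    table, vni = {}, None
    for line in text.splitlines():
        if m := VNI.match(line):
            vni = int(m.group(1))
            table[vni] = {}
        elif (m := ROW.match(line)) and vni is not None:
            table[vni][ipaddress.ip_address(m.group(2))] = m.group(1).lower()
    return table


def unlearned_sources(outer_headers, rmac_table, local_vtep):
    """Frames addressed to local_vtep whose outer source is not a learned remote VTEP."""
    learned = {ip for rows in rmac_table.values() for ip in rows}
    local = ipaddress.ip_address(local_vtep)  # assumption: the Edge's own VTEP IP
    return {
        frame: src
        for frame, (src, dst) in sorted(outer_headers.items())
        if ipaddress.ip_address(dst) == local
        and ipaddress.ip_address(src) not in learned
    }


if __name__ == "__main__":
    table = parse_rmac_table(SAMPLE_RMAC_OUTPUT)
    for frame, src in unlearned_sources(SAMPLE_OUTER_HEADERS, table, "10.0.0.10").items():
        print(f"frame {frame}: outer source {src} is not in the RMAC table")
```

Running the same check after the VTEP loopback is advertised should return an empty result once the address appears in the RMAC table.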

Resolution

Configure a separate VTEP loopback and make sure it is known in the control plane.