Symptoms:
Virtual Machines (VMs) on the same NSX overlay segment fail to form an HA cluster.
This impacts High Availability setups that use multicast-based protocols such as CARP or HSRP.
Unicast traffic between the nodes functions correctly.
Multicast packets intended for the Virtual MAC (vMAC) are dropped by the virtual switchport.
Environment:
VMware NSX
VMware NSX-T Data Center
Cause:
The virtual switchport does not forward traffic to the VM when the source or destination MAC address differs from the MAC assigned to the vNIC, which is exactly what CARP/HSRP virtual IPs rely on. As a result, the CARP virtual MAC is often learned on the physical uplink rather than on the VM port.
This condition may occur in a VMware NSX environment.
Workaround:
Option 1: Static Configuration (Vendor Level)
Configure the HA software to use the "burned-in" or physical vNIC MAC of the active node instead of a virtual floating MAC.
Option 2: Non-Persistent CLI Workaround
Enable Layer 2 security overrides on the specific ESXi host where the VM resides.
1. Identify the dvport ID: nsxcli -c get ports
2. Apply the overrides: nsxdp-cli vswitch l2sec set --dvport <port_ID> --dvs <vDS_Name> --mac-change --forge-src --promisc
3. Verify the settings: nsxdp-cli vswitch l2sec get --dvs <vDS_Name>
Note: This change is non-persistent and reverts after host reboot, VM power cycle, or vMotion.
For a persistent, cluster-wide fix, consider enabling the ESXi advanced setting Net.ReversePathFwdCheckPromisc on each host, as documented in the KB below.
Zscaler Branch Connector VIP Fails to Respond When Hosted on ESXi Due to Virtual MAC Handling.
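Enabling Net.ReversePathFwdCheckPromisc on every host in the cluster, as referenced above, can be audited and applied from PowerCLI. The script below is an added example and not part of this KB or the linked one; it assumes an existing Connect-VIServer session, that the cluster name is a placeholder you replace, and that a value of 1 means enabled for this ESXi option.

```powershell
# Added example (not from the KB): audit, and optionally enable,
# Net.ReversePathFwdCheckPromisc on each ESXi host in one cluster,
# then re-read the value on every host to verify the change took effect.
param(
    [Parameter(Mandatory)] [string] $ClusterName,  # placeholder, e.g. "HA-Cluster-01"
    [switch] $Apply                                # omit for a read-only audit
)

$settingName = 'Net.ReversePathFwdCheckPromisc'
$vmhosts = Get-Cluster -Name $ClusterName | Get-VMHost

foreach ($vmhost in $vmhosts) {
    $setting = Get-AdvancedSetting -Entity $vmhost -Name $settingName
    if (-not $setting) {
        Write-Warning "$($vmhost.Name): $settingName not found on this host"
        continue
    }
    if ([int]$setting.Value -eq 1) {
        Write-Output "$($vmhost.Name): already enabled"
        continue
    }
    if (-not $Apply) {
        Write-Output "$($vmhost.Name): disabled (value $($setting.Value)); rerun with -Apply to enable"
        continue
    }
    # Assumption: 1 enables the option (0 is the ESXi default).
    Set-AdvancedSetting -AdvancedSetting $setting -Value 1 -Confirm:$false | Out-Null
    # Re-read the value instead of trusting the object returned by Set-AdvancedSetting.
    $after = (Get-AdvancedSetting -Entity $vmhost -Name $settingName).Value
    if ([int]$after -eq 1) {
        Write-Output "$($vmhost.Name): enabled"
    } else {
        Write-Warning "$($vmhost.Name): set failed, value is still $after"
    }
}
```

Run it without -Apply first to see which hosts differ, then apply only to the cluster that hosts the HA VMs so the change is scoped to where the CARP/HSRP traffic actually lives.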