SNAT translation is not working for Tier-0

Article ID: 417359


Products

VMware NSX

Issue/Introduction

  • Two SNAT rules are defined, one on the Tier-1 and one on the Tier-0.
  • VMs on NSX segments are unable to communicate with the external destination network.
  • In Traceflow from the NSX UI (Plan & Troubleshoot > Traffic Analysis > Traceflow) only the Tier-1 SNAT is applied; the Tier-0 SNAT is never applied.

Sample:

T0 SNAT:
"snat": "rule 53#####04 at 1 out protocol any natpass from ip 10.#.#.10 to ip 10.#.0.0/16 snat ip 10.#.#.7 with log;
"snat-stat": "rule 53#####04: 272 evals, 0 active-sessions, in 0 out 0 pkts, in 0 out 0 bytes, 0 hits; << no flow

T1 SNAT:
rule 16##5 at 23 out protocol any natpass from ip 172.#.#.0/24 to any snat ip 10.#.#.10;
rule 16##5: 1753 evals, 55 active-sessions, in 27834641 out 16666790 pkts, in 3204722605 out 2244316994 bytes, 211 hits;

  • On the associated Tier-0, check whether addresses from the destination subnet of the Tier-0 SNAT rule are configured on the loopback interface.

Sample:

Interface : 400#####-14b4-#####-ba81-5##########b
    Ifuid : 315
    Mode : loopback
    Port-type : loopback
    IP/Mask :

10.#.#.5/32,10.#.#.6/32,10.#.#.10/32,10.#.#.11/32,10.#.#.12/32,10.#.#.13/32 <<< includes 10.#.#.10/32, the Tier-1 SNAT IP that the Tier-0 SNAT rule matches as its source

  • When traffic for that destination arrives at the Tier-0, it is delivered to the loopback interface and the Tier-0 SNAT rule is never evaluated, so the traffic is blackholed.
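The two checks above (a Tier-0 SNAT rule that is evaluated but never hit, and loopback addresses that fall inside that rule's destination subnet or equal the Tier-1 SNAT IP the rule matches as its source) can be correlated from the CLI output with a short script. The following is an added example, not part of this article and not an NSX tool; it assumes the rule, statistics and "IP/Mask" lines have the shape of the masked excerpts above, and every address, rule ID and counter in it is constructed sample data, not the article's real values.

```python
"""Added example: correlate NSX edge NAT rule output with Tier-0 loopback addresses."""
import ipaddress
import re

# Constructed sample input shaped like the masked excerpts in this article.
# Addresses, rule IDs and counters are made up for illustration.
T0_NAT_OUTPUT = """\
rule 5301 at 1 out protocol any natpass from ip 10.10.10.10 to ip 10.10.0.0/16 snat ip 10.10.10.7 with log;
rule 5301: 272 evals, 0 active-sessions, in 0 out 0 pkts, in 0 out 0 bytes, 0 hits;
"""
T1_NAT_OUTPUT = """\
rule 1605 at 23 out protocol any natpass from ip 172.16.10.0/24 to any snat ip 10.10.10.10;
rule 1605: 1753 evals, 55 active-sessions, in 27834641 out 16666790 pkts, in 3204722605 out 2244316994 bytes, 211 hits;
"""
# The "IP/Mask" value of the Tier-0 loopback interface (constructed).
T0_LOOPBACK_IPS = "10.10.10.5/32,10.10.10.6/32,10.10.10.10/32,10.10.10.11/32"

ADDR = r"[0-9a-fA-F.:/]+"  # address or prefix; stops before ';' or ' with log'
RULE_RE = re.compile(
    r"rule (?P<id>\S+) at \d+ \S+ protocol \S+ natpass "
    r"from (?:ip (?P<src>" + ADDR + r")|any) to (?:ip (?P<dst>" + ADDR + r")|any) "
    r"snat ip (?P<snat>" + ADDR + r")"
)
STAT_RE = re.compile(
    r"rule (?P<id>\S+): (?P<evals>\d+) evals, (?P<active>\d+) active-sessions, .*?(?P<hits>\d+) hits;"
)


def parse_nat_rules(text):
    """Return {rule_id: {src, dst, snat, evals, active, hits}} from rule and stat lines."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            r = rules.setdefault(m["id"], {})
            r["src"] = ipaddress.ip_network(m["src"], strict=False) if m["src"] else None
            r["dst"] = ipaddress.ip_network(m["dst"], strict=False) if m["dst"] else None
            r["snat"] = ipaddress.ip_address(m["snat"])
            continue
        m = STAT_RE.search(line)
        if m:
            r = rules.setdefault(m["id"], {})
            r.update(evals=int(m["evals"]), active=int(m["active"]), hits=int(m["hits"]))
    return rules


def parse_loopback_ips(ip_mask_field):
    """Split the comma-separated IP/Mask field into interface objects."""
    return [ipaddress.ip_interface(p.strip()) for p in ip_mask_field.split(",") if p.strip()]


def find_findings(t0_rules, t1_rules, loopback_ifaces):
    """Return (rule_id, kind, detail) tuples for the symptoms this article describes."""
    findings = []
    t1_snat_ips = {r["snat"] for r in t1_rules.values() if "snat" in r}
    for rid, r in t0_rules.items():
        # Rule is reached by packets but never translates a flow.
        if r.get("evals", 0) > 0 and r.get("hits", 0) == 0:
            findings.append((rid, "no-hits", ""))
        for ifa in loopback_ifaces:
            ip = ifa.ip
            # Loopback address sits inside the rule's destination subnet.
            if r.get("dst") is not None and ip in r["dst"]:
                findings.append((rid, "dst-overlaps-loopback", str(ip)))
            # Loopback address is the Tier-1 SNAT IP that this rule matches as source.
            if r.get("src") is not None and ip in r["src"] and ip in t1_snat_ips:
                findings.append((rid, "t1-snat-ip-on-loopback", str(ip)))
    return findings


def run():
    """Run the correlation over the constructed sample data."""
    return find_findings(
        parse_nat_rules(T0_NAT_OUTPUT),
        parse_nat_rules(T1_NAT_OUTPUT),
        parse_loopback_ips(T0_LOOPBACK_IPS),
    )


if __name__ == "__main__":
    for rid, kind, detail in run():
        print(f"T0 rule {rid}: {kind} {detail}".rstrip())
```

Paste the real rule and statistics lines from the Tier-0 and Tier-1 edges and the loopback IP/Mask field into the three constants. A "no-hits" finding together with "t1-snat-ip-on-loopback" for the same Tier-0 rule is the pattern described in this article and is what to include when raising the support request.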


Environment

VMware NSX

Cause

Stale NAT rule entries may be present on the affected Tier-0.

Resolution

If this behaviour is seen, collect support bundles from the associated NSX Managers and Edges and open a support request with Broadcom.