Unable to ping the NSX overlay VM with more than 1414 bytes from outside NSX environment.

Article ID: 428813

Products

VMware NSX

Issue/Introduction

• Virtual Machines (VMs) within the NSX environment are unable to transmit packets larger than 1414 bytes to external networks.
• While Jumbo Frames are enabled on the physical switches and internal segments, traffic exceeding the standard MTU minus encapsulation overhead is being fragmented or dropped when exiting the NSX environment.
• VM-to-VM traffic across segments works with large packets, confirming host-to-host TEP communication and Segment MTU are configured correctly.
• Only northbound traffic (Edge to Physical) fails, identifying the bottleneck at the Edge-to-Physical peering point.

Environment

VMware NSX 4.x

Cause

The issue is caused by a Path MTU (PMTU) mismatch occurring at the physical perimeter.

Specifically, a physical firewall on the northbound data path was not configured for Jumbo Frames, leaving its interface MTU set to the default of 1500 bytes. Because the Geneve-encapsulated packets or large routed frames originating from the NSX environment exceeded this 1500-byte limit, the firewall dropped or fragmented the traffic.

Resolution

To resolve this issue, the physical network path must be aligned to support the required MTU size.

  1. Engage the Firewall Vendor/Network Team: Work with the physical firewall administrator or vendor to increase the interface MTU (typically to 9000 for Jumbo Frames) to ensure consistency across the entire physical data path.

  2. Further Troubleshooting: For detailed steps on verifying and troubleshooting MTU mismatches and fragmentation within the NSX fabric, refer to the official VMware Knowledge Base article: https://knowledge.broadcom.com/external/article/374882
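
To confirm where the path stops passing large packets, before and after the firewall MTU change, the largest ICMP payload that survives with the Don't Fragment bit set can be found by bisection. This is an added example, not part of the original article or of VMware tooling; it assumes a Linux host with iputils `ping` (`-M do`), and the `probe` and `find_max_payload` names and the 8972-byte default ceiling are chosen here for illustration.

```shell
#!/bin/sh
# Added example: bisect the largest ICMP echo payload that passes with DF set.
# Assumption: Linux iputils ping, where "-M do" forbids fragmentation.

# probe HOST SIZE: succeeds if one echo with SIZE payload bytes gets a reply.
probe() {
    ping -M do -c 1 -W 1 -s "$2" "$1" >/dev/null 2>&1
}

# find_max_payload HOST [LOW] [HIGH]
# Prints the largest payload size in [LOW, HIGH] for which probe succeeds.
# HIGH defaults to 8972 (9000-byte MTU minus 20 IPv4 and 8 ICMP header bytes).
find_max_payload() {
    host=$1
    lo=${2:-0}
    hi=${3:-8972}

    # The lower bound must pass, otherwise the target is simply unreachable.
    if ! probe "$host" "$lo"; then
        echo "no reply from $host at payload $lo" >&2
        return 1
    fi

    # Invariant: lo is known to pass; everything above hi is known to fail
    # or is outside the search range.
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$host" "$mid"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$lo"
}

# Run only when a target is given, e.g.: sh pmtu.sh <overlay-vm-ip>
if [ "$#" -gt 0 ]; then
    max=$(find_max_payload "$@") || exit 1
    # On-wire IPv4 packet size = payload + 20 (IPv4) + 8 (ICMP).
    echo "max DF payload: $max bytes (IPv4 packet: $(( max + 28 )) bytes)"
fi
```

Run it from a host outside the NSX environment against the overlay VM; a result that stays near 1414 after the change means a device on the northbound path is still limiting the MTU.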