Outbound connectivity issues for VMs in NSX segments in VMware Cloud Director environments
Article ID: 429759


Products

VMware NSX

Issue/Introduction

  • Traffic initiated from external networks toward virtual machines connected to NSX segments works as expected (for example, RDP or ICMP).
  • Traffic initiated from virtual machines connected to NSX segments toward external networks receives no response (for example, ICMP echo requests get no reply), so the connection fails.

Environment

  • VMware NSX
  • VMware Cloud Director

Cause

Traffic from virtual machines connected to NSX segments matched a Default SNAT rule on the Edge Gateway while NAT was also configured on the NSX Tier-1 Gateway.

The observed traffic was translated more than once before leaving the NSX Edge, resulting in a source address that upstream or physical network devices were not expecting, which prevented return traffic from being handled correctly.

Resolution

  • Review the NAT configuration along the outbound traffic path, including NAT defined on the Edge Gateway (the Default Autoconfiguration SNAT and any manual NAT rules), on the NSX Tier-1 Gateway, and on the NSX Tier-0 Gateway if applicable, to understand how traffic is translated before it leaves the NSX Edge.

  • Use NSX Traceflow to trace the traffic and confirm whether traffic is being NATed more than once and which source address is used when traffic leaves the NSX Edge.

  • If duplicate or overlapping NAT rules are identified and are causing unexpected behavior, consider disabling or reconfiguring them as appropriate. If you are unsure how to proceed, please open a Support case for further assistance.
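The NAT walk the steps above describe, as an added model (Python, not VMware or NSX code): it applies each gateway's SNAT rules in order and records every translation, so a source address that is NATed twice before leaving the Edge stands out, and it shows the egress address once the overlapping rule is disabled. Rule field names mimic NSX Policy NAT rules; the stage labels, addresses and rule ids are constructed.

```python
"""Model of a packet's source address passing the SNAT stages on its way
out of an NSX Edge. Constructed example; rule dicts mimic the
action/source_network/translated_network fields of NSX Policy NAT rules."""
import ipaddress


def _matches(network: str, ip: str) -> bool:
    # An empty or "ANY" source_network matches every source address.
    if network in ("", "ANY"):
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def trace_snat(src_ip, stages):
    """Apply the first matching enabled SNAT rule of each stage, in the
    order the stages are listed (rules assumed pre-sorted by priority).
    Returns [(stage_name, rule_id, new_source), ...]; two or more entries
    means the packet was translated more than once."""
    hops, current = [], src_ip
    for stage_name, rules in stages:
        for rule in rules:
            if rule.get("action") != "SNAT" or not rule.get("enabled", True):
                continue
            if _matches(rule.get("source_network", "ANY"), current):
                current = rule["translated_network"]
                hops.append((stage_name, rule["id"], current))
                break  # only the first matching rule of a stage applies
    return hops


def egress_source(src_ip, stages):
    hops = trace_snat(src_ip, stages)
    return hops[-1][2] if hops else src_ip


def is_double_translated(src_ip, stages):
    return len(trace_snat(src_ip, stages)) > 1


def with_rule_disabled(stages, rule_id):
    """Copy of the stages with one rule disabled, to test a fix."""
    return [(name, [dict(r, enabled=False) if r["id"] == rule_id else dict(r)
                    for r in rules]) for name, rules in stages]


# Constructed rules: a manual SNAT on the Tier-1 plus a match-all
# default SNAT further along the path (addresses are documentation ranges).
STAGES = [
    ("Edge Gateway / Tier-1", [{"id": "t1-snat-web", "action": "SNAT",
      "source_network": "192.168.10.0/24", "translated_network": "203.0.113.10"}]),
    ("Default Autoconfiguration SNAT", [{"id": "default-snat", "action": "SNAT",
      "source_network": "ANY", "translated_network": "198.51.100.1"}]),
]

if __name__ == "__main__":
    for stage, rule_id, new_src in trace_snat("192.168.10.5", STAGES):
        print(f"{stage}: rule {rule_id} -> source {new_src}")
```

With both rules enabled the packet leaves as 198.51.100.1, not the 203.0.113.10 the upstream expects; disabling the match-all rule restores a single translation.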

Additional Information

For additional reference see:

Autoconfigure Default NAT and Firewall Rules on a Provider Gateway in Your VMware Cloud Director