NSX Federation iBGP sessions fail to establish due to firewall blocking UDP port 6081

Article ID: 434868

Products

VMware NSX

Issue/Introduction

In an NSX Federation environment, after adding a new site and realizing Tier-0 Service Routers, the internal_sr_vrf iBGP sessions fail to establish across the Inter-Site Network (ISN).

Cross-site routing remains down.

The Remote Tunnel Endpoint (RTEP) tunnels fail to reach an UP state when checking the Edge Nodes.

Environment

  • VMware NSX Federation

Cause

A physical firewall residing in the transport network between the sites is actively blocking bidirectional Geneve encapsulation traffic on UDP port 6081.

This prevents the underlying Remote Tunnel Endpoint (RTEP) tunnels from forming across the Inter-Site Network, which causes the overlay iBGP sessions to fail.

Resolution

  • Identify the allocated RTEP IP pools or specific RTEP interface IP addresses assigned to the Edge Nodes across all participating sites.

  • Modify the physical firewall rules to explicitly permit bidirectional UDP port 6081 traffic sourced from and destined to the RTEP IP address spaces.

  • Verify the RTEP tunnel status using the get tunnels command from the Edge Node CLI to ensure the tunnels transition to an UP state.

  • Verify the internal_sr_vrf BGP sessions successfully establish over the restored ISN tunnels.

    • SSH to the Edge Node.
    • Enter the set debug command.
    • Enter the vrf internal command.
    • Enter the get bgp neighbor summary command.

      You should see that all iBGP neighbors are established.
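
Added example (not part of the original article and not VMware tooling): a pre-change check that builds the full site-to-site flow matrix from the RTEP pools and reports every direction in which a firewall rule export would still drop UDP 6081. The pool addresses, the rule format and first-match evaluation are assumptions; the sample data is constructed.

```python
from ipaddress import ip_network
from itertools import permutations

GENEVE_PORT = 6081  # UDP port named in this article

# Constructed sample data: one RTEP pool per site (documentation address ranges).
RTEP_POOLS = {
    "site-a": "192.0.2.0/28",
    "site-b": "198.51.100.0/28",
    "site-c": "203.0.113.0/28",
}

# Constructed rule export in a hypothetical format, assumed first-match.
# site-a <-> site-b is complete; site-a -> site-c has no return rule.
RULES = [
    {"src": "192.0.2.0/28", "dst": "198.51.100.0/28", "proto": "udp", "port": 6081, "action": "permit"},
    {"src": "198.51.100.0/28", "dst": "192.0.2.0/28", "proto": "udp", "port": 6081, "action": "permit"},
    {"src": "192.0.2.0/28", "dst": "203.0.113.0/28", "proto": "udp", "port": 6081, "action": "permit"},
    {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "any", "port": None, "action": "deny"},
]

def required_flows(pools):
    """Every ordered site pair, so each direction is checked separately."""
    return list(permutations(pools, 2))

def rule_covers(rule, src_net, dst_net):
    """True if the rule covers the whole source and destination pool on UDP 6081.
    Assumption: rules are written per pool or broader; a rule that only
    partially overlaps a pool is treated as not matching."""
    return (src_net.subnet_of(ip_network(rule["src"]))
            and dst_net.subnet_of(ip_network(rule["dst"]))
            and rule["proto"] in ("udp", "any")
            and rule["port"] in (GENEVE_PORT, None))

def verdict(rules, src_net, dst_net):
    """First matching rule wins; implicit deny when nothing matches."""
    for rule in rules:
        if rule_covers(rule, src_net, dst_net):
            return rule["action"]
    return "deny"

def blocked_flows(pools, rules):
    """Ordered (source site, destination site) pairs that are not permitted."""
    nets = {site: ip_network(cidr) for site, cidr in pools.items()}
    return [(a, b) for a, b in required_flows(pools)
            if verdict(rules, nets[a], nets[b]) != "permit"]

if __name__ == "__main__":
    for src, dst in blocked_flows(RTEP_POOLS, RULES):
        print(f"missing permit: udp/{GENEVE_PORT} {RTEP_POOLS[src]} ({src}) -> {RTEP_POOLS[dst]} ({dst})")
```

Scoping each permit to the RTEP pools, rather than opening UDP 6081 between whole site subnets, keeps the change limited to the tunnel endpoints.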

Additional Information

Review the VMware Ports and Protocols Tool for authoritative validation of required NSX Federation ports.