When performing a traceroute from a client machine to a destination behind an NSX Tier-0 Gateway, specific hops—specifically the internal router link IP (e.g., 100.64.0.1)—fail to respond.

The traceroute output shows asterisks (*) for the affected hop with request timed out.

Traceroute is completed confirming no communication issues, but the path visibility is lost at the NSX gateway level.

VMware NSX

Traceroute relies on receiving ICMP Time Exceeded messages from each hop. If these replies are dropped, the hop becomes invisible.

This is a condition that may occur in a VMware NSX environment where the physical network does not have a return route for the internal transit subnet (100.64.0.0/31) or security policies in the underlay block these ICMP messages.

Ensure no rules on the Tier-0 Gateway are dropping ICMP traffic.

Perform Packet Captures:

Identify the ESXi host and physical uplink used by the active Edge VM:

netdbg vswitch instance list | grep <Edge_VM_Name>

Capture traffic on the host uplink to verify the exit of the ICMP Time exceeded reply:

pktcap-uw --uplink vmnic# --capture UplinkSndKernel -o - | tcpdump-uw -enr - 

In case the ICMP time exceeded replies are seen exiting the host uplink where the active edge resides,  work with the physical network team to ensure 100.64.0.0/31 traffic is permitted and routable back to the client source.