Ingress connectivity to vSphere Supervisor Cluster fails due to SNAT Translation on NSX Tier-1 Gateway
Article ID: 438408


Products

VMware NSX

Issue/Introduction

  • External clients are unable to reach the vSphere Supervisor Cluster Ingress VIP.
  • The Ingress VIP is successfully provisioned on the VMware Avi Load Balancer (NSX Advanced Load Balancer) Service Engine (SE).
  • Packet captures on the Avi Service Engine (SE) show the SE is responding correctly with the VIP as the source IP.
  • Packet captures on the NSX Tier-1 (T1) Gateway uplink show that the return packets from the VIP are SNATed to the Supervisor Cluster Egress IP address (this SNAT rule is applied automatically during Supervisor Cluster creation). The external client therefore receives a reply from the Egress IP instead of the VIP it connected to, and the Ingress VIP connection fails.
  • Connectivity succeeds only after a manual "NO SNAT" rule (Source IP = ingress subnet, Destination IP = any) is added to the NSX Tier-1 Gateway.

Environment

VMware NSX

Cause

This issue occurs when a broad SNAT rule is defined on the Tier-1 Gateway used by the Supervisor Cluster. Such a rule is typically created for outbound Internet or corporate network access (the Supervisor Cluster egress SNAT rule is one example) and matches a source range wide enough to include the Ingress VIP subnet.

When the return traffic from the Avi Service Engine (sourced from the Ingress VIP) passes through the Tier-1 Gateway on its way to the external client, it matches the broad SNAT criteria. Because NSX NAT processing occurs before routing/delivery in this path, the VIP in the source field is replaced by the Egress IP. The external client then drops the packets because of the IP mismatch: it receives a response from an address it never initiated a connection to, so the reply cannot be matched to the client's connection state.

Resolution

To resolve this, you must configure a NO SNAT (NAT Bypass) rule to ensure Ingress traffic remains untranslated.

Procedure:

  1. Log in to the NSX Manager UI.
  2. Navigate to Networking > NAT.
  3. Select the Tier-1 Gateway associated with your Supervisor Cluster.
  4. Add a new NAT rule with the following parameters:
    • Action: NO SNAT
    • Source IP: your Ingress VIP range (or the specific VIP). Scope the rule to the ingress subnet only, so that egress traffic from the Supervisor and workload networks continues to be SNATed as before.
    • Destination IP: Any (or your specific client CIDR)
    • Priority: set a lower numerical value (higher priority) than the existing SNAT rule. NSX evaluates NAT rules in ascending order of this value, so a NO SNAT rule placed below the broad SNAT rule is never reached and has no effect.
  5. Save the configuration.

Verification: Initiate a connection from an external client to the Ingress VIP and confirm that the source IP of the response, as seen in a packet capture on the client or on the Tier-1 Gateway uplink, is the Ingress VIP and not the Supervisor Cluster Egress IP.
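The following is an added example, not code from the article or from VMware: a small Python model of Tier-1 NAT rule ordering that reproduces the symptom (return traffic from the Ingress VIP rewritten to the Egress IP), shows that the NO SNAT rule only helps when its sequence number is lower than the broad SNAT rule's, and builds the NO SNAT rule body for the NSX Policy API `PATCH .../tier-1s/{tier1_id}/nat/USER/nat-rules/{rule_id}` call that the UI procedure above performs. All addresses, the Tier-1 identifier `t1-supervisor` and the rule identifier `ingress-no-snat` are constructed for the example.

```python
"""Added example, not part of the KB article: model NSX Tier-1 NAT rule
ordering to show why the Ingress VIP gets SNATed to the Egress IP, why
the NO SNAT rule must carry a lower sequence_number than the broad SNAT
rule, and build the NO SNAT rule for the NSX Policy API.

All addresses and identifiers below are constructed (assumptions).
"""
import ipaddress

# Constructed sample addressing (assumption, not from the article).
INGRESS_CIDR = "10.10.20.0/24"   # Supervisor Ingress VIP range
INGRESS_VIP = "10.10.20.5"       # VIP realized on the Avi Service Engine
WORKLOAD_IP = "10.10.30.8"       # a Supervisor/workload address that must keep egress SNAT
EGRESS_IP = "192.0.2.10"         # Supervisor Egress IP (SNAT translated address)
CLIENT_IP = "198.51.100.7"       # external client

# Broad SNAT rule of the kind created for Supervisor egress: anything
# sourced from the Supervisor networks leaves as EGRESS_IP. Its source
# range also covers the ingress subnet, which is the root of the problem.
BROAD_SNAT = {
    "id": "supervisor-egress-snat",
    "action": "SNAT",
    "source_network": "10.10.0.0/16",
    "destination_network": None,      # None = any
    "translated_network": EGRESS_IP,
    "sequence_number": 100,
    "enabled": True,
}


def in_network(ip, network):
    """True when `network` is unset (any) or contains `ip`."""
    if network is None:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def match_nat_rule(rules, src_ip, dst_ip):
    """First enabled rule matching src/dst, evaluated in ascending
    sequence_number: NSX gives the lowest number the highest priority."""
    for rule in sorted(rules, key=lambda r: r["sequence_number"]):
        if not rule.get("enabled", True):
            continue
        if in_network(src_ip, rule.get("source_network")) and in_network(
            dst_ip, rule.get("destination_network")
        ):
            return rule
    return None


def source_after_nat(rules, src_ip, dst_ip):
    """Source address a packet carries after the Tier-1 NAT stage."""
    rule = match_nat_rule(rules, src_ip, dst_ip)
    if rule is not None and rule["action"] == "SNAT":
        return rule["translated_network"]
    return src_ip                     # no match, or NO_SNAT: left untranslated


def build_no_snat_rule(tier1_id, rule_id, source_network,
                       destination_network=None, sequence_number=10):
    """Path and JSON body for the NSX Policy API PATCH that creates the
    NO SNAT rule in the USER NAT section of the Tier-1 Gateway.
    tier1_id and rule_id are caller-chosen identifiers (assumptions here).
    Omitting destination_network means 'any'."""
    path = f"/policy/api/v1/infra/tier-1s/{tier1_id}/nat/USER/nat-rules/{rule_id}"
    body = {
        "display_name": rule_id,
        "action": "NO_SNAT",
        "source_network": source_network,
        "sequence_number": sequence_number,
        "enabled": True,
    }
    if destination_network is not None:
        body["destination_network"] = destination_network
    return path, body


def client_sees(rules):
    """Source IP the external client observes on the reply from the Ingress VIP."""
    return source_after_nat(rules, INGRESS_VIP, CLIENT_IP)


if __name__ == "__main__":
    path, no_snat = build_no_snat_rule("t1-supervisor", "ingress-no-snat", INGRESS_CIDR)
    _, too_late = build_no_snat_rule("t1-supervisor", "ingress-no-snat",
                                     INGRESS_CIDR, sequence_number=200)
    print("PATCH", path)
    print("before fix, client sees reply from:", client_sees([BROAD_SNAT]))
    print("after fix,  client sees reply from:", client_sees([BROAD_SNAT, no_snat]))
    print("NO SNAT behind broad SNAT, client sees:", client_sees([BROAD_SNAT, too_late]))
    print("workload egress still SNATed to:",
          source_after_nat([BROAD_SNAT, no_snat], WORKLOAD_IP, CLIENT_IP))
```

Sending the generated body with `PATCH` to NSX Manager (for example with `curl -X PATCH -H "Content-Type: application/json"`) against the returned path creates or updates the rule; the model is there to check the priority before you do so, since a NO SNAT rule with a higher `sequence_number` than the broad SNAT rule is matched after it and changes nothing.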