Multicast traffic fails from VM to physical destination

Article ID: 439567


Products

VMware NSX

Issue/Introduction

Administrators managing an NSX environment may experience a unidirectional multicast failure where outbound traffic from a virtual machine drops before reaching the physical underlay.

While inbound multicast streams from physical devices successfully reach the virtualized workloads, VMs cannot send multicast traffic outward.

This control plane disconnect typically occurs when physical switches are configured with IGMP Snooping but lack an active IGMP Querier to manage group memberships. Consequently, the physical Top-of-Rack switches prune or age out the ports, silencing outbound traffic. The configuration of the vSphere Distributed Switch (vDS) must also correctly process IGMP control packets to ensure host uplinks are properly registered.

For example, in a VxRail cluster using NSX 4.2.3.3, multicast traffic sent from a physical workstation to a VM works correctly; however, traffic from the VM to the physical workstation fails (no traffic received).

When you send multicast traffic from a physical DT to a VM... it works correctly; however, when we send multicast traffic from VM to the physical DT it doesn’t work.

Direction | Status | Context
Physical → VM | 🟢 Success | Inbound traffic is forwarded by physical switches.
VM → Physical | 🔴 Failure | Virtual switch prunes traffic due to missing IGMP Querier.

Environment

  • VMware NSX
  • VMware Cloud Foundation (VCF)

Cause

The virtual switch (vDS/NSX Segment) prunes outbound multicast traffic when it fails to detect an active IGMP Querier on the physical network.

The virtual switch requires an active IGMP Querier to maintain a list of physical receivers. Without queries, the switch assumes no listeners exist on the physical network and prunes the traffic to prevent unnecessary flooding.

Resolution

This behavior is by design for IGMP Snooping environments. To resolve it, configure an active IGMP Querier. See the VMware NSX Administration Guide for architectural requirements.

To resolve the outbound multicast traffic failure, network administrators must configure IGMP Snooping and an active IGMP Querier on the physical Layer 2/Layer 3 underlay devices providing connectivity to the ESXi host transport nodes.

To verify that the NSX configuration is properly established and not contributing to the issue, perform the following operational validation checks:

1. Gateway Configuration Validation (NSX Manager UI)

Tier-0 Gateway Checks:

  1. Navigate to Networking > Tier-0 Gateways.
  2. Edit the target Tier-0 Gateway.
  3. Verify the Multicast toggle is set to Enabled.
  4. Validate the Replication Multicast Range. This must be a CIDR block used in the underlay for GENEVE outer destination IPs to replicate workload/tenant multicast group addresses. Ensure this range does not overlap with actual tenant multicast group addresses.
  5. Ensure an IGMP Profile and a PIM Profile are successfully selected from the respective drop-down menus.
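
The overlap rule in step 4 can be checked offline before the gateway is edited. The following is an added example, not part of NSX or of the original article: the function name and the sample addresses are hypothetical, and the test that the range lies inside 224.0.0.0/4 is an extra sanity check assumed here.

```python
from ipaddress import ip_network

IPV4_MULTICAST = ip_network("224.0.0.0/4")

def check_replication_range(replication_cidr, tenant_groups):
    """Return a list of problems; an empty list means the range passes."""
    try:
        # strict=True rejects values with host bits set, e.g. 239.0.0.1/24
        rng = ip_network(replication_cidr, strict=True)
    except ValueError as exc:
        return [f"not a valid CIDR block: {exc}"]
    problems = []
    # assumption: the replication range must itself be IPv4 multicast space
    if rng.version != 4 or not rng.subnet_of(IPV4_MULTICAST):
        problems.append(f"{rng} is not inside {IPV4_MULTICAST}")
    for entry in tenant_groups:
        # a tenant entry may be one group address or a CIDR block of groups
        groups = ip_network(entry, strict=False)
        if groups.version == rng.version and groups.overlaps(rng):
            problems.append(f"tenant group {entry} overlaps replication range {rng}")
    return problems

# Constructed sample values, not taken from any real deployment
TENANT_GROUPS = ["239.1.1.10", "239.0.0.5", "239.2.0.0/16"]
```

Calling `check_replication_range("239.0.0.0/24", TENANT_GROUPS)` reports the overlap with 239.0.0.5, while a range such as 239.200.0.0/24 returns an empty list.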

Tier-1 Gateway Checks:

  1. Navigate to Networking > Tier-1 Gateways.
  2. Edit the target Tier-1 Gateway.
  3. Verify the Tier-1 Gateway is explicitly linked to the multicast-enabled Tier-0 Gateway.
  4. Verify an Edge Cluster is selected for the Tier-1 Gateway (required for multicast services).
  5. Verify the Multicast toggle is set to Enabled.

2. NSX Segment Verification

Verify the MAC Discovery segment profile applied to your multicast-enabled segments has IGMP Snooping enabled:

  1. Navigate to Networking > Connectivity > Segments.
  2. Locate the specific segment to which your virtual machine is attached.
  3. Click the vertical ellipses (three dots) next to the segment name and select Edit.
  4. Expand the Segment Profiles section and note the exact name of the profile currently assigned in the MAC Discovery drop-down menu.
  5. Navigate to Networking > Settings > Segment Profiles and select the MAC Discovery tab.
  6. Locate the assigned profile. Click the vertical ellipses next to the profile and select Edit (or View if it is a system-defined, read-only profile).
  7. Verify the IGMP Snooping toggle is set to Enabled. If IGMP Snooping is disabled, create a new MAC Discovery profile with IGMP Snooping enabled and apply it to the segment, or modify the existing custom profile.

3. Physical Underlay Validation

Verify that the physical Top of Rack (ToR) Layer 2 switches connected to the ESXi host transport nodes are properly configured:

  1. IGMP Snooping State Validation: The Layer 2 domain must be actively snooping IGMP traffic to build multicast forwarding tables.
  2. IGMP Querier Election Validation: An IGMP Querier must be active on the physical router or Layer 3 switch providing connectivity to those VLANs.
  3. Multicast Router Port Validation: The physical switch must correctly identify the ports connected to upstream multicast routers to forward traffic appropriately.
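
One way to confirm from a packet capture whether any IGMP Querier is active on the VLAN is to look for IGMP Membership Query messages (type 0x11). The parser below is an added example, not VMware code or part of the original article; the function names are hypothetical and the sample frames and addresses are constructed.

```python
import struct
from ipaddress import IPv4Address

IGMP_KINDS = {0x11: "query", 0x12: "v1-report", 0x16: "v2-report", 0x22: "v3-report"}

def parse_igmp(frame):
    """Return (source IP, IGMP kind, group or None) for an IGMP frame, else None."""
    if len(frame) < 18:
        return None
    off, ethertype = 14, struct.unpack_from("!H", frame, 12)[0]
    if ethertype == 0x8100:                        # skip a single 802.1Q tag
        off, ethertype = 18, struct.unpack_from("!H", frame, 16)[0]
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4                  # 24 when Router Alert is present
    if frame[off] >> 4 != 4 or ihl < 20 or frame[off + 9] != 2:
        return None                                # not IPv4 protocol 2 (IGMP)
    igmp = frame[off + ihl:]
    if len(igmp) < 8:
        return None
    kind = IGMP_KINDS.get(igmp[0], "other")
    # bytes 4..7 are a group address only for queries and v1/v2 reports
    group = IPv4Address(igmp[4:8]) if kind not in ("v3-report", "other") else None
    return IPv4Address(frame[off + 12:off + 16]), kind, group

def querier_summary(frames):
    """Report which hosts sent queries and which groups saw v1/v2 reports."""
    queriers, groups = set(), set()
    for src, kind, group in filter(None, map(parse_igmp, frames)):
        if kind == "query":
            queriers.add(src)
        elif kind.endswith("report") and group is not None:
            groups.add(group)
    return {"querier_present": bool(queriers),
            "queriers": [str(q) for q in sorted(queriers)],
            "groups_reported": [str(g) for g in sorted(groups)]}

def _frame(src, dst, igmp_type, group, vlan=None):
    """Build a constructed Ethernet/IPv4/IGMP frame (checksums left at zero)."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x46, 0xC0, 32, 0, 0, 1, 2, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    igmp = struct.pack("!BBH4s", igmp_type, 100, 0, IPv4Address(group).packed)
    return bytes(12) + tag + b"\x08\x00" + ip + b"\x94\x04\x00\x00" + igmp

# Constructed sample frames: a VM's IGMPv2 report and a general query
REPORT = _frame("10.0.0.21", "239.1.1.10", 0x16, "239.1.1.10", vlan=100)
QUERY = _frame("10.0.0.1", "224.0.0.1", 0x11, "0.0.0.0")
```

A capture in which `querier_summary` lists reported groups but returns `querier_present` as False shows membership reports with no querier answering them, which is the condition described under Cause.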

 

Additional Information

For further information regarding multicast routing and segment profiles, refer to the VMware NSX Administration Guide.

For instructions on how to perform packet captures in NSX, refer to KB 345925, Troubleshooting NSX using Packet Captures.