ESXi Hosts Cannot Communicate Due to Inter-VLAN Routing
Article ID: 442773
Updated On:
Products
Issue/Introduction
- ESX hosts fail to communicate with the traffic from another VLAN
- May impact vCenter and host communicationsICMP (ping) and port connectivity checks (TCP 443, 902) fail between the vCenter and ESXi hosts.
- Packet captures show traffic leaving the vCenter but not receiving a response from the destination host.
- Hosts cannot join vCenter Server
Cause
This issue is caused by a misconfiguration in the physical network's Layer 3 (L3) routing or VLAN tagging.
Analysis of packet captures (using pktcap-uw) reveals that traffic originating from the source VLAN "A" arrives at the destination ESX host still tagged with the source VLAN ID instead of being correctly routed and retagged to the destination management VLAN "B". Because the destination host is configured to listen only on its management VLAN "B", it ignores or drops the improperly tagged packets at the Virtual Distributed/Standard switch.
Resolution
To resolve this issue, the physical network environment must be adjusted to ensure correct inter-VLAN routing and tagging.
- Verify Inter-VLAN Routing
- Coordinate with your Network Administration team to verify the L3 routing configuration between the vCenter management subnet (Source VLAN) and the ESXi management subnet (Destination VLAN).
- Ensure that the gateway is correctly routing traffic and performing the necessary VLAN retagging.
- Confirm that no Access Control Lists (ACLs) or firewall rules are dropping traffic on ports 443 (HTTPS) and 902 (vCenter-to-Host management).
- Coordinate with your Network Administration team to verify the L3 routing configuration between the vCenter management subnet (Source VLAN) and the ESXi management subnet (Destination VLAN).
- Validate Physical Switch Port Configuration
- Verify that the physical switch ports (e.g., Cisco UCS Fabric Interconnects or Top-of-Rack switches) are configured as trunk ports and correctly allow the required Management VLANs.
- Perform Packet Captures on ESX
- Use the following command on the destination ESX host to verify if the packets are arriving with the correct VLAN tag:
Capture Example:
pktcap-uw --uplink vmnicX --capture UplinkSndKernel,UplinkRcvKernel --vlan [Expected_VLAN_ID] -o - | tcpdump-uw -enr -
NOTE:
- Replace vmnicX with your active management uplink and [Expected_VLAN_ID] with your management VLAN
- This is merely an example of a capture, please reference KB Packet capture on ESXi using the pktcap-uw tool for more detailed examples and capture explanations
Additional Information
Feedback
