NSX does not allow the configuration of NAT (DNAT or SNAT) with an IP address from a Segment connected to a T1-DR



Article ID: 432539


Updated On:

Products

VMware NSX

Issue/Introduction

  • The user attempted to configure DNAT rules for a Tier1 Gateway.

  • For the DNAT rule, the Destination IP and Port are set to an IP address within the segment range under the Tier1 Gateway.

  • When the Save button is clicked, the UI reports the following error, and the creation of the DNAT rule fails.
    Error: Address <DestinationIP> overlaps with Segment <SegmentName> that has subnet <Tier1GatewayCIDR>. (Error code: 500105)


  • The following logs are output to /var/log/proton/nsxapi.log on the NSX Manager.
    YYYY-MM-DDTHH:MM:SS.NNNZ ERROR http-nio-127.0.0.1-7440-exec-## IpAddressConstraintChecker #### POLICY [nsx@#### comp="nsx-manager" errorCode="PM500105" level="ERROR" reqId="<UUID>" subcomp="manager" username="admin"] IP address <DestinationIP> overlaps with entity Segment (/infra/segments/<SegmentName>) that has subnet <Tier1GatewayCIDR>.

    YYYY-MM-DDTHH:MM:SS.NNNZ  INFO http-nio-127.0.0.1-7440-exec-## NsxBaseRestController #### SYSTEM [nsx@#### comp="nsx-manager" level="INFO" subcomp="manager"] Error in API /nsxapi/api/v1/infra/tier-1s/<Tier1GatewayName>/nat/USER/nat-rules/DNAT caused by exception com.vmware.nsx.management.common.exceptions.InvalidArgumentException:  {"moduleName":"Policy","errorCode":500105,"errorMessage":"Address <DestinationIP> overlaps with Segment path=[/infra/segments/<SegmentName>] that has subnet <Tier1GatewayCIDR>."}

    YYYY-MM-DDTHH:MM:SS.NNNZ  INFO http-nio-127.0.0.1-7440-exec-## NsxBaseRestController #### SYSTEM [nsx@#### audit="true" comp="nsx-manager" level="INFO" subcomp="manager"] UserName:'admin' ModuleName:'Policy' Operation:'PUT@/api/v1/infra/tier-1s/<Tier1GatewayName>/nat/USER/nat-rules/DNAT' Operation status: 'failure' Error: Address <DestinationIP> overlaps with Segment path=[/infra/segments/<SegmentName>] that has subnet <Tier1GatewayCIDR>.
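The following Python is an added example, not code from NSX or from this article. It scans nsxapi.log text for rejections with error code 500105 and reports which Tier-1 gateway, NAT rule, address and segment were involved, counting each rejected request once even though it produces three log lines. The function name `find_nat_overlap_rejections`, the sample timestamps, names and addresses are all constructed, and the code assumes the logged subnet is the segment gateway address in CIDR form.

```python
import ipaddress
import json
import re

# Constructed sample that fills in the three log templates shown in this article.
# Timestamps, names and addresses are made up; the #### fields stay masked.
SAMPLE_LOG = '''\
2024-01-01T10:00:00.123Z ERROR http-nio-127.0.0.1-7440-exec-## IpAddressConstraintChecker #### POLICY [nsx@#### comp="nsx-manager" errorCode="PM500105" level="ERROR" reqId="<UUID>" subcomp="manager" username="admin"] IP address 192.0.2.50 overlaps with entity Segment (/infra/segments/seg-web) that has subnet 192.0.2.1/24.
2024-01-01T10:00:00.130Z  INFO http-nio-127.0.0.1-7440-exec-## NsxBaseRestController #### SYSTEM [nsx@#### comp="nsx-manager" level="INFO" subcomp="manager"] Error in API /nsxapi/api/v1/infra/tier-1s/t1-demo/nat/USER/nat-rules/DNAT caused by exception com.vmware.nsx.management.common.exceptions.InvalidArgumentException:  {"moduleName":"Policy","errorCode":500105,"errorMessage":"Address 192.0.2.50 overlaps with Segment path=[/infra/segments/seg-web] that has subnet 192.0.2.1/24."}
2024-01-01T10:00:00.131Z  INFO http-nio-127.0.0.1-7440-exec-## NsxBaseRestController #### SYSTEM [nsx@#### audit="true" comp="nsx-manager" level="INFO" subcomp="manager"] UserName:'admin' ModuleName:'Policy' Operation:'PUT@/api/v1/infra/tier-1s/t1-demo/nat/USER/nat-rules/DNAT' Operation status: 'failure' Error: Address 192.0.2.50 overlaps with Segment path=[/infra/segments/seg-web] that has subnet 192.0.2.1/24.
'''

# Only the "Error in API" line carries both the API path and the JSON error body.
API_ERROR = re.compile(r"^(\S+)\s+INFO .* Error in API (\S+) caused by exception \S+:\s+(\{.*\})\s*$")
MESSAGE = re.compile(r"Address (\S+) overlaps with Segment path=\[(\S+)\] that has subnet (\S+)\.$")
NAT_PATH = re.compile(r"/tier-1s/([^/]+)/nat/[^/]+/nat-rules/([^/]+)$")


def find_nat_overlap_rejections(log_text):
    """Return one record per NAT rule rejected with error code 500105."""
    records = []
    for line in log_text.splitlines():
        hit = API_ERROR.match(line)
        if not hit:
            continue
        timestamp, api_path, payload = hit.groups()
        try:
            error = json.loads(payload)
            detail = MESSAGE.search(error.get("errorMessage", ""))
            path = NAT_PATH.search(api_path)
            if error.get("errorCode") != 500105 or not detail or not path:
                continue
            address, segment, subnet = detail.groups()
            # Assumption: the subnet is a gateway address in CIDR form; take its network.
            network = ipaddress.ip_interface(subnet).network
            inside = ipaddress.ip_interface(address).network.overlaps(network)
        except ValueError:
            continue  # truncated JSON or an address that does not parse
        records.append({"time": timestamp, "tier1": path.group(1), "rule": path.group(2),
                        "address": address, "segment": segment,
                        "network": str(network), "inside_segment": inside})
    return records


if __name__ == "__main__":
    for record in find_nat_overlap_rejections(SAMPLE_LOG):
        print(record)
```
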

Environment

VMware NSX

Resolution

This is expected behavior.
NSX does not allow the configuration of NAT (DNAT or SNAT) with an IP address from a Segment connected to a T1-DR.

Note:
A workaround is to have that subnet (Overlay or VLAN) connected to a T1 Service Interface.