Troubleshooting NSX

NSX Troubleshooting

Troubleshooting DFW

Use Log Insight to verify whether traffic is being dropped

  • Connect to lan-pw-ts01 or lan-pw-ts02 via RDP
  • Open a web browser and go to: https://loginsight.zsp.sas.com/
  • Make sure “Active Directory” is selected, not “Local (built-in)”
  • Username is your ZSP ID, e.g. dazfre
  • Password is your Zeus password
  • Click Login
  • Click “Interactive Analysis” at the top
  • Click “add filter”
  • Type “src” and select “vmw_nsx_firewall_src”
    • Operator: contains
    • Value: the IP address you are troubleshooting
  • Click “add filter”
  • Type “action” and select “vmw_nsx_firewall_action”
    • Operator: contains
    • Value: “drop”

  • The results show what the DFW is dropping for that source address.
  • If you don’t see any drops for it, continue to the next section.

How to see what rules are applied

  • SSH to the ESXi host where the VM is located
    • Username is root
    • Use the VCS admin password
  • Find the name of the slot 2 filter (the vmware-sfw filter) on the VM’s vNIC
    • summarize-dvfilter | grep -A2 '{vmname}'
    • Copy the name: line shown under vNic slot 2
  • To see the rules applied to that filter
    • vsipioctl getrules -f {filter name}

Example:

[root@shqzspesx01d:~] summarize-dvfilter | grep -A2 'itdba-pw-ts01'
world 181522 vmm0:itdba-pw-ts01 vcUuid:'50 2f 99 9b a6 69 8b b0-4e d3 6e 37 8e 8a 18 3e'
 port 50331680 itdba-pw-ts01.eth0
  vNic slot 2
   name: nic-181522-eth0-vmware-sfw.2

[root@shqzspesx01d:~] vsipioctl getrules -f nic-181522-eth0-vmware-sfw.2

[root@shqzspesx01d:~] vsipioctl getrules -f nic-181522-eth0-vmware-sfw.2 | grep 170
rule 1107 at 33 inout protocol tcp from addrset ip-securitygroup-171 to addrset ip-securitygroup-170 port 1433 accept with log;
rule 1106 at 34 inout protocol tcp from addrset ip-securitygroup-169 to addrset ip-securitygroup-170 port 5022 accept with log;
rule 1106 at 35 inout protocol tcp from addrset ip-securitygroup-169 to addrset ip-securitygroup-170 port 3389 accept with log;
rule 1106 at 36 inout protocol tcp from addrset ip-securitygroup-169 to addrset ip-securitygroup-170 port 5985 accept with log;
rule 1106 at 37 inout protocol tcp from addrset ip-securitygroup-169 to addrset ip-securitygroup-170 port 1433 accept with log;
rule 1104 at 157 inout protocol tcp from addrset ip-securitygroup-170 to addrset ip-securitygroup-41 port 22 accept with log;
rule 1104 at 158 inout protocol tcp from addrset ip-securitygroup-170 to addrset ip-securitygroup-41 port 443 accept with log;
rule 1052 at 170 inout protocol tcp from addrset ip-securitygroup-89 to addrset ip-securitygroup-28 port 9443 accept with log;
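The two steps above (find the slot 2 filter, then read its rules) as an added example, not code from the post: POSIX sh and busybox awk helpers that run in the ESXi shell. The sample output at the bottom is constructed (the `<uuid>`, rule 1170 and rule 1001 are placeholders) so the helpers can be exercised offline; on a host, pipe `summarize-dvfilter` and `vsipioctl getrules -f` into them instead.

```shell
#!/bin/sh
# POSIX sh + busybox awk helpers for the ESXi shell (added example; sample data below is constructed).
# slot_filter_name VMNAME SLOT: from summarize-dvfilter output on stdin, print the filter name
# at vNic slot SLOT of the VM whose world line carries "vmm0:VMNAME" (exact, unlike a grep).
slot_filter_name() {
  awk -v vm="$1" -v slot="$2" '
    /^world /                              { in_vm = ($3 == ("vmm0:" vm)); want = 0 }
    in_vm && $1 == "vNic" && $2 == "slot"  { want = ($3 == slot) }
    in_vm && want && $1 == "name:"         { print $2; exit }'
}

# rules_for_addrset ADDRSET: rules whose source or destination is exactly ADDRSET.
# A bare "grep 170" also hits rule id 1170 or port 1700; this token match does not.
rules_for_addrset() {
  awk -v set="$1" '/^ *rule / { for (i = 1; i < NF; i++) if ($i == "addrset" && $(i+1) == set) { print; next } }'
}

# first_match SRCSET DSTSET PORT: DFW walks rules in "at" order, first match wins; print the
# winning rule for a TCP flow between two addrsets. Assumes single-port rules (no ranges/lists).
first_match() {
  awk -v src="$1" -v dst="$2" -v port="$3" '/^ *rule .* protocol / {
    s = d = p = pr = "any"                    # "any" in a rule matches everything
    for (i = 1; i < NF; i++) {
      if ($i == "protocol")                    pr = $(i+1)
      if ($i == "from" && $(i+1) == "addrset") s  = $(i+2)
      if ($i == "to"   && $(i+1) == "addrset") d  = $(i+2)
      if ($i == "port")                        p  = $(i+1)
    }
    if ((pr == "any" || pr == "tcp") && (s == "any" || s == src) &&
        (d == "any" || d == dst) && (p == "any" || p == port)) { print; exit } }'
}

# Constructed sample output (not captured from a host) so the helpers can run offline.
sample_dvfilter() { cat <<'EOF'
world 181522 vmm0:itdba-pw-ts01 vcUuid:'<uuid>'
 port 50331680 itdba-pw-ts01.eth0
  vNic slot 2
   name: nic-181522-eth0-vmware-sfw.2
  vNic slot 1
   name: nic-181522-eth0-dvfilter-generic-vmware-swsec.1
EOF
}
sample_rules() { cat <<'EOF'
ruleset domain-c7 {
  rule 1107 at 33 inout protocol tcp from addrset ip-securitygroup-171 to addrset ip-securitygroup-170 port 1433 accept with log;
  rule 1106 at 34 inout protocol tcp from addrset ip-securitygroup-169 to addrset ip-securitygroup-170 port 5022 accept with log;
  rule 1170 at 35 inout protocol tcp from addrset ip-securitygroup-41 to addrset ip-securitygroup-28 port 1700 accept;
  rule 1001 at 36 inout protocol any from any to any drop with log;
}
EOF
}
```

`first_match` tells you which rule actually wins for a flow, including the catch-all at the end of the list, which a grep on one security group number will not reveal.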


About Daniel Fredrick

Technology enthusiast, Programmer, Network Engineer CCIE# 17094
