Recently I deployed an NSX L2VPN to address some needs at a customer prior to a data center migration when we hit the wall… its not passing traffic.
I knew we had the L2VPN configured properly because we see the L2VPN statistics show the Tunnel Status as up.
Well it turns out this is fairly common as most people (me included) forget to add the SYNC port in the source (client VPN) vSphere Distributed Switch (vDS). To resolve this you need to do one of the following…
- Enable a Sync port on the DVPort ID associated with the edge trunk vNIC (most often eth1). To do this ssh to an ESXi host in the cluster that contains the standalone NSX L2VPN client workload. Issue the command esxcfg-vswitch -l to find the name of the switch and the dvport to use when you issue the enablesink command… net-dvs –enableSink 1 -p DVPortID vDSSwitchname
- Enable promiscuous mode on the trunk Distributed Port Group. Most know how to do this already via the web client or the good old vSphere Client.
- Create the trunk port group on a vSphere Standard Switch (vSS) instead of a vSphere Distributed Switch (vDS) and Enable promiscuous mode.
NOTE: Using promiscuous mode can cause duplicate pings and duplicate responses. For this reason, we recommend using sink port mode in the L2 VPN standalone NSX Edge configuration.
So in our case we were on a vSphere Distributed Switch (vDS) (vCenter 5.0, vSphere 5.0 hosts and a vSphere 4.1 vDS). It turns our the vSphere 5.0 hosts don’t have the option to add a SYNC port. When running the net-dvs –enableSink command we get back the error “unrecognized option.
So, no worries right, we just use option 2 and enable promiscuous mode on the trunk Distributed Port Group.
Dang it… still not working. So I had and idea… this vDS is like older than dirt and I should update it to see what happens, its only production right and we simply did not have the resources to use option 3. After the update to version 5.0.0 on the vDS and a quick open and save on the Distributed Port Group we finally have L2VPN working.