Troubleshoot Network Address Translation (NAT) service issues in NSX
To troubleshoot NAT issues, first confirm that the configuration is correct. Navigate to Networking & Security -> NSX Edges, double-click the Edge device that is performing the NAT, then go to Manage -> NAT.
For more detail, including the per-rule packet and byte counters of the underlying NAT chains, log in to the Edge device via SSH and run the following command.
vShield-edge-3-0> show nat
Use of uninitialized value $chain in concatenation (.) or string at /opt/vmware/vshield/cli/ptrace.pl line 121.
Chain PREROUTING (policy ACCEPT 1 packets, 78 bytes)
rid pkts bytes target prot opt in out source destination
0 1 78 int_dnat all -- * * 0.0.0.0/0 0.0.0.0/0
0 1 78 usr_dnat all -- * * 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT 1 packets, 78 bytes)
rid pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 56 packets, 3640 bytes)
rid pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 56 packets, 3640 bytes)
rid pkts bytes target prot opt in out source destination
0 56 3640 int_snat all -- * * 0.0.0.0/0 0.0.0.0/0
0 56 3640 usr_snat all -- * * 0.0.0.0/0 0.0.0.0/0

Chain int_dnat (1 references)
rid pkts bytes target prot opt in out source destination

Chain int_snat (1 references)
rid pkts bytes target prot opt in out source destination
0 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec mode tunnel

Chain usr_dnat (1 references)
rid pkts bytes target prot opt in out source destination
0 0 0 LOG all -- vNic_0 * 0.0.0.0/0 192.168.18.50 LOG flags 0 level 4 prefix "DNAT_"
0 0 0 DNAT all -- vNic_0 * 0.0.0.0/0 192.168.18.50 to:172.16.10.50

Chain usr_snat (1 references)
rid pkts bytes target prot opt in out source destination
0 0 0 LOG all -- * vNic_0 172.16.10.50 0.0.0.0/0 LOG flags 0 level 4 prefix "SNAT_"
0 0 0 SNAT all -- * vNic_0 172.16.10.50 0.0.0.0/0 to:192.168.10.50
You can also view the configured rules by running the following command. As you can see, I have two rules: one DNAT and one SNAT.
vShield Edge NAT Config:
{
  "dnat" : [
    {
      "protocol" : "any",
      "internalIp" : "172.16.10.50",
      "externalPort" : "any",
      "comments" : "",
      "ruleId" : 196611,
      "icmpType" : null,
      "internalPort" : "any",
      "logging" : {
        "enable" : true,
        "logLevel" : null
      },
      "interface" : "vNic_0",
      "externalIp" : "192.168.18.50"
    }
  ],
  "snat" : [
    {
      "protocol" : "any",
      "internalIp" : "172.16.10.50",
      "externalPort" : "any",
      "comments" : "",
      "ruleId" : 196612,
      "icmpType" : null,
      "internalPort" : "any",
      "logging" : {
        "enable" : true,
        "logLevel" : null
      },
      "interface" : "vNic_0",
      "externalIp" : "192.168.10.50"
    }
  ]
}
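The two views above are worth comparing against each other: the NAT config says what should be installed, and the `show nat` chains say what actually is installed and whether it has matched anything. The script below is an added example (not part of the original post and not VMware's code) that parses both, maps each configured `ruleId` to its DNAT/SNAT entry in the `usr_dnat`/`usr_snat` chains, and reports whether the rule is missing, installed but never hit, or actively translating. The inputs are the page's own JSON and a trimmed copy of its `show nat` output; both counters are zero there, which this check flags as "installed-no-hits" rather than a configuration error.

```python
"""Cross-check NSX Edge NAT config (JSON) against the installed NAT chains
(`show nat`). Added example, not VMware's code; sample inputs below are copied
from the page and constructed here."""
import json
import re

# Constructed sample: trimmed `show nat` output from this page (one built-in
# chain plus the user-defined chains). The zero pkts/bytes on the DNAT/SNAT
# entries mean the rules are installed but have not matched any traffic yet.
SHOW_NAT_OUTPUT = """\
Chain PREROUTING (policy ACCEPT 1 packets, 78 bytes)
rid pkts bytes target prot opt in out source destination
0 1 78 int_dnat all -- * * 0.0.0.0/0 0.0.0.0/0
0 1 78 usr_dnat all -- * * 0.0.0.0/0 0.0.0.0/0

Chain usr_dnat (1 references)
rid pkts bytes target prot opt in out source destination
0 0 0 LOG all -- vNic_0 * 0.0.0.0/0 192.168.18.50 LOG flags 0 level 4 prefix "DNAT_"
0 0 0 DNAT all -- vNic_0 * 0.0.0.0/0 192.168.18.50 to:172.16.10.50

Chain usr_snat (1 references)
rid pkts bytes target prot opt in out source destination
0 0 0 LOG all -- * vNic_0 172.16.10.50 0.0.0.0/0 LOG flags 0 level 4 prefix "SNAT_"
0 0 0 SNAT all -- * vNic_0 172.16.10.50 0.0.0.0/0 to:192.168.10.50
"""

# The NAT config JSON from the page, verbatim apart from line wrapping.
NAT_CONFIG_JSON = """{ "dnat" : [ { "protocol" : "any", "internalIp" : "172.16.10.50",
"externalPort" : "any", "comments" : "", "ruleId" : 196611, "icmpType" : null,
"internalPort" : "any", "logging" : { "enable" : true, "logLevel" : null },
"interface" : "vNic_0", "externalIp" : "192.168.18.50" } ],
"snat" : [ { "protocol" : "any", "internalIp" : "172.16.10.50",
"externalPort" : "any", "comments" : "", "ruleId" : 196612, "icmpType" : null,
"internalPort" : "any", "logging" : { "enable" : true, "logLevel" : null },
"interface" : "vNic_0", "externalIp" : "192.168.10.50" } ] }"""

CHAIN_RE = re.compile(r"^Chain (\S+)")
# One DNAT/SNAT entry: rid pkts bytes target prot opt in out source destination to:X
RULE_RE = re.compile(
    r"^(?P<rid>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>DNAT|SNAT)\s+"
    r"(?P<prot>\S+)\s+--\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"\s+to:(?P<to>\S+)"
)


def parse_nat_chains(text):
    """Return the DNAT/SNAT entries of the user-defined chains with their counters."""
    rules, chain = [], None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        if chain not in ("usr_dnat", "usr_snat"):
            continue  # skip built-in chains and the int_* (internal) chains
        m = RULE_RE.match(line)
        if m:
            r = m.groupdict()
            r["pkts"], r["bytes"] = int(r["pkts"]), int(r["bytes"])
            r["to"] = r["to"].split(":")[0]  # drop a port suffix if present
            r["chain"] = chain
            rules.append(r)
    return rules


def _status(rule_id, hits):
    if not hits:
        return (rule_id, "missing", 0)
    pkts = sum(h["pkts"] for h in hits)
    return (rule_id, "active" if pkts else "installed-no-hits", pkts)


def check_config_against_chains(config, rules):
    """Map each configured rule to its installed entry.

    Status is 'missing' (not installed), 'installed-no-hits' (installed but never
    matched) or 'active' (has matched packets). Returns [(ruleId, status, pkts)].
    """
    results = []
    for r in config.get("dnat", []):
        hits = [x for x in rules if x["target"] == "DNAT" and x["in"] == r["interface"]
                and x["dst"] == r["externalIp"] and x["to"] == r["internalIp"]]
        results.append(_status(r["ruleId"], hits))
    for r in config.get("snat", []):
        hits = [x for x in rules if x["target"] == "SNAT" and x["out"] == r["interface"]
                and x["src"] == r["internalIp"] and x["to"] == r["externalIp"]]
        results.append(_status(r["ruleId"], hits))
    return results


def run_check(show_nat_text=SHOW_NAT_OUTPUT, config_json=NAT_CONFIG_JSON):
    return check_config_against_chains(json.loads(config_json),
                                       parse_nat_chains(show_nat_text))


if __name__ == "__main__":
    for rule_id, status, pkts in run_check():
        print(f"rule {rule_id}: {status} ({pkts} packets)")
```

Paste the real `show nat` output and the real config into the two constants (or read them from files) to run it against your own Edge. A "missing" result points at a rule that was saved in the UI but never pushed to the Edge; "installed-no-hits" means the rule is in place and the problem is upstream of it (routing, firewall, or traffic never arriving on `vNic_0`).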
If the rule looks correct but traffic still does not flow, a firewall somewhere in the path may be blocking it. You can always run a packet capture on the interface to see whether packets are actually being translated. To start a capture, run the command below; you should see output similar to what follows. It dumps all traffic on the interface, so look for your NAT IPs in the output to confirm that the translation is working correctly.
vShield-edge-3-0> debug packet display interface vNic_0
tcpdump: listening on vNic_0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:05:44.649379 IP 192.168.100.3.22 > 192.168.110.10.58837: Flags [P.], seq 22807552:22807732, ack 107745, win 3165, length 180
19:05:44.649471 IP 192.168.100.3.22 > 192.168.110.10.58837: Flags [P.], seq 22807732:22807912, ack 107745, win 3165, length 180
19:05:44.649506 IP 192.168.100.3.22 > 192.168.110.10.58837: Flags [P.], seq 22807912:22808092, ack 107745, win 3165, length 180
19:05:44.649575 IP 192.168.100.3.22 > 192.168.110.10.58837: Flags [P.], seq 22808092:22808272, ack 107745, win 3165, length 180
19:05:44.649681 IP 192.168.100.3.22 > 192.168.110.10.58837: Flags [P.], seq 22808272:22808452, ack 107745, win 3165, length 180
```
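The capture above only shows an unrelated SSH session (192.168.100.3:22), so by itself it says nothing about the NAT rules. Rather than eyeballing a busy dump, it helps to classify each line against the rule's addresses. The script below is an added example (not from the original post or VMware) that parses `debug packet display` output in tcpdump format and tags each packet for the two rules on this page. It assumes the capture was taken on the external interface (`vNic_0`), where inbound packets for the DNAT rule are seen with the external IP as destination, outbound SNAT traffic is seen with the external IP as source, and the internal address 172.16.10.50 should never appear at all; a packet carrying the internal address on that interface is the tell-tale of a rule that did not match. The two SSH lines are from the page; the remaining capture lines are constructed to show each case.

```python
"""Classify `debug packet display` (tcpdump) lines against NSX Edge NAT rules.
Added example, not VMware's code. Assumes the capture is on the external
interface (vNic_0 on this page)."""
import re
from collections import Counter

# Rule addresses taken from the page's NAT config.
DNAT_RULE = {"externalIp": "192.168.18.50", "internalIp": "172.16.10.50"}
SNAT_RULE = {"internalIp": "172.16.10.50", "externalIp": "192.168.10.50"}

# Constructed sample: two SSH lines from the page plus constructed lines for an
# inbound DNAT packet, its reply, an outbound SNAT packet, and one packet that
# leaked the internal address untranslated.
CAPTURE = """\
tcpdump: listening on vNic_0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:05:44.649379 IP 192.168.100.3.22 > 192.168.110.10.58837: Flags [P.], seq 22807552:22807732, ack 107745, win 3165, length 180
19:05:44.649471 IP 192.168.100.3.22 > 192.168.110.10.58837: Flags [P.], seq 22807732:22807912, ack 107745, win 3165, length 180
19:05:45.100000 IP 192.168.110.10.51000 > 192.168.18.50.443: Flags [S], seq 1, win 65535, length 0
19:05:45.100500 IP 192.168.18.50.443 > 192.168.110.10.51000: Flags [S.], seq 1, ack 2, win 65535, length 0
19:05:46.200000 IP 192.168.10.50.52000 > 192.168.110.20.53: UDP, length 40
19:05:47.300000 IP 172.16.10.50.52001 > 192.168.110.20.53: UDP, length 40
"""

# tcpdump prints "src.port > dst.port:"; the port is absent for ICMP, so it is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?:"
)


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip) for an IP line, or None for anything else."""
    m = LINE_RE.match(line)
    return (m.group("ts"), m.group("src"), m.group("dst")) if m else None


def classify(src, dst, dnat=DNAT_RULE, snat=SNAT_RULE):
    """Tag one packet seen on the external interface relative to the NAT rules."""
    internal = {dnat["internalIp"], snat["internalIp"]}
    if src in internal or dst in internal:
        return "untranslated-internal"   # internal IP should never leave untranslated
    if dst == dnat["externalIp"]:
        return "dnat-inbound"            # arriving for the DNAT rule (pre-translation)
    if src == dnat["externalIp"]:
        return "dnat-reply"              # reply reverse-translated back to external IP
    if src == snat["externalIp"]:
        return "snat-outbound"           # outbound traffic after SNAT
    if dst == snat["externalIp"]:
        return "snat-reply"
    return "unrelated"


def summarize(capture):
    """Count packets per class; a capture with only 'unrelated' lines never hit NAT."""
    counts = Counter()
    for line in capture.splitlines():
        p = parse_line(line)
        if p:
            counts[classify(p[1], p[2])] += 1
    return counts


def find_untranslated(capture):
    """Return (timestamp, src, dst) of packets that leaked the internal address."""
    return [p for p in map(parse_line, capture.splitlines())
            if p and classify(p[1], p[2]) == "untranslated-internal"]


if __name__ == "__main__":
    for cls, n in sorted(summarize(CAPTURE).items()):
        print(f"{cls:22s} {n}")
    for ts, src, dst in find_untranslated(CAPTURE):
        print(f"untranslated at {ts}: {src} -> {dst}")
```

If every line comes back "unrelated", traffic for the NAT IPs is not reaching the interface at all, which points back at routing or the firewall rather than at the NAT rule; "untranslated-internal" hits mean the packets arrive but the SNAT rule is not matching them.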
Finally, you can enable logging by navigating to Networking & Security -> NSX Edges, double-clicking the Edge device with the NAT rule, selecting Manage -> NAT, editing the rule, and making sure Enable logging is selected.
Then run the following command to view the log. In the output below you can see my NAT rules being changed and defined.
vShield-edge-3-0> show log
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: FEATURE_MGR :: snat changed
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: FEATURE_MGR :: collect output of snat...
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: FEATURE_MGR :: dnat changed
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: FEATURE_MGR :: collect output of dnat...
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: RESOURCE_MGR :: loaded resource data from /var/db/vmware/vshield/vse_two/resource_save.psf
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: RESOURCE_MGR :: ========================= RESOURCE MGR =========================
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: RESOURCE_MGR :: nat changed
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: RESOURCE_MGR :: snat->nat:add_u_snat
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: RESOURCE_MGR :: dnat->nat:add_u_dnat
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: R_NAT :: snat:add_u_snat: add 1 rules
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: R_NAT :: dnat:add_u_dnat: add 1 rules
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: R_NAT :: created 1 user_defined dnat rules
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: R_NAT :: created 1 user_defined snat rules
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: R_NAT :: created 0 loadbalancer snat rules
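On a busy Edge, `show log` is long and the NAT lines are interleaved with everything else, so it is useful to pull out just the `FEATURE_MGR`/`RESOURCE_MGR`/`R_NAT` events and confirm that the number of rules the Edge reports creating matches what you configured. The script below is an added example (not part of the original post and not VMware's code) that parses the log format shown above and does exactly that; the log lines are the page's own, copied verbatim.

```python
"""Extract NAT events from NSX Edge `show log` output and confirm the rule push.
Added example, not VMware's code; the sample lines are copied from the page."""
import re

SHOW_LOG = """\
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: FEATURE_MGR :: snat changed
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: FEATURE_MGR :: collect output of snat...
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: FEATURE_MGR :: dnat changed
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: FEATURE_MGR :: collect output of dnat...
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: RESOURCE_MGR :: loaded resource data from /var/db/vmware/vshield/vse_two/resource_save.psf
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: RESOURCE_MGR :: ========================= RESOURCE MGR =========================
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: RESOURCE_MGR :: nat changed
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: RESOURCE_MGR :: snat->nat:add_u_snat
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: RESOURCE_MGR :: dnat->nat:add_u_dnat
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: R_NAT :: snat:add_u_snat: add 1 rules
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: R_NAT :: dnat:add_u_dnat: add 1 rules
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: R_NAT :: created 1 user_defined dnat rules
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: R_NAT :: created 1 user_defined snat rules
2015-05-27T18:40:19+00:00 vShield-edge-3-0 config: [daemon.info] INFO :: R_NAT :: created 0 loadbalancer snat rules
"""

# "<timestamp> <host> <process>: [<facility>] <LEVEL> :: <MODULE> :: <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+): \[(?P<facility>[^\]]+)\] "
    r"(?P<level>\S+) :: (?P<module>\S+) :: (?P<msg>.*)$"
)
CREATED_RE = re.compile(
    r"created (?P<n>\d+) (?P<kind>user_defined dnat|user_defined snat|loadbalancer snat) rules"
)
CHANGED_RE = re.compile(r"^(?P<feature>\w+) changed$")


def parse_log(text):
    """Return one dict per line that matches the Edge log format; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def changed_features(events):
    """Features FEATURE_MGR reported as changed, in log order (e.g. ['snat', 'dnat'])."""
    out = []
    for e in events:
        m = CHANGED_RE.match(e["msg"])
        if e["module"] == "FEATURE_MGR" and m:
            out.append(m.group("feature"))
    return out


def nat_rule_counts(events):
    """Rule counts R_NAT reported after the last push, keyed by rule kind."""
    counts = {}
    for e in events:
        m = CREATED_RE.search(e["msg"])
        if e["module"] == "R_NAT" and m:
            counts[m.group("kind")] = int(m.group("n"))
    return counts


def nat_push_ok(events, expected_dnat, expected_snat):
    """True when the Edge reports exactly the number of user-defined rules you configured."""
    counts = nat_rule_counts(events)
    return (counts.get("user_defined dnat") == expected_dnat
            and counts.get("user_defined snat") == expected_snat)


if __name__ == "__main__":
    evs = parse_log(SHOW_LOG)
    print("changed:", changed_features(evs))
    print("created:", nat_rule_counts(evs))
    print("push ok:", nat_push_ok(evs, expected_dnat=1, expected_snat=1))
```

A mismatch between the expected counts and what `R_NAT` reports (or no `R_NAT` lines at all after an edit in the UI) tells you the rule never made it to the Edge, which is a different problem from a rule that is installed but not matching traffic.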
1 Comment
What is the command related to the second gray block? Would it be “show configuration nat”?