The L2 VPN tunnel between the server and client is up, but data is not flowing through the tunnel.

The steps in the following procedure apply to L2 VPN service using both SSL tunnels and IPSec tunnels.

Problem

Connectivity issues exist in the data path between the L2 VPN server and the L2 VPN client.

Cause

Data traffic might not flow in the L2 VPN tunnel due to one of the following reasons:
  • The tunnel ID on the standalone L2 VPN client does not match with the tunnel ID that is configured on the L2 VPN server.
  • The trunk port on the distributed switch does not have the vNIC interface assigned to connect with the standalone L2 VPN Edge virtual appliance.
  • The VLAN range in the trunk port group on the distributed switch of the standalone L2 VPN Edge does not contain the VLAN ID that is configured in the uplink interface of the VM.
  • Sink might not be enabled on the port number of the trunk interface that connects to the standalone L2 VPN Edge appliance.

Solution

  1. To verify whether the tunnel ID on the L2 VPN client matches with the tunnel ID on the L2 VPN server, log in to the CLI of the standalone L2 VPN appliance. Run the show service l2vpn conversion-table command.
  2. To verify whether the trunk port on the distributed switch is assigned a vNIC interface to connect with the standalone L2 VPN Edge appliance, perform these steps in the vSphere Web Client.
    1. Click Hosts and Clusters.
    2. Right-click the standalone L2 VPN Edge, and click Edit Settings.
    3. Make sure that you are on the Virtual Hardware tab page.
    4. In the Network adapter 2 drop-down menu, ensure that the trunk port on the distributed switch is selected, and the Connected check box is selected.
  3. To check the VLAN trunk range on the trunk port group of the distributed switch, perform these steps in the vSphere Web Client.
    1. Click Hosts and Clusters.
    2. Click the Networking tab.
    3. Right-click the trunk port group of the distributed switch, and click Edit Settings.
    4. Open the VLAN page.
    5. Make sure that the VLAN range in the trunk port group contains the VLAN ID that you specified in the uplink port of the VM from where the data traffic originates.
      Note: You must preferably have a dedicated port group on the distributed switch that is configured for VLAN trunking so that it can be connected to the Edge appliance.
  4. To verify whether sink is enabled on the port number of the trunk port group that connects to the standalone L2 VPN Edge appliance, perform these steps in the vSphere Web Client.
    1. Click Hosts and Clusters.
    2. Click the Networking tab.
    3. Click the trunk port group of the distributed switch, and then click the Ports tab.
    4. Find the port number or port ID that is connected to the standalone L2 VPN appliance.
    5. Log in to the CLI of the ESXi host where the standalone L2 VPN client is deployed, and run the following command to check if sink is enabled on this port number:
      net-dvs -l | grep "port\ [0-9]\|SINK\|com.vmware.common.alias"
      For example, if sink is enabled on port 30, the CLI on the ESXi host shows the following output: 
      port 30:com.vmware.etherswitch.port.extraEthFRP =   SINK