This topic discusses common configuration issues related to L2 VPN.

In the following procedure:
  • Steps 1, 2, and 3 are applicable only when the L2 VPN service is running on an SSL tunnel.
  • Steps 4, 5, and 6 are applicable when the L2 VPN service is running on both SSL and IPSec tunnels.

Problem

Following configuration issues are specific to L2 VPN clients that use SSL VPN tunnels for routing traffic:
  • L2 VPN client is configured, but Internet-facing firewall does not allow traffic to flow through the tunnel using destination port 443.
  • L2 VPN client is configured to validate server certificate, but it is not configured with correct CA certificate or FQDN.
Following configuration issues are common to L2 VPN clients that use either SSL VPN tunnels or IPSec VPN tunnels for routing traffic:
  • L2 VPN server is configured, but NAT or firewall rule is not created on the Internet-facing firewall.
  • Trunk interface is not backed by either a distributed port group or a standard port group.
Note: For L2 VPN running on SSL tunnels, remember that:
  • L2 VPN server listens on port 443 by default. This port is configurable from L2 VPN server settings.
  • L2 VPN client makes an outgoing connection to port 443 by default. This port is configurable from the L2 VPN client settings.

Solution

  1. Check whether the L2 VPN server process is running.
    1. Log in to NSX Edge VM.
    2. Run the show process monitor command, and verify if you can find a process with name l2vpn.
    3. Run the show service network-connections command, and verify if l2vpn process is listening on port 443.
  2. Check whether the L2 VPN client process is running.
    1. Log in to NSX Edge VM.
    2. Run the show process monitor command, and verify if you can find a process with name naclientd.
    3. Run the show service network-connections command, and verify if naclientd process is listening on port 443.
  3. Check whether the L2 VPN server is accessible from the Internet.
    1. Open browser, and visit https://<l2vpn-public-ip>.
    2. A portal login page must be displayed. If the portal page is displayed, it means that L2 VPN server is reachable over the Internet.
  4. Check whether the trunk interface is backed by a distributed port group or a standard port group.
    1. If the trunk interface is backed by a distributed port group, a sink port is automatically set.
    2. If the trunk interface is backed by a standard port group, you must manually configure the vSphere Distributed Switch as follows:
    • Set the port to promiscuous mode.
    • Set the Forged Transmits to Accept.
  5. Mitigate the L2 VPN looping issue.
    1. Two major issues are observed when NIC teaming is not configured correctly — MAC flapping, and duplicate packets. Verify configuration as described in L2VPN Options to Mitigate Looping.
  6. Check whether VMs across L2 VPN can communicate with each other.
    1. Log in to L2 VPN server CLI, and capture packet on the corresponding tap interface debug packet capture interface name.
    2. Log in to L2 VPN client, and capture packet on the corresponding tap interface debug packet capture interface name
    3. Analyze these captures to check if ARP is getting resolved and data traffic flow.
    4. Check if Allow Forged Transmits: dvSwitch property is set to L2 VPN trunk port.
    5. Check if sink port is set to L2 VPN trunk port. To do so, log in to host and issue command net-dvs -l. Check the sink property set for the L2 VPN edge internal port (com.vmware.etherswitch.port.extraEthFRP = SINK). Internal port refers to the dvPort where the NSX Edge trunk is connected to.
    The command output shows that the sink port is enabled for the dvPort where the Edge trunk interface is connected to.