When configuring NSX Edge as either an L2 VPN client or server, the trunk interface must be backed by either a distributed port group or a standard port group.

Problem

Following are common configuration issues:

  • The L2 VPN client is configured, but the internet-facing firewall does not allow traffic to flow out from the L2 VPN Edge to the internet (destination port 443).

  • The L2 VPN client is configured to validate the server certificate, but it is not configured with the correct CA certificate or FQDN.

  • The L2 VPN server is configured, but the NAT / firewall rule is not created on the internet-facing firewall.

  • The trunk interface is not backed by either a distributed port group or a standard port group.

Note:

L2 VPN server listens on port 443 by default. This port is configurable from L2 VPN server settings.

L2 VPN client makes an outgoing connection to port 443 by default. This port is configurable from L2 VPN server settings.

Procedure

  1. Check if the L2 VPN server process is running.
    1. Log in to the NSX Edge CLI.
    2. Run the show process monitor command, and verify that a process named l2vpn is present.
    3. Run the show service network-connections command, and verify that the l2vpn process is listening on port 443.
  2. Check if the L2 VPN client process is running.
    1. Log in to the NSX Edge CLI.
    2. Run the show process monitor command, and verify that a process named naclientd is present.
    3. Run the show service network-connections command, and verify that the naclientd process is listening on port 443.
  3. Check if the L2 VPN server is accessible from the internet.
    1. Open a browser, and visit https://<l2vpn-public-ip>.
    2. A portal login page should be displayed. If the portal page is displayed, the L2 VPN server is reachable over the internet.
  4. Check if trunk interface is backed by a distributed port group or a standard port group.
    1. If the trunk interface is backed by a distributed port group, a sink port is automatically set.
    2. If the trunk interface is backed by a standard port group, you should manually configure the vSphere Distributed Switch as follows:
    • Set the port to promiscuous mode.

    • Set the Forged Transmits to Accept.

  5. Mitigate L2 VPN looping issue.
    1. Two major issues are observed if NIC teaming is not configured correctly: MAC flapping and duplicate packets. Verify the configuration as described in L2VPN Options to Mitigate Looping.
  6. Check if VMs across L2 VPN can communicate with each other.
    1. Log in to the L2 VPN server CLI, and capture packets on the corresponding tap interface with the debug packet capture interface <name> command.
    2. Log in to the L2 VPN client CLI, and capture packets on the corresponding tap interface with the debug packet capture interface <name> command.
    3. Analyze these captures to check whether ARP is being resolved and whether data traffic flows.
    4. Check if the Allow Forged Transmits dvSwitch property is set on the L2 VPN trunk port.
    5. Check if a sink port is set on the L2 VPN trunk port. To do so, log in to the host and run the net-dvs -l command. Check that the sink property is set for the L2 VPN Edge internal port (com.vmware.etherswitch.port.extraEthFRP = SINK). The internal port is the dvPort to which the NSX Edge trunk is connected.
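The sink-port check in the last step is easy to get wrong by eye on a host with hundreds of dvPorts. The following is an added example, not VMware code: a small parser that walks net-dvs -l output, groups properties by port, and reports which ports carry com.vmware.etherswitch.port.extraEthFRP = SINK. The sample output, the port-group ids and the exact spacing of the property lines are constructed assumptions; the parser only relies on the `port N:` headers and `key = value , propType = ...` lines.

```python
"""Report which dvPorts in `net-dvs -l` output carry the SINK property."""
import re

SINK_KEY = "com.vmware.etherswitch.port.extraEthFRP"
PORTGROUP_KEY = "com.vmware.common.port.portgroupid"

# Constructed sample output (not a real host): port 12 is the NSX Edge trunk
# port and has the sink set; port 13 belongs to another port group and does not.
SAMPLE_NET_DVS = """\
switch 50 2b 1e 4a 1c 9e 0b 2d-7f 21 56 88 c4 3a 1d 0e (etherswitch)
        max ports: 1792
        global properties:
                com.vmware.common.opaqueDvs = false ,   propType = CONFIG
        port 12:
                com.vmware.common.port.alias = ,        propType = CONFIG
                com.vmware.common.port.portgroupid = dvportgroup-101 ,  propType = CONFIG
                com.vmware.etherswitch.port.extraEthFRP = SINK ,        propType = CONFIG
        port 13:
                com.vmware.common.port.alias = ,        propType = CONFIG
                com.vmware.common.port.portgroupid = dvportgroup-102 ,  propType = CONFIG
"""

PORT_HEADER = re.compile(r"^\s*port\s+(\d+):\s*$")
# key = value [, propType = ...]; the value is captured without trailing spaces
PROP_LINE = re.compile(r"^\s*(\S+)\s*=\s*(.*?)\s*(?:,\s*propType\s*=.*)?$")


def parse_ports(output):
    """Return {port_id: {property_key: value}} for every `port N:` block."""
    ports, current = {}, None
    for line in output.splitlines():
        header = PORT_HEADER.match(line)
        if header:
            current = header.group(1)
            ports[current] = {}
            continue
        if current is None:
            continue  # switch-level lines before the first port block
        prop = PROP_LINE.match(line)
        if prop and prop.group(1).startswith("com.vmware."):
            ports[current][prop.group(1)] = prop.group(2)
    return ports


def sink_ports(output):
    """Sorted ids of ports whose extraEthFRP property is SINK."""
    return sorted(p for p, props in parse_ports(output).items()
                  if props.get(SINK_KEY) == "SINK")


def trunk_port_has_sink(output, portgroup_id):
    """True if some port in the given (assumed) trunk port group has the sink set."""
    return any(props.get(PORTGROUP_KEY) == portgroup_id and props.get(SINK_KEY) == "SINK"
               for props in parse_ports(output).values())
```

On a host, feed the captured net-dvs -l text to trunk_port_has_sink together with the dvportgroup id of the NSX Edge trunk; a False result with a distributed port group backing points at the trunk interface binding rather than the VPN configuration.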