You can verify the load balancer configuration through the vSphere Web Client. You can use the UI to do some load balancer troubleshooting.

Problem

Load balancer is not working as expected.

Solution

After understanding what should be functioning and defining a problem, verify the configuration through the UI as follows.

Prerequisites

Note down the following details:

  • The IP, protocol, and port of the virtual server.

  • The IP, and port of the backend application servers.

  • The topology that was intended - inline or one-armed. For details, refer to the Logical Load Balancer topic in NSX Administration Guide.

  • Verify the trace route and use other network connectivity tools to see that the packets are going to the correct location (edge services gateway).

  • Verify any upstream firewalls are allowing the traffic correctly.

  • Define the problem that you are facing. For example, DNS records for the virtual server are correct, but you are not getting back any content, or incorrect content, and so on.

Procedure

  1. Verify the following application requirements - Protocols required to be supported on the load balancer (TCP, UDP, HTTP, HTTPs), ports, persistence requirements, and pool members.
    • Is the load balancer and firewall enabled and does the edge services gateway have proper routes?

    • What IP address, port and protocol should the virtual server be listening to?

    • Is SSL offload being used? Do you need to use SSL when communicating with the backend servers?

    • Are you using application rules?

    • What is the topology? The NSX load balancer needs to parse all the traffic from the client and the server.

    • Is the NSX load balancer inline or is the client source address translated to ensure return traffic travels back to the load balancer?

  2. Navigate to the NSX Edge, and verify the configurations that are required to enable load balancing and allow traffic to flow as follows:
    1. Verify the load balancer is listed as Up.

    2. Verify the firewall is Enabled. The firewall MUST be enabled for accelerated virtual servers. Non Accelerated TCP and L7 HTTP/HTTPS VIPs must have a policy that allows traffic. Note that the firewall filters will not impact accelerated virtual servers.

    3. Verify that the NAT rules are created for the virtual server. On the NAT tab, click the Hide internal rules or Unhide internal rules link to verify.
      Note:

      If you have load balancing enabled and services configured, but have not configured any NAT rules, it means that the auto rule configuration was not enabled.

    4. You can change the auto rule configurations. For details, refer to Change Auto Rule Configuration topic in the NSX Administration Guide. When an NSX edge services gateway is deployed, you have the option to configure auto rule configuration. If this option was not selected while deploying the edge services gateway, you must enable it for the load balancer to function correctly. Check the pool member status through the UI.

    5. Verify routing, and verify that the edge services gateway has a default route or a static route to your client systems and the backend servers. If there is no route to the servers, health check will not pass. If you are using a dynamic routing protocol you may have to use the CLI. For more information, refer to NSX Routing CLI.
    1. Verify default route.

    2. Verify connected routes. These are the routes on which the edge services gateway has an interface in the subnet. Many times the application servers are connected to these servers.

    3. Verify static routes from the Routing tab > Static Routes.
  3. Verify the IP address, port and protocol of the virtual server.
    1. Double-click an NSX Edge and navigate to Manage > Settings> Interfaces. Verify that IP address for the virtual server is added to an interface.

    2. Verify the virtual server has the proper IP address, port(s) and protocols configured to support the application.
    1. Verify the application profile used by the virtual server.

    2. Verify the IP address, protocol and port of the virtual server. Note your protocol (HTTP or HTTPS) on the virtual server.

    3. Verify the application profile meets the persistent method supported, type (protocol), and SSL (if necessary). If using SSL, ensure you are using a certificate with the correct name and expiration date.

    4. Verify if the correct certificate is used for the clients to connect.

    5. Verify if you require a client certificate, but the clients are not configured. Also, verify if you have selected a narrow cipher list that is too narrow (for example, are clients using older browsers).

    6. Verify if you need SSL to the backend servers.

  4. Check the pool status and configuration as follows:
    1. Verify the pool status, at least one member must be up to serve traffic, but one member may not be enough to serve all the traffic. If zero, or a limited member of pool members are up, try to rectify the problem as described in next steps.

    2. Verify if the topology is correct. SNAT client traffic is controlled in the pool configuration. If the edge services gateway hosting the load balancer function is not inline to see all the traffic, then it will fail. To preserve the IP of the client source, select the Transparent mode. For information, refer to theNSX Administration Guide.

  5. If you are using application rules, verify the rules. Remove the rules if necessary to see if traffic flows.
    1. Reorder the rules to see if the order of the rules is causing the logic to interrupt the traffic flow. For information on how to add an application rule and view application rule examples, see the Add an Application Rule topic in NSX Administration Guide.

What to do next

If you could not find the problem, you may need to use the CLI (Command Line Interface) to find out what is happening. For more information, refer to Load Balancer Troubleshooting Using the CLI.