I have had a couple of customer complaints regarding DNAT rules that worked flawlessly in NSX-V but stopped working after migrating to NSX-T. Packet captures show that packets flow from the virtual machine to the physical environment and are returned by the physical environment towards the virtual machine; however, despite this return path, the packets never reach the virtual machine.
DNAT works for traffic flowing from the virtual machine to the physical IP, but the reverse translation is not applied to the return traffic. Consequently, the return traffic reaching the virtual machine still carries the externally NATed IP, so the virtual machine drops the SYN-ACK packets as they are not intended for it, and communication cannot be established.
To fix this, the "double inspection" mode is needed on the NSX-T Edge; it is not enabled by default. VMware documents it in KB 85453.
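The failure mode described above, as an added illustrative model (not NSX-T code): a minimal stateful DNAT edge that rewrites the destination on the way out and, only when reverse translation is enabled, rewrites the source of the reply. The IP addresses are constructed sample values, and the VM accepts a SYN-ACK only if it comes from the address it sent its SYN to.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN" or "SYN-ACK"


class DnatEdge:
    """Simplified DNAT model: rules maps NATed IP -> real (physical) IP."""

    def __init__(self, rules, reverse_translate=True):
        self.rules = rules
        self.reverse_translate = reverse_translate  # models the double-inspection behaviour
        self.sessions = {}  # (vm_src, real_dst) -> NATed IP the VM actually used

    def outbound(self, pkt):
        # VM -> physical: rewrite destination from the NATed IP to the real IP
        real = self.rules.get(pkt.dst)
        if real is None:
            return pkt
        self.sessions[(pkt.src, real)] = pkt.dst
        return Packet(pkt.src, real, pkt.flags)

    def inbound(self, pkt):
        # physical -> VM: restore the NATed IP as source only if reverse translation is on
        nat_ip = self.sessions.get((pkt.dst, pkt.src))
        if nat_ip is None or not self.reverse_translate:
            return pkt
        return Packet(nat_ip, pkt.dst, pkt.flags)


def vm_accepts(vm_ip, sent_to, reply):
    # The VM only accepts a SYN-ACK from the peer it sent its SYN to
    return reply.dst == vm_ip and reply.src == sent_to and reply.flags == "SYN-ACK"


def simulate(reverse_translate):
    """Returns True if the TCP handshake can proceed, False if the SYN-ACK is dropped."""
    vm_ip, nat_ip, phys_ip = "10.0.0.10", "192.0.2.50", "203.0.113.20"  # constructed
    edge = DnatEdge({nat_ip: phys_ip}, reverse_translate)
    syn = edge.outbound(Packet(vm_ip, nat_ip, "SYN"))
    assert syn.dst == phys_ip  # forward DNAT works in both modes
    syn_ack = edge.inbound(Packet(syn.dst, syn.src, "SYN-ACK"))
    return vm_accepts(vm_ip, nat_ip, syn_ack)
```

Running simulate(True) and simulate(False) shows that only the forward direction works without reverse translation, which matches the captures described above.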
Workaround
To test the double inspection configuration before making it persistent, apply the following approach:
- On the NSX-T Edge where double inspection is to be configured, list the logical routers and enter the T1 VRF context where the DNAT rule is configured:
    nsx-edge> get logical-router
    nsx-edge> vrf 1
- Once inside the VRF, get the uplink interface UUID:
    nsx-edge> get firewall interfaces
- Exit the VRF context and set the one_state_opt firewall parameter to 0 on that interface (the UUID below is the uplink interface obtained in the previous step):
    nsx-edge> set firewall e248def8-4d7d-4b79-bc9d-87502011e382 param one_state_opt value 0
Proceed with the infrastructure tests and confirm that DNAT now works as expected. After that, make the change persistent across reboots and NSX maintenance mode using the VMware NSX-T API, as documented in KB 85453.
