VXLAN overlay broken on VMware/NSX: hypervisor silently drops valid VXLAN packets on UDP 8472

<html>
<body>
<section id="markdown-section-52fe5c5e-9618-46d4-ba59-db9cd81cc895-20" class="markdown-section chat-fade-in" data-markdown-raw="
**Environment:**
- RKE2 with Canal CNI (Flannel VXLAN + Calico)
- VMware vCloud Director with NSX-backed networking
- Nodes across multiple AZs on different L3 subnets (10.6.10.0/24 and 10.10.175.0/24)
- Flannel VXLAN: VNI 1, UDP 8472, MTU 1450" data-section-index="20" style="border-radius: 4px; line-height: 19.5px; margin: 6px 0px; position: relative; scroll-margin-bottom: 40px; scroll-margin-top: 40px; color: rgb(218, 218, 218); font-family: &quot;Segoe WPC&quot;, &quot;Segoe UI&quot;, sans-serif; font-size: 13px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: rgb(37, 37, 38); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">Environment:<ul style="animation: 0.25s ease 0s 1 normal none running fade-in; margin: 0px 0px 0px 16px; padding: 0px;"><li data-indent="0" style="animation: 0.25s ease 0s 1 normal none running fade-in; margin-bottom: 2px !important; margin-top: 2px !important; margin-left: 0px; padding-top: 2px; padding-bottom: 2px; list-style-type: disc;">RKE2 with Canal CNI (Flannel VXLAN + Calico)</li></ul><ul style="animation: 0.25s ease 0s 1 normal none running fade-in; margin: 0px 0px 0px 16px; padding: 0px;"><li data-indent="0" style="animation: 0.25s ease 0s 1 normal none running fade-in; margin-bottom: 2px !important; margin-top: 2px !important; margin-left: 0px; padding-top: 2px; padding-bottom: 2px; list-style-type: disc;">VMware vCloud Director with NSX-backed networking</li></ul><ul style="animation: 0.25s ease 0s 1 normal none running fade-in; margin: 0px 0px 0px 16px; padding: 0px;"><li data-indent="0" style="animation: 0.25s ease 0s 1 normal none running fade-in; margin-bottom: 2px !important; margin-top: 2px !important; margin-left: 0px; padding-top: 2px; padding-bottom: 2px; list-style-type: disc;">Nodes across multiple AZs on different L3 subnets (10.6.10.0/24 and 10.10.175.0/24)</li></ul><ul style="animation: 0.25s ease 0s 1 normal none running fade-in; margin: 0px 0px 0px 16px; padding: 0px;"><li data-indent="0" style="animation: 0.25s ease 0s 1 normal none running fade-in; margin-bottom: 2px !important; margin-top: 2px !important; margin-left: 0px; padding-top: 2px; padding-bottom: 2px; list-style-type: disc;">Flannel VXLAN: VNI 1, UDP 8472, MTU 1450</li></ul></section><section id="markdown-section-52fe5c5e-9618-46d4-ba59-db9cd81cc895-22" class="markdown-section chat-fade-in" data-markdown-raw="
**Problem:**" data-section-index="22" style="border-radius: 4px; line-height: 19.5px; margin: 6px 0px; position: relative; scroll-margin-bottom: 40px; scroll-margin-top: 40px; color: rgb(218, 218, 218); font-family: &quot;Segoe WPC&quot;, &quot;Segoe UI&quot;, sans-serif; font-size: 13px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: rgb(37, 37, 38); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">Problem:</section><section id="markdown-section-52fe5c5e-9618-46d4-ba59-db9cd81cc895-24" class="markdown-section chat-fade-in" data-markdown-raw="
Pod-to-pod communication fails between nodes on different subnets. The Flannel VXLAN data plane appears fully configured (FDB entries, ARP, routes all correct), but encapsulated packets never reach the destination node." data-section-index="24" style="border-radius: 4px; line-height: 19.5px; margin: 6px 0px; position: relative; scroll-margin-bottom: 40px; scroll-margin-top: 40px; color: rgb(218, 218, 218); font-family: &quot;Segoe WPC&quot;, &quot;Segoe UI&quot;, sans-serif; font-size: 13px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: rgb(37, 37, 38); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">Pod-to-pod communication fails between nodes on different subnets. The Flannel VXLAN data plane appears fully configured (FDB entries, ARP, routes all correct), but encapsulated packets never reach the destination node.</section><section id="markdown-section-52fe5c5e-9618-46d4-ba59-db9cd81cc895-26" class="markdown-section chat-fade-in" data-markdown-raw="
**Diagnosis:**" data-section-index="26" style="border-radius: 4px; line-height: 19.5px; margin: 6px 0px; position: relative; scroll-margin-bottom: 40px; scroll-margin-top: 40px; color: rgb(218, 218, 218); font-family: &quot;Segoe WPC&quot;, &quot;Segoe UI&quot;, sans-serif; font-size: 13px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: rgb(37, 37, 38); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">Diagnosis:</section><section id="markdown-section-52fe5c5e-9618-46d4-ba59-db9cd81cc895-28" class="markdown-section chat-fade-in" data-markdown-raw="
All standard checks passed:
- FDB, ARP/neighbor tables, routes: correct on all nodes
- rp_filter: loose mode (2)
- UDP 8472 listening on all nodes
- ICMP at MTU 1450 between nodes: 0% loss
- Generic UDP (socat) between nodes: works bidirectionally" data-section-index="28" style="border-radius: 4px; line-height: 19.5px; margin: 6px 0px; position: relative; scroll-margin-bottom: 40px; scroll-margin-top: 40px; color: rgb(218, 218, 218); font-family: &quot;Segoe WPC&quot;, &quot;Segoe UI&quot;, sans-serif; font-size: 13px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: rgb(37, 37, 38); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">All standard checks passed:<ul style="animation: 0.25s ease 0s 1 normal none running fade-in; margin: 0px 0px 0px 16px; padding: 0px;"><li data-indent="0" style="animation: 0.25s ease 0s 1 normal none running fade-in; margin-bottom: 2px !important; margin-top: 2px !important; margin-left: 0px; padding-top: 2px; padding-bottom: 2px; list-style-type: disc;">FDB, ARP/neighbor tables, routes: correct on all nodes</li></ul><ul style="animation: 0.25s ease 0s 1 normal none running fade-in; margin: 0px 0px 0px 16px; padding: 0px;"><li data-indent="0" style="animation: 0.25s ease 0s 1 normal none running fade-in; margin-bottom: 2px !important; margin-top: 2px !important; margin-left: 0px; padding-top: 2px; padding-bottom: 2px; list-style-type: disc;">rp_filter: loose mode (2)</li></ul><ul style="animation: 0.25s ease 0s 1 normal none running fade-in; margin: 0px 0px 0px 16px; padding: 0px;"><li data-indent="0" style="animation: 0.25s ease 0s 1 normal none running fade-in; margin-bottom: 2px !important; margin-top: 2px !important; margin-left: 0px; padding-top: 2px; padding-bottom: 2px; list-style-type: disc;">UDP 8472 listening on all nodes</li></ul><ul style="animation: 0.25s ease 0s 1 normal none running fade-in; margin: 0px 0px 0px 16px; padding: 0px;"><li data-indent="0" style="animation: 0.25s ease 0s 1 normal none running fade-in; margin-bottom: 2px !important; margin-top: 2px !important; margin-left: 0px; padding-top: 2px; padding-bottom: 2px; list-style-type: disc;">ICMP at MTU 1450 between nodes: 0% loss</li></ul><ul style="animation: 0.25s ease 0s 1 normal none running fade-in; margin: 0px 0px 0px 16px; padding: 0px;"><li data-indent="0" style="animation: 0.25s ease 0s 1 normal none running fade-in; margin-bottom: 2px !important; margin-top: 2px !important; margin-left: 0px; padding-top: 2px; padding-bottom: 2px; list-style-type: disc;">Generic UDP (socat) between nodes: works bidirectionally</li></ul></section><section id="markdown-section-52fe5c5e-9618-46d4-ba59-db9cd81cc895-30" class="markdown-section chat-fade-in" data-markdown-raw="
Simultaneous tcpdump on sender and receiver showed VXLAN replies leave the sender's NIC but never arrive at the receiver's NIC. To isolate, we sent crafted packets from the same source to the same destination on UDP 8472:" data-section-index="30" style="border-radius: 4px; line-height: 19.5px; margin: 6px 0px; position: relative; scroll-margin-bottom: 40px; scroll-margin-top: 40px; color: rgb(218, 218, 218); font-family: &quot;Segoe WPC&quot;, &quot;Segoe UI&quot;, sans-serif; font-size: 13px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: rgb(37, 37, 38); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">Simultaneous tcpdump on sender and receiver showed VXLAN replies leave the sender's NIC but never arrive at the receiver's NIC. To isolate, we sent crafted packets from the same source to the same destination on UDP 8472:</section><div class="monaco-scrollable-element markdown-table-container" role="presentation" style="scrollbar-width: none; overflow: hidden; color: rgb(218, 218, 218); font-family: &quot;Segoe WPC&quot;, &quot;Segoe UI&quot;, sans-serif; font-size: 13px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: rgb(37, 37, 38); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; position: relative; margin: 1em 0px; width: fit-content; max-width: 100%; border-color: color(srgb 0.8 0.8 0.8 / 0.08); border-style: solid; border-width: 1px; border-image: none 100% / 1 / 0 stretch; border-radius: 6px;"><div class="markdown-table-wrapper" style="--fade-start: rgba(0,0,0,.25); --fade-end: #000; --markdown-table-fade-width: 10px; mask-image: none; overflow: hidden;">
Payload | Arrived?
-- | --
Random bytes (not valid VXLAN) | Yes
Valid VXLAN header, VNI=1 | No
Valid VXLAN header, VNI=999 | No
Valid VXLAN header, VNI=4096 | No

</div><div role="presentation" aria-hidden="true" class="invisible scrollbar horizontal" style="opacity: 0; pointer-events: none; position: absolute; width: 275px; height: 10px; left: 0px; bottom: 0px;"><div class="slider" style="background: none 0% 0% / auto repeat scroll padding-box border-box rgba(121, 121, 121, 0.4); position: absolute; top: 0px; left: 0px; height: 10px; transform: translate3d(0px, 0px, 0px); contain: strict; width: 275px;"></div></div><div role="presentation" aria-hidden="true" class="invisible scrollbar vertical" style="opacity: 0; pointer-events: none; position: absolute; width: 0px; height: 152px; right: 0px; top: 0px;"><div class="slider" style="background: none 0% 0% / auto repeat scroll padding-box border-box rgba(121, 121, 121, 0.4); position: absolute; top: 0px; left: 0px; width: 10px; transform: translate3d(0px, 0px, 0px); contain: strict; height: 152px;"></div></div></div><section id="markdown-section-52fe5c5e-9618-46d4-ba59-db9cd81cc895-33" class="markdown-section chat-fade-in" data-markdown-raw="
**Root Cause:**" data-section-index="33" style="border-radius: 4px; line-height: 19.5px; margin: 6px 0px; position: relative; scroll-margin-bottom: 40px; scroll-margin-top: 40px; color: rgb(218, 218, 218); font-family: &quot;Segoe WPC&quot;, &quot;Segoe UI&quot;, sans-serif; font-size: 13px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: rgb(37, 37, 38); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">Root Cause:</section><section id="markdown-section-52fe5c5e-9618-46d4-ba59-db9cd81cc895-35" class="markdown-section chat-fade-in" data-markdown-raw="
The VMware/NSX hypervisor performs deep packet inspection on UDP 8472 and intercepts any packet containing a valid VXLAN header structure, regardless of VNI. NSX uses VXLAN for its own overlay networking, and the vSwitch VTEP consumes guest-generated VXLAN traffic before it reaches the physical network." data-section-index="35" style="border-radius: 4px; line-height: 19.5px; margin: 6px 0px; position: relative; scroll-margin-bottom: 40px; scroll-margin-top: 40px; color: rgb(218, 218, 218); font-family: &quot;Segoe WPC&quot;, &quot;Segoe UI&quot;, sans-serif; font-size: 13px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: rgb(37, 37, 38); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">The VMware/NSX hypervisor performs deep packet inspection on UDP 8472 and intercepts any packet containing a valid VXLAN header structure, regardless of VNI. NSX uses VXLAN for its own overlay networking, and the vSwitch VTEP consumes guest-generated VXLAN traffic before it reaches the physical network.</section><section id="markdown-section-52fe5c5e-9618-46d4-ba59-db9cd81cc895-37" class="markdown-section chat-fade-in" data-markdown-raw="
The issue is asymmetric across subnets -- likely depending on which ESXi host and vSwitch configuration each VM lands on." data-section-index="37" style="border-radius: 4px; line-height: 19.5px; margin: 6px 0px; position: relative; scroll-margin-bottom: 40px; scroll-margin-top: 40px; color: rgb(218, 218, 218); font-family: &quot;Segoe WPC&quot;, &quot;Segoe UI&quot;, sans-serif; font-size: 13px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: rgb(37, 37, 38); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">The issue is asymmetric across subnets -- likely depending on which ESXi host and vSwitch configuration each VM lands on.</section><section id="markdown-section-52fe5c5e-9618-46d4-ba59-db9cd81cc895-39" class="markdown-section chat-fade-in" data-markdown-raw="
**Workarounds to evaluate:**
1. Change Flannel's VXLAN backend port to a non-standard value (e.g. 4790)
2. Disable VXLAN offloading/interception on the VM portgroups at the vSphere level
3. Switch overlay to WireGuard or IPsec (avoids VXLAN entirely)
4. Switch to Geneve (UDP 6081) -- unclear if NSX also intercepts this" data-section-index="39" style="border-radius: 4px; line-height: 19.5px; margin: 6px 0px; position: relative; scroll-margin-bottom: 40px; scroll-margin-top: 40px; color: rgb(218, 218, 218); font-family: &quot;Segoe WPC&quot;, &quot;Segoe UI&quot;, sans-serif; font-size: 13px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: rgb(37, 37, 38); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">Workarounds to evaluate:<ol style="animation: 0.25s ease 0s 1 normal none running fade-in; margin: 0px 0px 0px 16px; padding: 0px;"><li data-indent="0" value="1" style="animation: 0.25s ease 0s 1 normal none running fade-in; margin-bottom: 2px !important; margin-top: 2px !important; margin-left: 0px; padding-top: 2px; padding-bottom: 2px; list-style-type: decimal;">Change Flannel's VXLAN backend port to a non-standard value (e.g. 4790)</li></ol><ol style="animation: 0.25s ease 0s 1 normal none running fade-in; margin: 0px 0px 0px 16px; padding: 0px;"><li data-indent="0" value="2" style="animation: 0.25s ease 0s 1 normal none running fade-in; margin-bottom: 2px !important; margin-top: 2px !important; margin-left: 0px; padding-top: 2px; padding-bottom: 2px; list-style-type: decimal;">Disable VXLAN offloading/interception on the VM portgroups at the vSphere level</li></ol><ol style="animation: 0.25s ease 0s 1 normal none running fade-in; margin: 0px 0px 0px 16px; padding: 0px;"><li data-indent="0" value="3" style="animation: 0.25s ease 0s 1 normal none running fade-in; margin-bottom: 2px !important; margin-top: 2px !important; margin-left: 0px; padding-top: 2px; padding-bottom: 2px; list-style-type: decimal;">Switch overlay to WireGuard or IPsec (avoids VXLAN entirely)</li></ol><ol style="animation: 0.25s ease 0s 1 normal none running fade-in; margin: 0px 0px 0px 16px; padding: 0px;"><li data-indent="0" value="4" style="animation: 0.25s ease 0s 1 normal none running fade-in; margin-bottom: 2px !important; margin-top: 2px !important; margin-left: 0px; padding-top: 2px; padding-bottom: 2px; list-style-type: decimal;">Switch to Geneve (UDP 6081) -- unclear if NSX also intercepts this</li></ol></section>
</body>
</html>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

VXLAN overlay broken on VMware/NSX: hypervisor silently drops valid VXLAN packets on UDP 8472 #2388

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

VXLAN overlay broken on VMware/NSX: hypervisor silently drops valid VXLAN packets on UDP 8472 #2388

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions