VCAP6-NV (3V0-643) Study Guide – Part 21. Troubleshoot VMware NSX Edge Services Issues

This is part 21 of 22 blogs I am writing covering the exam prep guide for the VMware Certified Advanced Professional 6 – Network Virtualisation Deployment (3V0-643) VCAP6-NV certification.

At the time of writing there is no VCAP Design exam stream, thus you’re automatically granted the new VMware Certified Implementation Expert 6 – Network Virtualisation (VCIX6-NV) certification by successfully passing the VCAP6-NV Deploy exam.

For previous blogs in this series please refer to the VCAP6-NV Reference Guide I created. This has all the links to VMware NSX content and lists out each exam objective and the associated blog. Check it out here: Exam Objective Reference Guide.

This blog covers:

Section 7 – Perform Advanced VMware NSX Troubleshooting
Objective 7.3 – Troubleshoot VMware NSX Edge Services Issues

  • Troubleshoot VPN service issues
  • Troubleshoot DHCP/DNS/NAT service issues
  • Troubleshoot Logical Load Balancer implementation issues
  • Download Technical Support logs from NSX Edge instances

 

Any VCAP exam objective that talks about troubleshooting I feel is not worth putting too much time writing a blog about. You are better off spending time configuring and breaking NSX and the various components and learning from your mistakes.

What I will try to do in this blog is refer you back to previous blog posts that cover the deployment or configuration of a specific NSX feature, any VMware troubleshooting knowledge base articles (if available) and any troubleshooting you can do via the command line.

Everything in this section refers to services provided by the Edge Services Gateway.

A handy tip! All the CLI show commands for troubleshooting services start with show service followed by the service name e.g. show service sslvpn-plus

Also do not forget from the Edge command line you can run show log, or show log follow or show log reverse.

Before I start, if you need to change the CLI login details to an Edge Services Gateway (ESG) or enable SSH you can do this by selecting the ESG and hitting ‘change CLI credentials’ as shown below.

Troubleshoot VPN service issues

SSL VPN-Plus Service

To review the implementation and configuration of the SSL VPN-Plus service refer to blog post 9B. Make sure everything is configured as it should be!

VMware has a good troubleshooting KB article for SSL VPN-Plus service.

You can run some troubleshooting commands from the command line of the Edge Services Gateway (ESG) that is hosting the SSL VPN-Plus service. SSH or open the console of the ESG.

The full command list available: show service sslvpn-plus ?

To check the SSL VPN service status: show service sslvpn-plus

To check SSL VPN statistics: show service sslvpn-plus stats

To check if SSL VPN clients are connected: show service sslvpn-plus tunnels

To check SSL VPN sessions: show service sslvpn-plus sessions

To see the full SSL VPN config via the CLI type: show config sslvpn-plus

(screen shot only shows part of the config)

 

To look at the log files of the NSX SSL VPN-Plus service you must have syslog configured on the Edge hosting the SSL VPN service.

Make sure you enable logging for the SSL-VPN service if you are troubleshooting.

VMware documentation states the logs for remote clients trying to connect to the SSL VPN service are located on the remote client at: %PROGRAMFILES%/VMWARE/SSL VPN Client/

I don’t know if the log location above is an error because on two computers I tried finding the logs and on both they were under the user’s profile in %username%\AppData/Local\VMware\vpn

IPSec VPN Service

To review the implementation and configuration of the IPSec VPN service refer to blog post 9A. Make sure everything is configured as it should be!

VMware has a good troubleshooting KB article for IPSec VPN service.

You can run some troubleshooting commands from the command line of the Edge Services Gateway (ESG) that is hosting the IPSec VPN service. SSH or open the console of the ESG.

The full command list available: show service ipsec ?

To check the IPSec VPN service status: show service ipsec

In the above screenshot you can see one side of the IPSec VPN is down.

To see the full IPSec config via the CLI type: show config ipsec

(screen shot only shows part of the config)

To look at the log files of the NSX IPSec service you must have syslog configured on the Edge hosting the IPSec service.

If you are troubleshooting make sure you enable logging and change the logging level.

L2VPN Service

To review the implementation and configuration of the L2VPN service refer to blog post 9C. Make sure everything is configured as it should be!

I could not find a VMware KB article on troubleshooting.

Some of the available commands are as follows:

The full command list available: show service l2vpn ?

To see the L2VPN service config from the command line: show config l2vpn

Troubleshoot DHCP service issues

To review the implementation and configuration of the DHCP service refer to blog post 10.

If you are troubleshooting make sure you have enabled logging and changed the mode to debug or error etc. This sends the logs to the syslog server.

You must restart the DHCP service on client virtual machines in the following situations:

  • You changed or deleted a DHCP pool, default gateway, or DNS server.
  • You changed the internal IP address of the NSX Edge instance.

To check the DHCP Service from the command line: show service dhcp

To see any DHCP leases from the command line: show service dhcp leaseinfo

To see the DHCP service config from the command line: show config dhcp

Troubleshoot DNS service issues

To review the implementation and configuration of the DNS service refer to blog post 10.

On the Edge Services Gateway (ESG), the DNS service is where you configure the external upstream DNS servers to which the ESG relays requests from clients.

If you are troubleshooting, make sure you have enabled logging and changed the logging level; this sends the logs to the configured syslog server.

To see the DNS service status: show service dns

To see the DNS service cache: show service dns cache

Troubleshoot NAT service issues

To review the implementation and configuration of the NAT service refer to blog post 10.

If you are troubleshooting you can enable logging on a per NAT rule basis as shown below. This will push the NAT log to the syslog configured on the ESG.

To see the NAT config from the command line: show config nat

Partial output shown below.

You can see the NAT rules by: show nat

I think this is easier to view in the GUI.

A show log follow might be useful while troubleshooting NAT services.

Troubleshoot Logical Load Balancer implementation issues

To review the implementation and configuration of the Load Balancer service refer to blog post 8.

VMware have a troubleshooting KB article for NSX Load Balancing.

To check the Load Balancer service: show service loadbalancer

To see the Load Balancer config from the command line: show config loadbalancer

Partial output shown below.

All the available show service loadbalancer commands are below:

I do not have any load balancing services currently configured so I am not going to run through all these commands.

You can enable logging for the Load Balancer service. Change the logging level as required. The logs are sent to the syslog server the Edge is configured to use.

You could also view the logs with a show log follow for example when troubleshooting.
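
The show commands listed in the sections above, gathered into one snapshot script, as an added example that is not part of the original post. It assumes SSH is enabled on the ESG, that the Edge CLI accepts a single command passed as the ssh argument, and a CLI user of admin; EDGE_SSH and EDGE_USER are hypothetical variable names introduced here.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumptions: SSH is enabled on the
# ESG, the CLI user is "admin" unless EDGE_USER is set, and the Edge CLI accepts
# a single command passed as the ssh argument.

# Print the show commands this guide lists for one service, one per line.
edge_commands() {
    case "$1" in
        sslvpn-plus)
            printf '%s\n' "show service sslvpn-plus" \
                "show service sslvpn-plus stats" \
                "show service sslvpn-plus tunnels" \
                "show service sslvpn-plus sessions" \
                "show config sslvpn-plus" ;;
        ipsec|l2vpn|loadbalancer)
            printf '%s\n' "show service $1" "show config $1" ;;
        dhcp)
            printf '%s\n' "show service dhcp" \
                "show service dhcp leaseinfo" "show config dhcp" ;;
        dns)
            printf '%s\n' "show service dns" "show service dns cache" ;;
        nat)
            printf '%s\n' "show nat" "show config nat" ;;
        *)
            echo "unknown service: $1" >&2; return 1 ;;
    esac
}

# Run each command for SERVICE on EDGE, save a transcript, print its path.
# EDGE_SSH is a hypothetical override hook so the ssh client can be stubbed.
collect_edge_state() {
    local edge="$1" service="$2" outdir="${3:-.}" cmds out cmd
    # Accept only hostname/IPv4 characters so the value cannot become an ssh option.
    case "$edge" in ''|-*|*[!A-Za-z0-9.-]*) echo "invalid edge name" >&2; return 2 ;; esac
    cmds="$(edge_commands "$service")" || return 1
    out="$outdir/${edge}_${service}_$(date -u +%Y%m%dT%H%M%SZ).txt"
    # Config output may contain sensitive settings: create the file owner-only.
    ( umask 077; : > "$out" ) || return 3
    while IFS= read -r cmd; do
        printf '### %s\n' "$cmd" >> "$out"
        "${EDGE_SSH:-ssh}" "${EDGE_USER:-admin}@$edge" "$cmd" \
            < /dev/null >> "$out" 2>&1 || printf '### failed: %s\n' "$cmd" >> "$out"
    done <<EOF
$cmds
EOF
    printf '%s\n' "$out"
}
# Usage: ./edge-snapshot.sh <edge-host> <service> [output-dir]
if [ "$#" -ge 2 ]; then collect_edge_state "$@"; fi
```

Taking one snapshot before and one after a configuration change gives two files you can diff while troubleshooting.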

Download Technical Support logs from NSX Edge instances

You normally download the Technical Support Logs from the Edge Services Gateway if experiencing issues. The logs are then uploaded to VMware for analysis.

Should you be running the ESG in HA mode the logs for both are downloaded at the same time.

Select the Edge Services Gateway that you wish to download the Technical Support Logs from.

Right-click and select Download Tech Support Logs.

Click on download and save. The files are compressed in the .gz format.

And that’s it for this blog!

The next blog, #22, is the last in the series. It’s taken 9 weeks and about 130 odd hours of my personal time to blog the exam blueprint. I am looking forward to wrapping this up and then spending all my spare time for the next 3-4 weeks just deep-diving into VMware NSX before taking the exam. From New Zealand the VCAP exam experience is a killer due to the latency.

I am looking forward to researching and learning about the NSX API which is the last objective in the exam blueprint.

Objective 8.1: Administer and Execute calls using the VMware NSX vSphere API
