Troubleshoot VMware NSX Edge Services Issues

By | 19/06/2018

In this post I will cover the following topics of Objective 7.3 of the VCAP6-NV Deploy exam.

  • Troubleshoot VPN service issues
  • Troubleshoot DHCP/DNS/NAT service issues
  • Troubleshoot Logical Load Balancer implementation issues
  • Download Technical Support logs from NSX Edge instances

Let's get started.

                                     Troubleshoot VPN service issues

There are 3 types of VPN which you can configure on NSX edges:

  • SSL-VPN Plus
  • IPSec VPN
  • L2 VPN

Let's start with troubleshooting IPSec VPN.

To troubleshoot any VPN issue, you should know how the VPN service is configured, so that you can first rule out a misconfigured setting as the cause. To review the implementation and configuration of the IPSec VPN service refer to article

To run troubleshooting commands on the ESG where IPSec VPN service is configured, connect to the edge via SSH.

To view full list of commands for ipsec, run command: show service ipsec ? 


Check IPSec VPN service status: show service ipsec


To see the IPSec configuration, run command: show config ipsec


Additionally you can configure the ESG (where IPSec is configured) to forward logs to a centralized syslog server.


Once the syslog server is configured on the ESG, you will find the following log files forwarded to the syslog server.

You can use tail or cat command to read these log files to debug and troubleshoot issues.


Also when troubleshooting IPSec issues, you can temporarily set the log level for IPSec VPN to debug to capture more details.
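When reading the forwarded IPSec logs, the IKE failure notifications are usually the quickest pointer to which setting differs between the two ends. The script below is an added example, not part of the original post: it counts those notifications per peer and names the setting to compare. The log lines are constructed for illustration (the real layout depends on the edge version), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): summarise IKE failure
# notifications found in IPSec log lines forwarded from an ESG to syslog.

# Constructed sample lines; the real log layout depends on the edge version.
sample_ipsec_log() {
cat <<'EOF'
2018-06-19T10:01:02Z esg-01 ipsec: peer 192.0.2.10: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2018-06-19T10:01:22Z esg-01 ipsec: peer 192.0.2.10: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2018-06-19T10:02:10Z esg-01 ipsec: peer 198.51.100.7: ignoring informational payload, type INVALID_ID_INFORMATION
2018-06-19T10:03:45Z esg-01 ipsec: peer 203.0.113.5: malformed payload in packet; PAYLOAD_MALFORMED
2018-06-19T10:04:00Z esg-01 ipsec: peer 198.51.100.7: IPsec SA established
EOF
}

# Reads log lines on stdin, prints "<peer> <notify> <count> check: <setting>".
# Assumption: the first IPv4 address on a line is the remote peer.
ipsec_triage() {
awk '
BEGIN {
  hint["NO_PROPOSAL_CHOSEN"]     = "encryption algorithm, DH group and PFS on both ends"
  hint["INVALID_ID_INFORMATION"] = "local and peer subnets on both ends"
  hint["AUTHENTICATION_FAILED"]  = "pre-shared key or certificate"
  hint["PAYLOAD_MALFORMED"]      = "pre-shared key"
}
{
  peer = "unknown"
  if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) peer = substr($0, RSTART, RLENGTH)
  for (n in hint) if (index($0, n)) count[peer " " n]++
}
END {
  for (k in count) {
    split(k, p, " ")
    print p[1], p[2], count[k], "check: " hint[p[2]]
  }
}' | sort
}

sample_ipsec_log | ipsec_triage
```

On the syslog server, pipe the real file through the function instead, for example `tail -n 500 <logfile> | ipsec_triage`.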


Troubleshooting SSL-VPN Plus issues

Connect to the NSX edge where SSL-VPN Plus is configured and run the following commands to debug and troubleshoot issues.

To see the full list of commands: show service sslvpn-plus ?


Check the SSL VPN service status: show service sslvpn-plus


Check SSL VPN statistics: show service sslvpn-plus stats


To see the SSL VPN config: show config sslvpn-plus

I have included only a part of my ssl-vpn config


Check if SSL VPN clients are connected: show service sslvpn-plus tunnels

Check SSL VPN sessions: show service sslvpn-plus sessions

You can also set the logging level on the Edge where SSL-VPN Plus is configured to gather more info from the logs. The most detail is included when the logging level is set to ‘debug’.

You can change from the default logging level ‘info’ to ‘debug’.


Logs for remote Windows clients trying to connect to the SSL VPN service are located in the folder %username%\AppData\Local\VMware\vpn. You will find a log file by name svp_client.



                                              Troubleshoot DHCP service issues

To effectively troubleshoot DHCP issues, make sure to set logging level to debug for the dhcp service. 


SSH to the edge gateway where DHCP is configured and run the following commands to debug and troubleshoot issues.

View full list of dhcp commands: show service dhcp ?


Check DHCP service status: show service dhcp


Check DHCP lease info: show service dhcp leaseinfo


Check DHCP configuration: show config dhcp


If you have made any changes to DHCP pool post initial configuration, don’t forget to restart dhcp services on client machines. 

                                              Troubleshoot DNS Service Issues

To effectively troubleshoot DNS issues, make sure to change logging level for DNS service to debug so as to collect maximum details from the logs.

To change the logging level, select the edge where DNS is configured and navigate to Manage > Settings > Configuration > DNS Configuration and click on change. 


Set Log level to ‘debug’ and hit OK.


Connect to the ESG via SSH and run the following commands.

Check DNS service status: show service dns


Check DNS config: show config dns


Once you have verified that configuration is correct and yet DNS is not working as expected, you can run command show log and look for any entries related to DNS.

If you have made changes to DNS that have not yet been picked up by the DNS cache, so that DNS resolution is returning incorrect values, you can delete the old DNS cache by running command: clear service dns cache

                        Troubleshoot Load Balancer Implementation Issues

To review installation/configuration steps for load balancer, please read this article

I found a very helpful flowchart on the VMware website which is very handy when troubleshooting load balancer issues.

LB-Troubleshooting Flowchart.png

Additionally, you can log in to the ESG (via SSH or console) where the LB is configured and run the following commands:

List all load balancer commands: show service loadbalancer ?


Check load balancer service state: show service loadbalancer


Check load balancer configuration: show config loadbalancer


Check health status of members of LB pool: show service loadbalancer pool


You can also check for errors by running command: show service loadbalancer error

                      Download Technical Support logs from NSX Edge instances

Edge gateway logs are very helpful when debugging and troubleshooting any Edge service related issues. Also if you have filed a support case with VMware, the GSS team asks for logs from edge gateway.

To pull logs from an edge gateway, select the Edge from the list of ‘NSX Edges’ and from the Actions tab, click on “Download Tech Support Logs”.


Click on Download button once the log bundle generation is completed.


And that’s it for this post.
