Same MAC on multiple bridge ports

raw_packets

New Member
Mar 23, 2025
Hi, I have a strange issue on my Proxmox deployment regarding a VM MAC address that appears on 2 interfaces. This is a 3-node cluster, PVE version 8.3.5 inside VMware virtualization (nested), with the security settings on the VMware vSwitch set up properly to allow communication from inside the Proxmox environment (it works for other stuff that needs it, so it should work for this as well). There are 2 VMware Ethernet interfaces in 2 VLANs, of which one is in one bridge and is used for management and the other is in another bridge and is used for VM traffic.

The problem I'm having is that VMs can't communicate outside, or between them for that matter, because of what seems to be the MAC address of the VM being learned on the bridge through 2 interfaces, specifically the Ethernet interface on the bridge (VMware vmxnet) and the tap<vmid> interface on the bridge. As far as I'm aware, that should not be happening, yet here we are. Can anyone tell me why this is happening and what I could do to fix it, since I can't find any relevant logs that would explain why this would happen in the first place?

This is bridge FDB:
1742749185353.png

This is MAC learned on 2 ports:
1742749156383.png

- vmbr1 is the VM traffic bridge
- "da:57:37:35:0f:b0" is the MAC address of one of the VMs (as an example)
- ens256 is the VMware (vmxnet) interface
- tap101i0 is the VM tap interface
 
Unfortunately, it did not work.

To expand a bit upon this: when I do tcpdump, I see no traffic on the tap interface whilst a ping is active, either on the VM or from some machine outside Proxmox trying to ping the VM. There is traffic on the bridge interface and there is traffic on the physical interface, but no other traffic matching the VM MAC address aside from ARP who-has traffic, which the VM is sending towards any IP I try to ping from it.
 
Hi, there is an older post [1] describing a seemingly similar issue, but in conjunction with Virtual Distributed Switch, not sure if this is applicable in your case.

However, similarly to [1] it may be the case that something outside your PVE node echoes back the ARP reply sent by the VM which causes the bridge on the PVE node to incorrectly learn that the VM's MAC address is located behind the physical port enp256. For troubleshooting you could try running tcpdump -envi any arp (which prints interfaces too) while trying to ping -- after the ARP reply is sent out via the physical interface, you could check whether you see an ARP reply coming back into the physical interface from outside. If this is the case, the next step would be to find out who echoes back the ARP replies, possibly by running tcpdumps on your switch(es)/other devices.

[1] https://forum.proxmox.com/threads/v...d-arp-replies-over-bridge.106429/#post-460860
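
The check suggested in the reply above, as an added example that is not part of the thread or of Proxmox: a small Python parser that reads saved `tcpdump -envi any arp` output and reports ARP replies that were sent out of the uplink and then received on it again. The line layout assumed is that of tcpdump 4.99 or later on the `any` device; the sample capture, its IP addresses and the second VM are constructed for illustration.

```python
import re

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Assumed layout of one `tcpdump -envi any arp` line (tcpdump 4.99+):
#   <time> <iface> <In|Out|B|M|P> ifindex <n> <src-mac> ethertype ARP ... Reply <ip> is-at <mac>
ARP_REPLY = re.compile(
    rf"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>In|Out|B|M|P)\s+ifindex\s+\d+\s+"
    rf"(?P<src>{MAC})\s+ethertype ARP.*?Reply\s+(?P<ip>\S+)\s+is-at\s+(?P<mac>{MAC})",
    re.IGNORECASE,
)

def find_echoed_arp_replies(capture_text, uplink):
    """Return ARP replies that left `uplink` and were later received on it again."""
    sent = {}     # (ip, mac) -> timestamp of the first copy sent out of the uplink
    echoes = []
    for line in capture_text.splitlines():
        m = ARP_REPLY.match(line.strip())
        if m is None or m["iface"] != uplink:
            continue  # ARP requests and other ports (tap devices) are ignored
        key = (m["ip"], m["mac"].lower())
        if m["dir"] == "Out":
            sent.setdefault(key, m["ts"])
        elif key in sent:
            # In/B/M/P all mean "received"; a unicast reply addressed to another
            # host is shown as P, so testing for "In" alone would miss the echo.
            echoes.append({"mac": key[1], "ip": key[0], "sent": sent[key],
                           "echoed": m["ts"], "dir": m["dir"]})
    return echoes

# Constructed sample capture (not from the thread); IPs and the second VM are made up.
SAMPLE_CAPTURE = """\
10:00:01.000100 ens256 B ifindex 3 00:50:56:aa:bb:01 ethertype ARP (0x0806), length 66: Ethernet (len 6), IPv4 (len 4), Request who-has 192.0.2.101 tell 192.0.2.1, length 46
10:00:01.000300 tap101i0 In ifindex 7 da:57:37:35:0f:b0 ethertype ARP (0x0806), length 48: Ethernet (len 6), IPv4 (len 4), Reply 192.0.2.101 is-at da:57:37:35:0f:b0, length 28
10:00:01.000320 ens256 Out ifindex 3 da:57:37:35:0f:b0 ethertype ARP (0x0806), length 48: Ethernet (len 6), IPv4 (len 4), Reply 192.0.2.101 is-at da:57:37:35:0f:b0, length 28
10:00:01.000900 ens256 P ifindex 3 da:57:37:35:0f:b0 ethertype ARP (0x0806), length 66: Ethernet (len 6), IPv4 (len 4), Reply 192.0.2.101 is-at da:57:37:35:0f:b0, length 46
10:00:02.000320 ens256 Out ifindex 3 02:00:00:00:00:02 ethertype ARP (0x0806), length 48: Ethernet (len 6), IPv4 (len 4), Reply 192.0.2.102 is-at 02:00:00:00:00:02, length 28
"""

if __name__ == "__main__":
    for e in find_echoed_arp_replies(SAMPLE_CAPTURE, "ens256"):
        print(f"{e['mac']} ({e['ip']}): sent {e['sent']}, back on uplink {e['echoed']} [{e['dir']}]")
```

An empty result while the FDB still shows the VM's MAC behind the uplink means the frame that moved the entry was not an ARP reply, so the capture filter would need widening to all traffic from that MAC.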
 
Hi, another idea: Does the vSwitch have multiple uplinks configured? If yes, could you temporarily try with just one uplink? Are these uplinks connected to the same switch?