Communication over HNV Gateway fails intermittently if SkipAsSource not set

Applies to: Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard

Symptoms


Consider a Windows Server 2012 R2 Hyper-V Network Virtualization Gateway (HNV GW) that is configured as an active-passive guest cluster on an active-active Hyper-V host cluster. The HNV GW is configured by using System Center Virtual Machine Manager 2012 R2 (SCVMM 2012R2).

In this scenario, connections from an on-premises computer to a virtual machine (tenant VM) behind an HNV GW, or vice versa, fail intermittently. Not all connections are necessarily affected; in particular, connections that consist only of small packets might work.

This may happen regardless of whether the HNV GW is located on Hyper-V host cluster node 1 only, on node 2 only, or on both nodes.

Cause


The MTU of the VPN connection between the HNV GW and the on-premises VPN GW is smaller than the MTU of the two communicating machines. When the HNV GW receives IP packets that have the "don't fragment" (DF) bit set, it cannot forward them over the VPN link; instead it has to inform the sending machine, the tenant VM, that the packet size must be reduced (Path MTU Discovery).

Therefore the HNV GW sends an ICMP packet (Type 3 (Destination unreachable), Code 4 (Fragmentation needed)) to the tenant VM.

This ICMP packet may be dropped by HNV on the Hyper-V host cluster node because it is sent with a source IP address that is not eligible to communicate with a tenant VM in the customer address space. The source address is the CA DIP (Customer Address space Dedicated IP), which is configured automatically by SCVMM. The default address range is 10.254.254.0/24. Because the tenant VM never receives the "Fragmentation needed" message, it keeps sending packets that are too large, and only traffic small enough to fit the VPN MTU gets through.

Resolution


The SkipAsSource flag needs to be enabled on the CA DIP, so that this IP address is no longer chosen as the source IP of locally generated packets such as the ICMP "Fragmentation needed" message.

Configure the HNV GW again by using System Center Virtual Machine Manager 2012 R2 Update Rollup 2 (SCVMM 2012R2 UR2). UR2 contains an update that creates the CA DIP adapter with the SkipAsSource flag set.

As a manual workaround, you can set the SkipAsSource flag on the CA DIP by running the following command in an elevated PowerShell session on the HNV GW (replace xy with the interface index and z with the host part of the CA DIP; the parameter names use ordinary hyphens, and the Boolean parameter takes $true, not the string True):

Set-NetIPAddress -InterfaceIndex xy -IPAddress 10.254.254.z -SkipAsSource $true -IncludeAllCompartments

More Information


The easiest way to find the interface index for the Set-NetIPAddress command is to run ipconfig /allcompartments and then look up the interface index in the zone ID suffix (the number after the % sign) of the link-local IPv6 address of the corresponding IP address in the correct compartment.

==============================================================================
Network Information for Compartment xy
==============================================================================

  Ethernet adapter WNVAdap_10486213:     

Connection-specific DNS Suffix  . :    
Link-local IPv6 Address . . . . . : fe80::15d5:d537:4bb9:1fff%xy   
IPv4 Address. . . . . . . . . . . : 10.254.254.z   
Subnet Mask . . . . . . . . . . . : 255.255.255.248
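
The following PowerShell script is an added example and is not part of this article or of SCVMM: it combines the interface lookup described above with the Set-NetIPAddress workaround from the Resolution section. Instead of reading the interface index off the ipconfig output by hand, it enumerates the IPv4 addresses in all compartments with Get-NetIPAddress, reports every address in the CA DIP range together with its compartment, interface index and current SkipAsSource value, and, only when run with -Fix, sets the flag where it is missing. The script name and parameters are hypothetical, and it assumes the SCVMM default CA DIP range 10.254.254.0/24 (override $CaDipPrefix if your deployment uses a different range).

```powershell
# Check-CaDipSkipAsSource.ps1 (hypothetical name; added example, not from the KB article)
# Run in an elevated PowerShell session on the HNV GW virtual machine.
param(
    # Assumption: SCVMM default CA DIP range 10.254.254.0/24. Adjust for other ranges.
    [string] $CaDipPrefix = '10.254.254.',
    # Without -Fix the script only reports; with -Fix it sets SkipAsSource where missing.
    [switch] $Fix
)

# The CA DIP lives in a non-default network compartment, so the default
# Get-NetIPAddress view would not show it; -IncludeAllCompartments is required.
$caDips = Get-NetIPAddress -AddressFamily IPv4 -IncludeAllCompartments |
    Where-Object { $_.IPAddress.StartsWith($CaDipPrefix) }

if (-not $caDips) {
    Write-Warning "No IPv4 address starting with '$CaDipPrefix' found in any compartment."
    return
}

foreach ($ip in $caDips) {
    $state = if ($ip.SkipAsSource) { 'OK' } else { 'MISSING' }
    Write-Host ("Compartment {0}  IfIndex {1}  {2}/{3}  SkipAsSource={4}  [{5}]" -f
        $ip.CompartmentId, $ip.InterfaceIndex, $ip.IPAddress, $ip.PrefixLength,
        $ip.SkipAsSource, $state)

    if ($Fix -and -not $ip.SkipAsSource) {
        # Same operation as the manual workaround in the Resolution section, but with
        # the interface index and address taken from the enumeration above.
        Set-NetIPAddress -InterfaceIndex $ip.InterfaceIndex -IPAddress $ip.IPAddress `
            -SkipAsSource $true -IncludeAllCompartments

        # Re-read the address so the result reflects what the stack actually stored.
        $after = Get-NetIPAddress -InterfaceIndex $ip.InterfaceIndex -IPAddress $ip.IPAddress `
            -IncludeAllCompartments
        Write-Host ("  -> SkipAsSource is now {0}" -f $after.SkipAsSource)
    }
}
```

Run it once without -Fix to confirm that exactly the CA DIP addresses are listed and that their SkipAsSource state is what you expect; a [MISSING] entry on a gateway that shows the symptoms above is the configuration this article describes. Then run it with -Fix, or apply the single Set-NetIPAddress command from the Resolution section to the reported interface index and address. The flag only keeps the CA DIP from being picked as a source address; it does not remove the address, so the gateway's own use of the CA DIP for HNV purposes is unaffected.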