NGT, VirtIO, and the double-tag problem

Another day in the lab. After several hours standing up my first Domain Controller in a fresh Windows Server 2025 VM on Nutanix AHV, I ran into a networking problem I didn’t expect to spend the rest of my afternoon on.

During the initial install, loading the VirtIO SCSI drivers off the Nutanix VirtIO ISO was expected. After the install, I noticed the NIC wasn’t working either. Also expected. What I should have done at that point was install Nutanix Guest Tools (NGT), Nutanix’s equivalent of VMware Tools, and move on.

Instead, I had trouble getting NGT to mount in the moment, and in a lapse of patience, I manually installed the VirtIO Ethernet driver straight from the ISO. I configured the adapter with a static IP, subnet, and gateway, then ran a quick ping to the gateway. Destination host unreachable.


What followed

The usual rabbit hole. Windows Firewall. Switch trunking. VLAN mismatches. I SSH’d into everything I could reach and verified configs against my network docs, over and over. Nothing was wrong. Everything looked right on paper.

I eventually started looking at this differently. The VirtIO Ethernet driver is designed for KVM and QEMU environments, virtual routers and the like. It comes with VLAN tagging enabled by default at the OS level. That’s not a problem in most environments, but Nutanix runs Open vSwitch (OVS) under the hood, and OVS has opinions about where VLAN tags come from.

When you attach a NIC to a VM in AHV, you assign it to a VLAN and OVS applies that tag as traffic exits the VM. If packets arrive at OVS already tagged, it can’t match them to a rule. It just drops them. My VM was sending VLAN-tagged frames out, OVS was seeing double-tagged traffic, and the whole thing was getting silently discarded before it ever reached the wire.

I confirmed it by SSH’ing into the AHV host and running an OVS trace while pinging the gateway. Packets were leaving the VM and getting dropped immediately, and the reason was right there in the output.


What NGT actually does

This is the part I didn’t know. When NGT installs the VirtIO Ethernet driver, it also disables VLAN tagging in the adapter’s advanced properties. That’s not incidental. It’s specifically because AHV handles VLAN tagging at the hypervisor level, and leaving it enabled in the guest breaks things.

The fix, once I understood the problem, took about thirty seconds. Device Manager → Nutanix VirtIO Ethernet Adapter → Properties → Advanced → VLAN set to Disabled. Traffic came up immediately.


What to watch for

Symptom checklist: If you’re on Nutanix CE with AHV and seeing this combination of symptoms, check your VLAN tagging setting before anything else.

The direct fix: Device Manager → Nutanix VirtIO Ethernet Adapter → Properties → Advanced → set VLAN to Disabled. If you’re building a template, install NGT before Sysprep so every clone gets the correct driver configuration automatically.
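The same check can be scripted for a template build or for auditing existing clones. This is an added example, not part of the original post and not Nutanix's own tooling. It assumes the adapter's description contains "VirtIO" and that the advanced property's display name contains "VLAN"; the target value "Disabled" is the one named above.

```powershell
# Added example: audit VirtIO NICs for a guest-side VLAN setting and disable it.
# Assumptions (not from the post): the adapter description contains "VirtIO"
# and the advanced property's display name contains "VLAN".
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$AdapterPattern  = '*VirtIO*',  # assumed match on InterfaceDescription
    [string]$PropertyPattern = '*VLAN*',    # assumed match on the property name
    [string]$Wanted          = 'Disabled'   # value named in the post
)

$adapters = Get-NetAdapter | Where-Object InterfaceDescription -like $AdapterPattern
if (-not $adapters) {
    Write-Warning "No adapter matching '$AdapterPattern' found."
    return
}

foreach ($nic in $adapters) {
    $props = Get-NetAdapterAdvancedProperty -Name $nic.Name `
                 -DisplayName $PropertyPattern -ErrorAction SilentlyContinue
    if (-not $props) {
        Write-Output "$($nic.Name): no VLAN-related advanced property exposed"
        continue
    }
    foreach ($p in $props) {
        Write-Output ("{0}: '{1}' = '{2}'" -f $nic.Name, $p.DisplayName, $p.DisplayValue)

        # Already in the wanted state: nothing to change.
        if ($p.DisplayValue -eq $Wanted) { continue }

        # Only write a value the driver actually offers; otherwise report
        # the choices and leave the decision to the operator.
        if ($p.ValidDisplayValues -notcontains $Wanted) {
            Write-Warning ("  '{0}' is not offered; valid values: {1}" -f `
                $Wanted, ($p.ValidDisplayValues -join ', '))
            continue
        }
        if ($PSCmdlet.ShouldProcess($nic.Name, "Set '$($p.DisplayName)' to '$Wanted'")) {
            Set-NetAdapterAdvancedProperty -Name $nic.Name `
                -DisplayName $p.DisplayName -DisplayValue $Wanted
        }
    }
}
```

Run it with `-WhatIf` first to see what would change. Applying the change restarts the adapter, so expect a brief loss of connectivity on that NIC.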

The good news is I learned quite a bit about the Nutanix networking stack and picked up a few grep tricks along the way. The bad news is I still haven’t promoted the DC.

Maybe tomorrow.


This came up during the build-out of Mad Miller Labs, a home lab enterprise merger simulation running Nutanix CE 6.8.1 on a Dell PowerEdge R640. More posts from the build as the lab grows.