PF reason codes in NSX for vSphere 6.x

Article ID: 301324

Products

VMware vDefend Firewall

Issue/Introduction

This article lists the PF (packet filter) drop reason codes reported by the Distributed Firewall in NSX for vSphere 6.x and explains what each one means.

Environment

VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.4.x

Resolution

Distributed Firewall (DFW) tracks the state transitions of a TCP flow in both directions based on the TCP flags (SYN/ACK/FIN/RST), and also tracks a sliding sequence-number window (low and high edge) derived from the current sequence number, the ack number received from the peer, and the advertised window size after applying the window scaling value.

DFW also sanity-checks the IP/TCP/UDP headers to ensure that they are valid.

DFW also handles fragmented packets and ensures that all fragments for a given packet ID are received and can be reassembled. There is a maximum number of pending fragment buffers to protect against a fragment attack.
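
As an added illustration of the fragment handling just described (not VMware's code; the per-filter buffer cap, the timeout value, the byte-offset convention and the drop-reason labels are assumptions chosen for the demo), the following Python reassembly queue holds fragments per packet ID, rejects misaligned offsets, expires stale buffers on a timer, and refuses to open a new buffer once the pending cap is reached:

```python
"""Toy fragment-reassembly queue modelled on the behaviour described above.

Added illustration, not VMware's code: MAX_PENDING, REASSEMBLY_TIMEOUT,
the byte-offset convention and the drop-reason labels are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MAX_PENDING = 2              # assumed cap on pending reassembly buffers per filter
REASSEMBLY_TIMEOUT = 30.0    # assumed reassembly timer, in seconds


@dataclass
class Fragment:
    ip_id: int      # IP identification field shared by all fragments of one datagram
    offset: int     # byte offset of this fragment's payload in the original datagram
    more: bool      # MF flag: True for every fragment except the last
    data: bytes


@dataclass
class Pending:
    started: float                                          # time the first fragment arrived
    frags: Dict[int, bytes] = field(default_factory=dict)   # offset -> payload
    total: Optional[int] = None                             # known once the last fragment (MF=0) is seen


class Reassembler:
    def __init__(self, max_pending: int = MAX_PENDING, timeout: float = REASSEMBLY_TIMEOUT):
        self.max_pending, self.timeout = max_pending, timeout
        self.pending: Dict[int, Pending] = {}
        self.drops: Counter = Counter()   # drop reason -> count, like the DFW counters

    def expire(self, now: float) -> None:
        """Discard buffers whose reassembly timer has expired (reason: Fragment)."""
        for ip_id in [i for i, p in self.pending.items() if now - p.started > self.timeout]:
            del self.pending[ip_id]
            self.drops["Fragment"] += 1

    def add(self, frag: Fragment, now: float) -> Optional[bytes]:
        """Queue one fragment; return the reassembled datagram once all pieces are present."""
        self.expire(now)
        # offsets are carried in 8-byte units on the wire, so every offset and every
        # non-last fragment length must be a multiple of 8
        if frag.offset % 8 or (frag.more and len(frag.data) % 8):
            self.drops["Fragment"] += 1          # invalid fragment offset / size
            return None
        p = self.pending.get(frag.ip_id)
        if p is None:
            if len(self.pending) >= self.max_pending:
                self.drops["Memory"] += 1        # no fragment buffer available for this filter
                return None
            p = self.pending[frag.ip_id] = Pending(started=now)
        p.frags[frag.offset] = frag.data
        if not frag.more:
            p.total = frag.offset + len(frag.data)
        if p.total is not None and self._complete(p):
            del self.pending[frag.ip_id]
            return b"".join(p.frags[o] for o in sorted(p.frags))
        return None

    @staticmethod
    def _complete(p: Pending) -> bool:
        """True when the buffered fragments cover 0..total with no gaps."""
        end = 0
        for off in sorted(p.frags):
            if off != end:
                return False
            end = off + len(p.frags[off])
        return end == p.total


def demo() -> Tuple[Optional[bytes], dict, int]:
    """Constructed traffic: returns (first reassembled datagram, drop counters, buffers still pending)."""
    r = Reassembler()
    r.add(Fragment(1, 0, True, b"A" * 8), now=0.0)
    first = r.add(Fragment(1, 8, False, b"B" * 4), now=0.1)   # completes datagram 1
    r.add(Fragment(2, 0, True, b"x" * 8), now=1.0)             # two datagrams left pending...
    r.add(Fragment(3, 0, True, b"y" * 8), now=1.0)
    r.add(Fragment(4, 0, True, b"z" * 8), now=1.0)             # ...so a third gets no buffer: Memory
    r.add(Fragment(2, 5, False, b"q"), now=2.0)                # misaligned offset: Fragment
    r.add(Fragment(3, 8, False, b"w" * 2), now=40.0)           # timer expired: both buffers dropped first
    return first, dict(r.drops), len(r.pending)


if __name__ == "__main__":
    print(demo())
```

The point of the cap is visible in the demo: once two datagrams are waiting for their remaining pieces, a third one cannot claim a buffer and is counted under Memory rather than allowed to grow the queue without bound; stale buffers are only reclaimed when the timer fires.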

DFW maintains statistics for the following drop packet reason codes. The meaning of each code and its typical causes are given below.

The basic output format is shown below.

Note: pass and drop counts are always displayed. The other counters are displayed if they contain non-zero values.

For example:

/root:12 > vsipioctl getfilterstat -f nic-1023172-eth0-vmware-sfw.2

  • Match: The packet hits a Drop or a Reject rule.
  • State-mismatch: An invalid state (TCP flags) or an invalid TCP sequence or ack number was detected in the packet. Typical causes are:
      • The current payload's next sequence number (current sequence number + length of the TCP payload) exceeds the acceptable maximum window sequence number.
      • The current payload's starting sequence number is less than the acceptable minimum window sequence number.
      • The current payload's ack number is less than or greater than the acceptable minimum window acknowledgement number.
      • TCP Strict is enabled and the first packet of the flow is not a SYN packet.
      • An error is encountered while processing an ALG packet (FTP/TFTP/ORACLE/MS-RPC/DCE-RPC).
  • Memory: Failure to allocate memory for one of many data structures/buffers. Typical causes are:
      • The maximum number of supported states on the host is exceeded.
      • The maximum number of fragment buffers per filter is exceeded.
      • Under memory stress conditions, one of many allocations fails during packet processing.
  • State Insertion: Failure to insert the state in the flow table, principally because of:
      • Memory constraints.
      • Duplicate session (rarely).
  • Fragment: Fragment handling. Caused by:
      • Invalid fragment offset.
      • Fragment reassembly timer expiring.
      • ICMP error messages must not refer to non-first fragments in the inner packet.
  • Short Packet: IP or Transport header length is shorter than the minimum.
  • Spoofguard: Caused by the Spoofguard implementation:
      • Invalid ARP packet MAC value.
      • Invalid ARP packet IP value.
      • Invalid MAC address.
      • Invalid IP address.
  • Normalization: Invalid IP or Transport header. Caused by:
      • Invalid IP version.
      • Invalid packet length.
      • Invalid header length.
  • IP Options: The packet matches a rule which does not allow IP options.
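
To make the checks in this list and the sequence-window tracking described earlier concrete, the following Python model (an added example, not VMware's or NSX's code) runs constructed packets through simplified versions of the Short Packet, Normalization, IP Options, Match and State-mismatch checks and counts the outcomes the way the pass/drop counters do. The Packet and Flow fields, the window arithmetic (seq_hi = peer ack + scaled window), the check order and the packet values are assumptions for the illustration; Spoofguard, ALG processing and the Memory/State Insertion failures are not modelled.

```python
"""Toy model of the DFW per-packet checks listed above.

Added illustration, not VMware's code. Only the reason-code categories
are reproduced; Packet/Flow fields, the window arithmetic and the
constructed packets in demo() are assumptions for the example.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SYN, ACK = 0x02, 0x10
MIN_IP_HDR = MIN_TCP_HDR = 20


@dataclass
class Packet:
    """Constructed packet: only the fields the checks look at."""
    ip_version: int
    ip_hdr_len: int     # IHL in bytes
    total_len: int      # length claimed by the IP header
    wire_len: int       # bytes actually received
    tcp_hdr_len: int    # TCP data offset in bytes
    flags: int
    seq: int
    ack: int
    ip_options: bool = False

    @property
    def payload_len(self) -> int:
        return self.wire_len - self.ip_hdr_len - self.tcp_hdr_len


@dataclass
class Flow:
    """One direction of a TCP flow (assumed, simplified model).

    seq_lo..seq_hi is the acceptable sequence window; seq_hi is the peer's
    last ack plus its scaled window (the 'high' edge in the text).
    ack_lo..ack_hi bounds the ack numbers this side may send.
    """
    strict: bool = False
    rule_action: str = "allow"       # action of the rule this flow matched
    allow_ip_options: bool = False
    established: bool = False
    seq_lo: int = 0
    seq_hi: int = 0
    ack_lo: int = 0
    ack_hi: int = 0

    def grant_window(self, peer_seq_end: int, peer_ack: int,
                     peer_window: int, peer_wscale: int) -> None:
        """Update the window after seeing the peer's packet (window scaling applied)."""
        scaled = peer_window << peer_wscale
        self.seq_hi = peer_ack + scaled
        self.seq_lo = max(self.seq_lo, peer_ack - scaled)   # old retransmits tolerated one window back
        self.ack_hi = peer_seq_end


def check_headers(p: Packet) -> Optional[str]:
    """Short Packet and Normalization checks on the IP/TCP headers."""
    if p.wire_len < MIN_IP_HDR or p.wire_len < p.ip_hdr_len + MIN_TCP_HDR:
        return "Short Packet"
    if p.ip_version not in (4, 6):
        return "Normalization"          # invalid IP version
    if p.total_len != p.wire_len:
        return "Normalization"          # invalid packet length
    if p.ip_hdr_len < MIN_IP_HDR or p.tcp_hdr_len < MIN_TCP_HDR:
        return "Normalization"          # invalid header length
    return None


def check_state(flow: Flow, p: Packet) -> Optional[str]:
    """Flow-table checks: the first packet opens state, later ones must fit the window."""
    if not flow.established:
        if flow.strict and not p.flags & SYN:
            return "State-mismatch"     # TCP Strict: first packet must be a SYN
        if flow.rule_action in ("drop", "reject"):
            return "Match"              # new flow hit a Drop/Reject rule
        flow.established = True
        flow.seq_lo, flow.seq_hi = p.seq, p.seq + 1   # only the SYN until the peer grants a window
        flow.ack_lo = flow.ack_hi = p.ack
        return None
    if p.seq + p.payload_len > flow.seq_hi:
        return "State-mismatch"         # next sequence number exceeds the window maximum
    if p.seq < flow.seq_lo:
        return "State-mismatch"         # starting sequence number below the window minimum
    if not flow.ack_lo <= p.ack <= flow.ack_hi:
        return "State-mismatch"         # ack number outside the acceptable range
    flow.ack_lo = max(flow.ack_lo, p.ack)
    return None


def filter_packet(flow: Flow, p: Packet, stats: Counter) -> str:
    """Apply the checks in order and count the outcome per reason code."""
    reason = check_headers(p)
    if reason is None and p.ip_options and not flow.allow_ip_options:
        reason = "IP Options"
    if reason is None:
        reason = check_state(flow, p)
    stats[reason or "pass"] += 1
    return reason or "pass"


def demo() -> dict:
    """Feed a constructed client->server flow through the checks; returns the counters."""
    stats: Counter = Counter()
    flow = Flow(strict=True)
    hdr = dict(ip_version=4, ip_hdr_len=20, tcp_hdr_len=20)

    def pkt(n: int, **kw) -> Packet:          # well-formed packet of n bytes
        return Packet(**hdr, total_len=n, wire_len=n, **kw)

    filter_packet(flow, pkt(40, flags=ACK, seq=5000, ack=1), stats)      # ACK before SYN: State-mismatch
    filter_packet(flow, pkt(40, flags=SYN, seq=1000, ack=0), stats)      # SYN, ISN 1000: pass
    flow.grant_window(peer_seq_end=9001, peer_ack=1001, peer_window=1024, peer_wscale=0)
    filter_packet(flow, pkt(140, flags=ACK, seq=1001, ack=9001), stats)  # 100 bytes inside window: pass
    filter_packet(flow, pkt(140, flags=ACK, seq=2000, ack=9001), stats)  # ends at 2100 > 2025: State-mismatch
    filter_packet(flow, pkt(40, flags=ACK, seq=900, ack=9001), stats)    # stale seq < 1000: State-mismatch
    filter_packet(flow, pkt(40, flags=ACK, seq=1101, ack=9500), stats)   # acks data never sent: State-mismatch
    filter_packet(flow, Packet(**hdr, total_len=40, wire_len=30, flags=ACK, seq=1101, ack=9001), stats)   # Short Packet
    filter_packet(flow, Packet(**hdr, total_len=200, wire_len=140, flags=ACK, seq=1101, ack=9001), stats)  # Normalization
    filter_packet(flow, pkt(40, flags=ACK, seq=1101, ack=9001, ip_options=True), stats)  # IP Options
    filter_packet(Flow(rule_action="drop"), pkt(40, flags=SYN, seq=1, ack=0), stats)     # Match
    return dict(stats)


if __name__ == "__main__":
    print(demo())
```

The header checks run before the state lookup, which is why a truncated or mis-sized packet is counted under Short Packet or Normalization even when its sequence numbers would have fit the window; a retransmission of old data is counted as a State-mismatch only once it falls below the low edge of the window.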