PF reason codes in NSX for vSphere 6.x
search cancel

PF reason codes in NSX for vSphere 6.x

book

Article ID: 301324

calendar_today

Updated On:

Products

VMware NSX Networking

Issue/Introduction

This article provides information listing PF reason codes in NSX for vSphere 6.x.

Environment

VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.3.x

Resolution

Distributed Firewall (DFW) tracks both the state transition of the TCP flow in both directions based upon TCP flags (SYN/ACK/FIN/RST) and the sliding sequence number window (low and high) based upon current sequence number, ack number from the peer, and the window size including the window scaling value.

DFW also does the sanity check on IP/TCP/UDP headers to ensure that the headers are valid.

DFW also deals with fragmented packets and ensures that all the fragments for a packet id are received and can be reconstructed. There is also a maximum number of pending fragment buffers to protect against a fragment attack.

DFW maintains stats for the following Drop Packet Reason Codes. The explanation of these codes and the various reasons are given here

New basic output format is shown here.

Note: pass and drop counts are always displayed. The other counters are displayed if they contain non-zero values.

For example:

/root:12 > vsipioctl getfilterstat -f nic-1023172-eth0-vmware-sfw.2


 
  • Match: If a packet hits a Drop or a Reject Rule.
  • State-mismatch: Caused due to detection of invalid state (TCP Flags) or TCP sequence or ack number in the packet.
Typical causes are:
  • The current payloads next sequence number (current sequence number + length of tcp payload) may exceed the acceptable maximum window sequence number.
  • The current payloads starting sequence number may be less than the acceptable minimum window sequence number.
  • The current payloads ack number may be less or greater than the acceptable minimum window acknowledgement number.
  • If TCP Strict flag is enabled, of the first packet is not a SYN packet.
  • If processing an ALG packet, FTP/TFTP/ORACLE/MS-RPC/DCE-RPC, an error is encountered.
  • Memory: Caused by failure to allocate memory for one of many data structures/buffers.
Typical causes are:
  • Maximum number of supported states in the Host exceeded.
  • Maximum number of fragment buffers per filter exceed.
  • Under memory stress conditions, one of many allocation failure during packet processing.
  • State Insertion: Caused by failure to insert the state in the Flow Table.
The following can happen principally because of:
  • Memory constraints.
  • Duplicate Session (Rarely).
  • Fragment: Due to fragment handling.
Caused by:
  • Invalid Fragment offset.
  • Fragment reassembly timer expiring.
  • ICMP error messages don't refer to non-first fragments in the inner packet.
  • Short Packet: IP or Transport header length being short of minimum.
  • Spoofguard: Caused by Spoofguard implementation.
Caused by:
  • Invalid ARP packet mac value.
  • Invalid ARP packet ip value.
  • Invalid mac address.
  • Invalid IP Address.
  • Normalization: Invalid IP or Transport header.
Caused by:
  • Invalid IP Version.
  • Invalid Packet length.
  • Invalid Header Length.
  • IP Options: If a packet matches a rule which does not allow IP Options.


Additional Information

简体中文:NSX for vSphere 6.x 中的 PF 原因代码