This article lists the PF reason codes in NSX-T Data Center.
VMware NSX-T Data Center 3.x
VMware NSX-T Data Center 4.x
Field | Meaning |
---|---|
mac | The MAC address of the vNIC (virtual NIC) to which this DFW filter is attached. |
FW algorithm | The internal filter-pipeline version in use (e.g. “FP2” = Filter Path v2 engine). |
sessions | Number of application-helper (ALG) or connection-tracking sessions currently held in the session table. |
flags | A hex bitmask of enabled filter features or modes (e.g. strict TCP state, normalization, fragment handling, etc.). |
states | Count of active state-tracking entries (bidirectional TCP/UDP flow states) in the state table. |
rules | How many firewall rules have been loaded into this filter instance from your DFW policy. |
table count | Number of lookup tables or pipeline stages the engine uses (for example, one for L2, one for L3/L4). |
filter version | Internal build/release number of the dvfilter binary module that’s running on this host. |
ruleset gen | Generation number of the currently loaded ruleset configuration—this increments every time you push a new policy. |
hash | Integrity checksum or hash of the loaded filter code and/or ruleset, used to detect mismatches or reloads. |
last purge | Timestamp (in seconds since the filter or host boot) when the last cleanup cycle ran to remove expired state/fragment entries. |
Typical causes are:
- The current payload's next sequence number (current sequence number + length of TCP payload) may exceed the acceptable maximum window sequence number.
- The current payload's starting sequence number may be less than the acceptable minimum window sequence number.
- The current payload's ack number may be less than or greater than the acceptable minimum window acknowledgement number.
- The TCP Strict flag is enabled and the first packet is not a SYN packet.
- An error is encountered while processing an ALG packet (FTP/TFTP/ORACLE/MS-RPC/DCE-RPC).
Typical causes are:
- Maximum number of supported states in the Host exceeded.
- Maximum number of fragment buffers per filter exceeded.
- Under memory stress conditions, one of many allocation failures during packet processing.
This can happen principally because of:
- Memory constraints.
- Duplicate session (rarely).
Caused by:
- Invalid Fragment offset.
- Fragment reassembly timer expiring.
- ICMP error messages don't refer to non-first fragments in the inner packet.
Caused by:
- Invalid ARP packet MAC value.
- Invalid ARP packet IP value.
- Invalid MAC address.
- Invalid IP Address.
Caused by:
- Invalid IP Version.
- Invalid Packet length.
- Invalid Header Length.