NSX-T DFW dvfilter is present on vNICs connected to DVS

Article ID: 306192


Products

VMware vDefend Firewall, VMware NSX

Issue/Introduction

Symptoms:

  • vNICs connected to a DVS (not an N-VDS) of VMs running on an NSX-T-prepared ESXi host have a DFW dvfilter (agent vmware-sfw) applied in slot 2.

Example:

[root@esx-04a:~] summarize-dvfilter
world 436295 vmm0:UPSA-1 vcUuid:'50 08 3f 71 e3 cb 48 00-3f e1 ## ## ## ## ##'
 port 33554439 UPSA-1
  vNic slot 2
  name: nic-#####-eth1-vmware-sfw.2 <<<<<
 agentName: vmware-sfw
   state: IOChain Detached
   vmState: Detached
   failurePolicy: failClosed
   slowPathID: none
   filter source: Dynamic Filter Creation

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware NSX-T Data Center 2.x
VMware NSX-T Data Center

Cause

When the ESXi host is prepared for NSX-T, all vNICs see the DFW dvfilter applied in slot 2, regardless of the switch they are connected to. This is by design.

Resolution

This issue is resolved in NSX-T 2.5.0.

As it is not possible from a product standpoint to completely remove the NSX-T DFW dvfilter from vNICs that are not connected to an N-VDS, the default behavior of the DFW dvfilter was changed in NSX-T 2.5.0.
The DFW dvfilter now bypasses traffic inspection and validation when no DFW rule is configured in it. Because vNICs not connected to an N-VDS never receive a DFW rule configuration, traffic on those vNICs is left untouched.

Workaround:
If the presence of the DFW dvfilter causes a traffic issue, as a temporary workaround, it can be manually removed from the vNIC:

  1. Get the World ID of the intended VM:

Search for the VM name in the list.
In this example, World ID = 436295

[root@esx-04a:~] esxcli vm process list
UPSA-1
   World ID: 436295
   Process ID: 0
   VMX Cartel ID: 436294
   UUID: 42 08 06 31 ac a4 62 b9-59 ## ## ## ##
   Display Name: UPSA-1
   Config File: /vmfs/volumes/5c828646-ece0268c-434d-00505601b16e/UPSA-1/UPSA-1.vmx

  2. Get the filter name for the vNIC (the one with the vmware-sfw filter in slot 2):

Search for the VM name and vNIC in the list.
In this example, filter = nic-######-eth1-vmware-sfw.2

[root@esx-04a:~] summarize-dvfilter
world 436295 vmm0:UPSA-1 vcUuid:'50 08 3f 71 e3 cb 48 00-3f ## ## ## ## ##'
 port 33554439 UPSA-1
  vNic slot 2
  name: nic-#######-eth1-vmware-sfw.2
 agentName: vmware-sfw
   state: IOChain Detached
   vmState: Detached
   failurePolicy: failClosed
   slowPathID: none
   filter source: Dynamic Filter Creation
  vNic slot 12
  name: nic-#####-eth1-vmware-si.12

  3. Get the vNIC UUID:

Search for the filter name found previously.
In this example, vNIC UUID = 50083f71-e3cb-4800-3fe1-############.001

[root@esx-04a:~] vsipioctl getfilters
Filter Name              : nic-#######-eth1-vmware-sfw.2
VM UUID                  : 50 08 3f 71 e3 cb 48 00-3f e1 ## ## ## ## ##
VNIC Index               : 1
VNIC UUID                : 50083f71-e3cb-4800-3fe1-a5f9#########.001
Service Profile          : --NOT SET--
Filter Hash              : 42546

  4. Remove the vmware-sfw filter from the vNIC on the VM world.

Replace the vNIC UUID and World ID by the values noted previously.
In this example, vNIC UUID = 50083f71-e3cb-4800-3fe1-a5f9#######.001 and World ID = 436###

[root@esx-04a:~] vsipioctl setfiltertables -Override -a vmware-sfw -e -n 50083f71-e3cb-4800-3fe1-a5f9#########.001 -w 436295

  5. Confirm the vmware-sfw filter is no longer present on the vNIC:

Search for the VM name in the list. The vNIC no longer shows a slot 2 entry.
In this example, only slot 12 (vmware-si) remains.

[root@esx-04a:~] summarize-dvfilter
world 436295 vmm0:UPSA-1 vcUuid:'50 08 3f 71 e3 cb 48 00-3f e1 a5 ## ## ## ## ##'
 port 33554439 UPSA-1
  vNic slot 12
  name: nic-######-eth1-vmware-si.12
 agentName: vmware-si
   state: IOChain Detached
   vmState: Detached
   failurePolicy: failOpen
   slowPathID: none
   filter source: Dynamic Filter Creation
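The five steps above combined into an audit script, as an added example that is not part of the KB: it reads constructed summarize-dvfilter and vsipioctl getfilters output, picks out only slot-2 vmware-sfw filters, looks up each vNIC UUID and prints the matching setfiltertables command instead of running it. The function names and every ID in the samples are made up.

```shell
# Added example, not part of the KB: find vNICs whose slot 2 carries the vmware-sfw
# filter, resolve each vNIC UUID from vsipioctl getfilters output, and print (not
# run) the KB's removal command for review. All IDs and outputs below are constructed.
# Constructed summarize-dvfilter excerpt: two VMs; the slot-12 vmware-si filter must stay.
sample_dvfilter() {
cat <<'EOF'
world 436295 vmm0:UPSA-1 vcUuid:'50 08 3f 71 e3 cb 48 00-3f e1 aa bb cc dd ee'
 port 33554439 UPSA-1
  vNic slot 2
  name: nic-436295-eth1-vmware-sfw.2
 agentName: vmware-sfw
  vNic slot 12
  name: nic-436295-eth1-vmware-si.12
 agentName: vmware-si
world 436301 vmm0:UPSA-2 vcUuid:'50 08 3f 71 e3 cb 48 00-3f e1 11 22 33 44 55'
 port 33554440 UPSA-2
  vNic slot 2
  name: nic-436301-eth0-vmware-sfw.2
 agentName: vmware-sfw
EOF
}
# Constructed vsipioctl getfilters excerpt (other fields omitted).
sample_getfilters() {
cat <<'EOF'
Filter Name              : nic-436295-eth1-vmware-sfw.2
VNIC Index               : 1
VNIC UUID                : 50083f71-e3cb-4800-3fe1-aabbccddee00.001
Filter Name              : nic-436301-eth0-vmware-sfw.2
VNIC Index               : 0
VNIC UUID                : 50083f71-e3cb-4800-3fe1-112233445500.000
EOF
}
# Print "<world id> <filter name>" for every slot-2 vmware-sfw filter on stdin.
sfw_filters() {
  awk '$1 == "world" { world = $2 }
       $1 == "vNic" && $2 == "slot" { slot = $3 }
       $1 == "name:" && slot == 2 && $2 ~ /-vmware-sfw\.2$/ { print world, $2 }'
}
# Print the VNIC UUID that getfilters output on stdin records for filter $1.
vnic_uuid_for() {
  awk -v f="$1" '/^Filter Name/ { hit = ($NF == f) }
                 hit && /^VNIC UUID/ { print $NF; exit }'
}
# Build the KB workaround command for world $1 and filter $2; review it before running.
removal_cmd() {
  printf 'vsipioctl setfiltertables -Override -a vmware-sfw -e -n %s -w %s\n' \
    "$(sample_getfilters | vnic_uuid_for "$2")" "$1"
}
sample_dvfilter | sfw_filters | while read -r world filter; do removal_cmd "$world" "$filter"; done
```

To use it on a host, replace the two sample_* functions with the real summarize-dvfilter and vsipioctl getfilters commands and check the printed commands before executing any of them.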
Additional Information

Impact/Risks:

vNICs that are not connected to an N-VDS have the DFW dvfilter applied, yet no DFW rule can be configured for them from NSX-T Manager.
The DFW dvfilter nevertheless inspects and validates their traffic, so packets it considers invalid may be dropped.