Symptoms:
Example:
[root@esx-04a:~] summarize-dvfilter
world 436295 vmm0:UPSA-1 vcUuid:'50 08 3f 71 e3 cb 48 00-3f e1 ## ## ## ## ##'
 port 33554439 UPSA-1
  vNic slot 2
   name: nic-#####-eth1-vmware-sfw.2   <<<<<
   agentName: vmware-sfw
   state: IOChain Detached
   vmState: Detached
   failurePolicy: failClosed
   slowPathID: none
   filter source: Dynamic Filter Creation
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
This issue is resolved in NSX-T 2.5.0.
Because, from a product standpoint, the NSX-T DFW dvfilter cannot be completely removed from vNICs that are not connected to an N-VDS, NSX-T 2.5.0 changes the default behavior of that dvfilter instead.
The DFW dvfilter now bypasses traffic inspection and validation when no DFW rule is configured in it. Since vNICs that are not connected to an N-VDS never receive a DFW rule configuration, traffic on those vNICs is left untouched.
Workaround:
If the presence of the DFW dvfilter causes a traffic issue, as a temporary workaround, it can be manually removed from the vNIC:
1. Run esxcli vm process list and search for the VM name in the output. Note its World ID.
   In this example, World ID = 436295

   [root@esx-04a:~] esxcli vm process list
   UPSA-1
      World ID: 436295
      Process ID: 0
      VMX Cartel ID: 436294
      UUID: 42 08 06 31 ac a4 62 b9-59 ## ## ## ##
      Display Name: UPSA-1
      Config File: /vmfs/volumes/5c828646-ece0268c-434d-00505601b16e/UPSA-1/UPSA-1.vmx

2. Run summarize-dvfilter and search for the VM name and vNIC in the output. Note the name of the vmware-sfw filter.
   In this example, filter = nic-######-eth1-vmware-sfw.2

   [root@esx-04a:~] summarize-dvfilter
   world 436295 vmm0:UPSA-1 vcUuid:'50 08 3f 71 e3 cb 48 00-3f ## ## ## ## ##'
    port 33554439 UPSA-1
     vNic slot 2
      name: nic-#######-eth1-vmware-sfw.2
      agentName: vmware-sfw
      state: IOChain Detached
      vmState: Detached
      failurePolicy: failClosed
      slowPathID: none
      filter source: Dynamic Filter Creation
     vNic slot 12
      name: nic-#####-eth1-vmware-si.12

3. Run vsipioctl getfilters and search for the filter name found in the previous step. Note its VNIC UUID.
   In this example, vNIC UUID = 50083f71-e3cb-4800-3fe1-############.001

   [root@esx-04a:~] vsipioctl getfilters
   Filter Name : nic-#######-eth1-vmware-sfw.2
   VM UUID : 50 08 3f 71 e3 cb 48 00-3f e1 ## ## ## ## ##
   VNIC Index : 1
   VNIC UUID : 50083f71-e3cb-4800-3fe1-a5f9#########.001
   Service Profile : --NOT SET--
   Filter Hash : 42546

4. Run vsipioctl setfiltertables, replacing the vNIC UUID and World ID with the values noted in the previous steps.
   In this example, vNIC UUID = 50083f71-e3cb-4800-3fe1-a5f9#######.001 and World ID = 436###

   [root@esx-04a:~] vsipioctl setfiltertables -Override -a vmware-sfw -e -n 50083f71-e3cb-4800-3fe1-a5f9#########.001 -w 436295

5. Run summarize-dvfilter again and search for the VM name in the output. Slot 2 is no longer present on the vNIC.
   In this example, only slot 12 remains.

   [root@esx-04a:~] summarize-dvfilter
   world 436295 vmm0:UPSA-1 vcUuid:'50 08 3f 71 e3 cb 48 00-3f e1 a5 ## ## ## ## ##'
    port 33554439 UPSA-1
     vNic slot 12
      name: nic-######-eth1-vmware-si.12
      agentName: vmware-si
      state: IOChain Detached
      vmState: Detached
      failurePolicy: failOpen
      slowPathID: none
      filter source: Dynamic Filter Creation
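The lookups in the workaround above (World ID, vmware-sfw filter name, vNIC UUID) and the final check that no vmware-sfw slot remains can be scripted against the outputs of the same ESXi commands. The script below is an added example, not part of this KB or of the product: it parses constructed samples of the three outputs (the UUIDs and the nic-XXXXX filter numbers are placeholders) and assembles the removal command without executing it.

```shell
# Added example, not from the KB: parse the outputs of the ESXi commands the
# workaround uses. All samples are constructed; UUIDs and nic-XXXXX are placeholders.

# Constructed sample of: esxcli vm process list (a second VM as noise)
ESXCLI_OUT='OTHER-VM
   World ID: 123456
UPSA-1
   World ID: 436295
   Display Name: UPSA-1'
# Constructed sample of: summarize-dvfilter output for world 436295, before removal
DVFILTER_BEFORE="world 436295 vmm0:UPSA-1 vcUuid:'50 08 3f 71 00 00 00 00-00 00 00 00 00 00 00 00'
  vNic slot 2
   name: nic-XXXXX-eth1-vmware-sfw.2
   agentName: vmware-sfw
   failurePolicy: failClosed
  vNic slot 12
   name: nic-XXXXX-eth1-vmware-si.12
   agentName: vmware-si
   failurePolicy: failOpen"
# Constructed sample of: vsipioctl getfilters
GETFILTERS_OUT='Filter Name : nic-XXXXX-eth1-vmware-sfw.2
VM UUID : 50 08 3f 71 00 00 00 00-00 00 00 00 00 00 00 00
VNIC UUID : 50083f71-0000-0000-0000-000000000000.001'

# World ID of the VM named $1 (stdin: esxcli vm process list output)
world_id_for_vm() {
  awk -v vm="$1" '/^[^ ]/ { cur = $0; next }
                  cur == vm && /World ID:/ { print $NF; exit }'
}
# DFW (vmware-sfw) filters as "name failurePolicy" (stdin: summarize-dvfilter); no output = none attached
sfw_filters() {
  awk '/^ *name:/ { name = $2 }
       /^ *agentName:/ { agent = $2 }
       /^ *failurePolicy:/ { if (agent == "vmware-sfw") print name, $2 }'
}
# vNIC UUID recorded for filter $1 (stdin: vsipioctl getfilters output)
vnic_uuid_for_filter() {
  awk -v f="$1" '/^Filter Name/ { cur = $NF }
                 cur == f && /^VNIC UUID/ { print $NF; exit }'
}
# The KB's removal command for the values found: assembled, not executed
detach_command() {  # $1 = vNIC UUID, $2 = World ID
  printf 'vsipioctl setfiltertables -Override -a vmware-sfw -e -n %s -w %s\n' "$1" "$2"
}
# Walk the lookups end to end (first vmware-sfw filter only) and print the removal command
WORLD=$(printf '%s\n' "$ESXCLI_OUT" | world_id_for_vm UPSA-1)
FILTER=$(printf '%s\n' "$DVFILTER_BEFORE" | sfw_filters | awk 'NR == 1 { print $1 }')
VNIC=$(printf '%s\n' "$GETFILTERS_OUT" | vnic_uuid_for_filter "$FILTER")
detach_command "$VNIC" "$WORLD"
```

Run the same functions on the real command outputs on the host; an empty result from sfw_filters after the workaround confirms that no DFW dvfilter is left on the VM's vNICs.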
Impact/Risks:
vNICs that are not connected to an N-VDS have a DFW dvfilter applied, yet no DFW rule can be configured on them from the NSX-T Manager.
The DFW dvfilter nevertheless still inspects and validates the traffic, which can cause packet drops when a packet is considered invalid.