L7 DFW Rules don't take effect when performing hot add memory or storage vMotion.

Article ID: 307347


Products

VMware NSX

Issue/Introduction

Symptoms:
Active L7 flows which are migrated as part of a vMotion may lose connectivity.
The issue is resolved when DFW rules are republished after the vMotion import, or VMs are placed in the exclusion list.
The issue can occur with both VMs on VXLAN and VLAN backed port groups.

Environment

VMware NSX Data Center for vSphere 6.4.x

Cause

This issue affects active flows which had matched L7 allow rules prior to a vMotion.
Upon import of the DFW state on the destination host, these flows may miss the expected L7 rule and match a lower priority L4 rule.
If the action associated with the newly-matched rule is DROP, then the flow will become disconnected.
The root cause is that the attribute tree is not included in the DFW data exported when performing a vMotion.
Once the DFW configuration is reprogrammed from the control plane after the import, new flows will match L7 rules as expected.
This issue only affects flows which have matched L7 allow rules prior to vMotion. Flows matching L4 DFW rules are not impacted.
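
The fall-through described above can be checked ahead of a migration. The following is an added example, not VMware code and not an NSX API: a simplified first-match model that lists active flows whose verdict would change from an L7 ALLOW to an L4 DROP while the L7 attributes are unavailable after import. The rule ids, app-id labels, VM names and flows are constructed for illustration.

```python
from collections import namedtuple

# proto: "tcp"/"udp"/"any"; dport None = any port; app_id None = plain L4 rule.
Rule = namedtuple("Rule", "rule_id proto dport app_id action")
Flow = namedtuple("Flow", "vm proto dport app_id")

def first_match(rules, flow, attrs_available=True):
    """First-match evaluation, top-down. attrs_available=False models the
    imported state without the attribute tree: L7 rules cannot match."""
    for r in rules:
        if r.proto not in ("any", flow.proto) or r.dport not in (None, flow.dport):
            continue
        if r.app_id is not None and (not attrs_available or r.app_id != flow.app_id):
            continue
        return r
    return None

def at_risk(rules, flows):
    """Return (vm, l7_rule_id, fallback_rule_id) for flows going ALLOW -> DROP."""
    findings = []
    for f in flows:
        before = first_match(rules, f)
        after = first_match(rules, f, attrs_available=False)
        if (before and before.app_id and before.action == "ALLOW"
                and after and after.action == "DROP"):
            findings.append((f.vm, before.rule_id, after.rule_id))
    return findings

# Constructed sample data (ids, app-id labels and VM names are illustrative).
RULES = [
    Rule(1001, "tcp", 443, "TLS", "ALLOW"),   # L7 allow, no L4 allow beneath it
    Rule(1002, "tcp", 22, "SSH", "ALLOW"),    # L7 allow
    Rule(1003, "tcp", 22, None, "ALLOW"),     # L4 allow covering the same port
    Rule(1004, "udp", 53, None, "ALLOW"),     # L4 only
    Rule(1005, "any", None, None, "DROP"),    # default drop
]
FLOWS = [
    Flow("web-01", "tcp", 443, "TLS"),
    Flow("jump-01", "tcp", 22, "SSH"),
    Flow("dns-01", "udp", 53, None),
]

if __name__ == "__main__":
    for vm, l7, l4 in at_risk(RULES, FLOWS):
        print(f"{vm}: L7 allow rule {l7} falls through to DROP rule {l4}")
```

In this sample only the web-01 flow is flagged: the jump-01 flow falls through to an L4 allow on the same port, and the dns-01 flow never depended on an L7 rule.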

Resolution

Currently there is no resolution to this issue.

Workaround:
Currently there is no workaround for this issue.