Traffic bypassing SVMs after vMotion in NSX-T
search cancel

Traffic bypassing SVMs after vMotion in NSX-T


Article ID: 311841


Updated On:


VMware NSX Networking


Guest VM connected to NSX-T segment and integrates with 3rd party SVM for traffic processing. After Guest VM vMotion, the traffic is no longer redirecting to SVM for processing and bypass it completely.

Guest VM need to start a new session to redirect traffic to SVM for processing again.

This can be verified by running esxtop command on the ESXi host where the SVM reside, press n for networking view to confirm traffic going through the SVM interface.


VMware NSX-T Data Center


During Guest VM vMotion, NSX is not able to learn the IP address of the VM since VMware tools service will be stop and start again after vMotion is completed. Therefore, Guest VM traffic will not match the security policies and redirect to SVM for processing during this time.


This is a known issue in NSX-T 3.x. DHCP snooping and VM tools is vMotion aware from NSX-T 4.1.1.

Create a new IP discovery profile, disable DHCP snooping and enabled ARP snooping while keep everything else as default. Apply it to the NSX segment. This will allow NSX to also learn IP address of the Guest VM via ARP snooping rather relying on only VMware tools running.

Please refer to KB below for more details.