Stateful unidirectional DFW rule has different behaviour in NSX-V vs NSX-T for TFTP
Article ID: 311858
Products
VMware NSX
Issue/Introduction
Symptoms: After a V to T migration, the same stateful unidirectional DFW rule that was created in NSX-V does not work in NSX-T for TFTP traffic: the TFTP traffic is blocked in the outbound direction.
In NSX-V, the user only needed to create a single TFTP rule allowing traffic to the TFTP server in the IN direction. The outbound traffic from the TFTP server passed without a second rule for the OUT direction.
In NSX-T, however, the user is required to create a second rule allowing the OUT direction traffic for TFTP.
Environment
VMware NSX-T Data Center 3.x
Cause
TFTP traffic is not intended to be handled by a single in/out rule. TFTP can be set to use a custom port, but NSX-V rules could not accommodate this. This was fixed in NSX-T.
Resolution
This is a known issue in NSX-V that is resolved in NSX-T. NSX-T is behaving correctly: an additional rule is required to allow the outbound traffic from the TFTP server.
This issue does not impact other ALG services (such as FTP, CIFS, ORACLE TNS, MS-RPC, and SUN-RPC). It is specific to the TFTP service only.
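As an added illustration (not VMware code, and a deliberate simplification of the NSX datapath), the following Python models a stateful, default-deny firewall applied at the TFTP server's vNIC. It shows why the reply needs its own OUT rule: a TFTP server answers from a newly chosen port, so the reply is not the reverse of the tracked flow, whereas a DNS reply from UDP/53 is. The addresses and ports are constructed values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    direction: str            # "IN" or "OUT", relative to the protected VM
    dst_port: Optional[int]   # None matches any destination port

class StatefulVnicFirewall:
    """Toy model (assumed, simplified): a packet allowed by a rule creates a flow
    entry so its exact reverse 5-tuple is accepted without re-evaluating rules."""
    def __init__(self, vm_ip, rules):
        self.vm_ip, self.rules, self.flows = vm_ip, list(rules), set()

    def process(self, p):
        key = ("UDP", p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key in self.flows:                      # part of an already tracked flow
            return "ALLOW"
        direction = "IN" if p.dst_ip == self.vm_ip else "OUT"
        for r in self.rules:
            if r.direction == direction and r.dst_port in (None, p.dst_port):
                self.flows.add(key)                # track the forward tuple ...
                self.flows.add(("UDP", p.dst_ip, p.dst_port, p.src_ip, p.src_port))  # ... and its reverse
                return "ALLOW"
        return "DROP"                              # default deny

SERVER, CLIENT = "10.0.0.9", "10.0.0.5"            # constructed addresses

def tftp_exchange(fw):
    """Constructed TFTP exchange (RFC 1350): the client sends RRQ to UDP/69 and
    the server replies from a freshly chosen port (its TID), not from 69."""
    rrq = Packet(CLIENT, 40000, SERVER, 69)
    data = Packet(SERVER, 51234, CLIENT, 40000)    # new source port: no flow match
    return fw.process(rrq), fw.process(data)

def dns_exchange(fw):
    """Constructed DNS exchange for contrast: the reply comes back from UDP/53,
    so it is the exact reverse of the tracked flow and one IN rule suffices."""
    query = Packet(CLIENT, 40001, SERVER, 53)
    reply = Packet(SERVER, 53, CLIENT, 40001)
    return fw.process(query), fw.process(reply)

if __name__ == "__main__":
    only_in = [Rule("IN", 69), Rule("IN", 53)]
    with_out = only_in + [Rule("OUT", None)]       # second rule for the TFTP server's replies
    print("TFTP, IN rule only :", tftp_exchange(StatefulVnicFirewall(SERVER, only_in)))   # ('ALLOW', 'DROP')
    print("TFTP, IN + OUT rule:", tftp_exchange(StatefulVnicFirewall(SERVER, with_out)))  # ('ALLOW', 'ALLOW')
    print("DNS,  IN rule only :", dns_exchange(StatefulVnicFirewall(SERVER, only_in)))    # ('ALLOW', 'ALLOW')
```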