While troubleshooting excessive logging on ESXi hosts, a large number of WARNING messages relating to DHCP are found in the logs. The DHCP servers are connected to an NSX-T backed segment.
In vmkwarning.log on the affected ESXi host, the following warning messages are seen:
2023-04-28T00:45:29.526Z cpu74:15496437)WARNING: swsec.throttle: SwSecDhcpParse:348: [nsx@6876 comp="nsx-esx" subcomp="swsec-19232397"]Filter 0x800003e No lease time option in DHCPACK
2023-04-28T00:45:29.526Z cpu74:15496437)WARNING: swsec.throttle: SwSecDhcpParse:348: [nsx@6876 comp="nsx-esx" subcomp="swsec-19232397"]Filter 0x800003e No lease time option in DHCPACK
2023-04-28T00:45:29.526Z cpu74:15496437)WARNING: swsec.throttle: SwSecDhcpParse:348: [nsx@6876 comp="nsx-esx" subcomp="swsec-19232397"]Filter 0x800003e No lease time option in DHCPACK.
The warning is raised because the DHCPACK does not carry the IP address lease time option (option 51), which the NSX switch-security DHCP parser expects in every DHCPACK.
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
The root cause is that the NSX switch-security DHCP parser does not account for the DHCPINFORM message type defined in RFC 2131. A DHCPACK sent in reply to a DHCPINFORM only confirms configuration parameters for a client that already has an address; per RFC 2131 the server must not include a lease time in it. The parser treats every DHCPACK without option 51 as malformed and logs the warning, so each DHCPINFORM exchange on the segment produces one of these messages.
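The distinction the parser misses, as an added example that is not NSX or VMware code: a minimal DHCP message parser that extracts the message type (option 53) and lease time (option 51), then classifies a DHCPACK. A reply to DHCPINFORM carries the client's existing address in ciaddr, leaves yiaddr at 0.0.0.0 and has no option 51, which is correct and should not be warned about; only an ACK that assigns yiaddr without a lease time is genuinely malformed. The packets are constructed by the `build_ack` helper, not captured traffic, and the classification rule is this example's own, not the rule inside the NSX parser.

```python
"""Minimal DHCP parser that tells a DHCPACK sent in reply to DHCPINFORM (no lease
time by design, RFC 2131 section 4.3.5) from a DHCPACK that is genuinely missing
option 51. Added example, not NSX code; sample packets are constructed."""
import ipaddress
import struct
from typing import Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie at offset 236
OPT_PAD, OPT_END = 0, 255
OPT_SUBNET_MASK = 1
OPT_LEASE_TIME = 51                # IP address lease time
OPT_MSG_TYPE = 53
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
BOOTREPLY = 2


def parse_dhcp(pkt: bytes) -> dict:
    """Parse a BOOTP/DHCP message (UDP payload only) into fixed fields and options."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (too short or bad magic cookie)")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    ciaddr, yiaddr, siaddr, giaddr = (str(ipaddress.IPv4Address(pkt[o:o + 4]))
                                      for o in (12, 16, 20, 24))
    options = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value          # last occurrence wins, as in most stacks
        i += 2 + length
    if OPT_MSG_TYPE not in options or len(options[OPT_MSG_TYPE]) != 1:
        raise ValueError("missing or invalid DHCP message type (option 53)")
    lease = options.get(OPT_LEASE_TIME)
    return {
        "op": op, "xid": xid,
        "ciaddr": ciaddr, "yiaddr": yiaddr, "siaddr": siaddr, "giaddr": giaddr,
        "msg_type": MSG_TYPES.get(options[OPT_MSG_TYPE][0], "UNKNOWN"),
        "lease_time": struct.unpack("!I", lease)[0] if lease is not None and len(lease) == 4 else None,
        "options": options,
    }


def classify_ack(msg: dict) -> str:
    """How a snooping parser should treat a DHCPACK (this example's rule, not NSX's)."""
    if msg["msg_type"] != "DHCPACK":
        return "not-an-ack"
    if msg["lease_time"] is not None:
        return "ack-with-lease"        # normal assignment: learn the binding from yiaddr
    if msg["yiaddr"] == "0.0.0.0" and msg["ciaddr"] != "0.0.0.0":
        return "inform-reply"          # expected per RFC 2131: nothing to learn, no warning
    return "ack-missing-lease"         # assigns an address but no lease: warn


def build_ack(xid: int, ciaddr: str, yiaddr: str, lease_time: Optional[int]) -> bytes:
    """Constructed DHCPACK for testing (not captured traffic)."""
    chaddr = bytes.fromhex("005056000001") + bytes(10)
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0)
    hdr += b"".join(ipaddress.IPv4Address(a).packed
                    for a in (ciaddr, yiaddr, "10.0.0.1", "0.0.0.0"))
    hdr += chaddr + bytes(64) + bytes(128) + DHCP_MAGIC       # sname, file, cookie
    opts = bytes([OPT_MSG_TYPE, 1, 5, OPT_SUBNET_MASK, 4, 255, 255, 255, 0])
    if lease_time is not None:
        opts += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease_time)
    return hdr + opts + bytes([OPT_END])


if __name__ == "__main__":
    normal = build_ack(0x1234, "0.0.0.0", "10.0.0.50", 86400)   # ACK to DHCPREQUEST
    inform = build_ack(0x1235, "10.0.0.50", "0.0.0.0", None)    # ACK to DHCPINFORM
    for name, pkt in (("ACK to REQUEST", normal), ("ACK to INFORM", inform)):
        print(name, "->", classify_ack(parse_dhcp(pkt)))
```

Run the block directly to see both sample packets classified; the point of the `inform-reply` branch is that a parser which keys only on "DHCPACK without option 51" cannot tell the two apart, which is exactly what produces the warning on the page.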
Currently, there is no resolution.
To work around the issue, disable DHCP snooping as the IP discovery method by applying the following settings:
1. Create a custom IP discovery profile with every field the same as the existing profile.
2. Disable DHCP snooping in the new profile.
3. Make sure at least one other IP discovery method remains enabled, for example ARP snooping or VMware Tools.
4. Apply the profile to the logical segment that is served by the DHCP server.
If only a small number of VMs use a similar configuration, the custom IP discovery profile can be applied to the switch ports of those VMs. Otherwise, a custom IP discovery profile with DHCP snooping disabled needs to be applied to the logical segment.
With this workaround, DHCP packets are no longer parsed by NSX switch-security. IP discovery is based on ARP snooping or VMware Tools and no longer uses DHCP.
These are warning messages only and have no operational impact on the environment.
The impact of the workaround is that DHCP snooping is no longer used on the affected ports or segment. Because NSX uses the discovered addresses for SpoofGuard and for resolving VM-based groups in distributed firewall rules, confirm that the remaining method (ARP snooping or VMware Tools) still populates the address bindings of the affected VMs before applying the profile more broadly.
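The four workaround steps expressed against the NSX-T Policy API, as an added example that is not VMware-provided code: clone the profile currently applied to the segment, turn DHCP snooping off, refuse to continue if no other discovery method would remain (step 3), and produce the binding map that attaches the new profile to the segment (step 4). `EXISTING_PROFILE` is a constructed sample of what a GET on an IP discovery profile returns; the URIs and field names follow the NSX-T 3.x Policy API and the binding-map ID `<profile>-binding` is this example's own choice, so verify both against your release before sending.

```python
"""Added example (not VMware code): build the NSX-T Policy API payloads for the
workaround. Clones an IP discovery profile with DHCP snooping disabled, checks
that another discovery method is still enabled, and emits the segment binding.
EXISTING_PROFILE is a constructed sample; URIs assume the NSX-T 3.x Policy API."""
import copy
import json

# Constructed sample of GET /policy/api/v1/infra/ip-discovery-profiles/{id}
# for the profile currently applied to the segment (assumption, not a real export).
EXISTING_PROFILE = {
    "resource_type": "IPDiscoveryProfile",
    "display_name": "default-ip-discovery-profile",
    "id": "default-ip-discovery-profile",
    "_revision": 3,
    "ip_v4_discovery_options": {
        "arp_snooping_config": {"arp_snooping_enabled": True, "arp_binding_limit": 1},
        "dhcp_snooping_enabled": True,
        "vmtools_enabled": True,
    },
    "ip_v6_discovery_options": {
        "nd_snooping_config": {"nd_snooping_enabled": False, "nd_snooping_limit": 3},
        "dhcp_snooping_v6_enabled": False,
        "vmtools_v6_enabled": False,
    },
    "tofu_enabled": True,
    "duplicate_ip_detection": {"duplicate_ip_detection_enabled": False},
}

# Fields NSX Manager owns; they must not be echoed back in a PATCH body.
SERVER_MANAGED = ("id", "path", "_revision", "_create_time", "_last_modified_time",
                  "_system_owned", "_protection")


def remaining_methods(profile: dict) -> list:
    """Names of the IP discovery methods still enabled in a profile."""
    v4 = profile.get("ip_v4_discovery_options", {})
    v6 = profile.get("ip_v6_discovery_options", {})
    enabled = []
    if v4.get("arp_snooping_config", {}).get("arp_snooping_enabled"):
        enabled.append("arp_snooping")
    if v4.get("dhcp_snooping_enabled"):
        enabled.append("dhcp_snooping")
    if v4.get("vmtools_enabled"):
        enabled.append("vmtools")
    if v6.get("nd_snooping_config", {}).get("nd_snooping_enabled"):
        enabled.append("nd_snooping")
    if v6.get("dhcp_snooping_v6_enabled"):
        enabled.append("dhcp_snooping_v6")
    if v6.get("vmtools_v6_enabled"):
        enabled.append("vmtools_v6")
    return enabled


def build_workaround(existing: dict, new_profile_id: str, segment_id: str) -> dict:
    """Steps 1-4 of the workaround as API payloads; raises if step 3 would be violated."""
    # Step 1: copy every field of the existing profile, minus server-managed ones.
    profile = copy.deepcopy(existing)
    for key in SERVER_MANAGED:
        profile.pop(key, None)
    profile["display_name"] = new_profile_id
    # Step 2: disable DHCPv4 snooping (the DHCPv6 toggle is separate and left as-is).
    profile["ip_v4_discovery_options"]["dhcp_snooping_enabled"] = False
    # Step 3: never produce a profile that learns no addresses at all.
    left = remaining_methods(profile)
    if not left:
        raise ValueError("no IP discovery method would remain enabled; "
                         "enable ARP snooping or VMware Tools discovery first")
    # Step 4: binding map attaching the new profile to the segment.
    binding = {
        "resource_type": "SegmentDiscoveryProfileBindingMap",
        "ip_discovery_profile_path": f"/infra/ip-discovery-profiles/{new_profile_id}",
    }
    base = "/policy/api/v1/infra"
    requests = [  # (method, URI, body) in the order to send them to NSX Manager
        ("PATCH", f"{base}/ip-discovery-profiles/{new_profile_id}", profile),
        ("PATCH", f"{base}/segments/{segment_id}/segment-discovery-profile-binding-maps/"
                  f"{new_profile_id}-binding", binding),
    ]
    return {"profile": profile, "binding": binding,
            "remaining_methods": left, "requests": requests}


if __name__ == "__main__":
    result = build_workaround(EXISTING_PROFILE, "dhcp-server-seg-no-dhcp-snoop", "dhcp-server-seg")
    print("discovery methods still enabled:", result["remaining_methods"])
    for method, uri, body in result["requests"]:
        print(method, uri)
        print(json.dumps(body, indent=2))
```

To target only a few VM ports instead of the whole segment, the same profile body is used and the binding map is created under the segment port path rather than the segment; the guard in step 3 applies either way.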