NSX-T is generating a large number of DHCPACK WARNING messages related to DHCP on the ESXi host.

Article ID: 312975

Products

VMware NSX

Issue/Introduction

You are troubleshooting an excessive logging issue on ESXi hosts and find a large number of WARNING messages relating to DHCP in the logs. The DHCP servers are connected to an NSX-T backed segment.

In the vmkernalwarning.log on the affected ESXi host, the following warning messages appear:

2023-04-28T00:45:29.526Z cpu74:15496437)WARNING: swsec.throttle: SwSecDhcpParse:348: [nsx@6876 comp="nsx-esx" subcomp="swsec-1###2397"]Filter 0x800003e No lease time option in DHCPACK
2023-04-28T00:45:29.526Z cpu74:15496437)WARNING: swsec.throttle: SwSecDhcpParse:348: [nsx@6876 comp="nsx-esx" subcomp="swsec-1###32397"]Filter 0x800003e No lease time option in DHCPACK
2023-04-28T00:45:29.526Z cpu74:15496437)WARNING: swsec.throttle: SwSecDhcpParse:348: [nsx@6876 comp="nsx-esx" subcomp="swsec-1###2397"]Filter 0x800003e No lease time option in DHCPACK.

The warning appears because the DHCPACK does not contain the lease time option that the parser expects.

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
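The following triage helper is an added example, not part of this article or of the NSX product: it parses the swsec.throttle warnings in the format shown above and groups them by switch-security filter, so the noise can be tied to particular filters before the workaround is applied. The sample log lines are constructed for the example (the filter id 0x800003e comes from the excerpt above; 0x8000042 and the unrelated line are made up).

```python
"""Group the SwSecDhcpParse warnings by switch-security filter.
Sample lines are constructed in the same format as the KB excerpt."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ts>\S+) cpu\d+:\d+\)WARNING: swsec\.throttle: SwSecDhcpParse:\d+: '
    r'\[nsx@6876 comp="nsx-esx" subcomp="(?P<subcomp>[^"]+)"\]'
    r'Filter (?P<filter>0x[0-9a-fA-F]+) (?P<msg>.+?)\.?$'
)

# Constructed sample log (filter 0x800003e is from the article; the rest is made up).
SAMPLE_LOG = """\
2023-04-28T00:45:29.526Z cpu74:15496437)WARNING: swsec.throttle: SwSecDhcpParse:348: [nsx@6876 comp="nsx-esx" subcomp="swsec-1###2397"]Filter 0x800003e No lease time option in DHCPACK
2023-04-28T00:45:29.526Z cpu74:15496437)WARNING: swsec.throttle: SwSecDhcpParse:348: [nsx@6876 comp="nsx-esx" subcomp="swsec-1###2397"]Filter 0x800003e No lease time option in DHCPACK.
2023-04-28T00:45:31.002Z cpu12:15496437)WARNING: swsec.throttle: SwSecDhcpParse:348: [nsx@6876 comp="nsx-esx" subcomp="swsec-1###2397"]Filter 0x8000042 No lease time option in DHCPACK
2023-04-28T00:45:31.118Z cpu12:15496437)WARNING: swsec.throttle: SwSecDhcpParse:348: [nsx@6876 comp="nsx-esx" subcomp="swsec-1###2397"]Filter 0x800003e No lease time option in DHCPACK
2023-04-28T00:45:32.000Z cpu3:1234)WARNING: example.other: unrelated warning (constructed)
"""


def summarize(lines):
    """Return ({filter: {count, first, last, messages}}, number_of_unrelated_lines).

    Timestamps are taken in file order, so 'first'/'last' give the span of the burst.
    """
    per_filter = defaultdict(lambda: {"count": 0, "first": None, "last": None, "messages": set()})
    unmatched = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unmatched += 1          # not a SwSecDhcpParse warning; ignore it
            continue
        entry = per_filter[m["filter"]]
        entry["count"] += 1
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
        entry["messages"].add(m["msg"])
    return dict(per_filter), unmatched


if __name__ == "__main__":
    summary, skipped = summarize(SAMPLE_LOG.splitlines())
    for filt, entry in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{filt}: {entry['count']} warnings, {entry['first']} .. {entry['last']}, {sorted(entry['messages'])}")
    print(f"{skipped} unrelated line(s) skipped")
```

Run it against the real file (for example `summarize(open(path).readlines())`) to see which filters generate the bulk of the warnings; a filter with a high count identifies the segment or port where DHCP snooping parses the most DHCPINFORM traffic.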

Environment

VMware NSX-T Data Center

Cause

The root cause of this issue is that the DHCPINFORM message type, added in RFC 2131, is not taken into account by the NSX switch-security DHCP parser. A DHCPACK sent in reply to a DHCPINFORM legitimately carries no lease time option, so the parser logs a warning for a packet that is valid.
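To make the cause concrete, here is an added example (not NSX code, not from this article) of a minimal DHCP option parser that handles the case the switch-security parser misses: it remembers the client's message type per transaction id, so a DHCPACK answering a DHCPINFORM is accepted without a lease time, while an ACK to a DHCPREQUEST that lacks option 51 is still flagged. The packets are constructed in the script; the MAC address and IP addresses are made up.

```python
"""Stateful DHCPACK check that applies the RFC 2131 DHCPINFORM rule.
All packets below are constructed for the example."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_END = 0, 51, 53, 255
DHCPREQUEST, DHCPACK, DHCPINFORM = 3, 5, 8
BOOTREQUEST, BOOTREPLY = 1, 2


def build_dhcp(op, xid, ciaddr, yiaddr, options):
    """Build a BOOTP/DHCP message (fixed 236-byte header, cookie, options, END)."""
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)   # op, htype, hlen, hops, xid, secs, flags
    fixed += ciaddr + yiaddr + b"\0" * 8                      # ciaddr, yiaddr, siaddr, giaddr
    fixed += b"\x00\x50\x56\xaa\xbb\xcc" + b"\0" * 10         # chaddr (made-up MAC) padded to 16
    fixed += b"\0" * 192                                      # sname (64) + file (128)
    body = MAGIC_COOKIE
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return fixed + body + bytes([OPT_END])


def parse_options(packet):
    """Return {option_code: value} for the options area, with bounds checks."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


class DhcpSnooper:
    """Tracks client message types by xid so ACKs can be judged in context."""

    def __init__(self):
        self.pending = {}   # xid -> client message type

    def observe(self, packet):
        xid = struct.unpack("!I", packet[4:8])[0]
        opts = parse_options(packet)
        mtype = (opts.get(OPT_MSG_TYPE) or b"\0")[0]
        if mtype in (DHCPREQUEST, DHCPINFORM):
            self.pending[xid] = mtype
            return None
        if mtype != DHCPACK:
            return None
        request = self.pending.pop(xid, None)
        if OPT_LEASE_TIME in opts:
            lease = struct.unpack("!I", opts[OPT_LEASE_TIME])[0]
            return ("binding", socket.inet_ntoa(packet[16:20]), lease)   # yiaddr + lease
        if request == DHCPINFORM:
            # RFC 2131 section 4.3.5: the server MUST NOT send a lease time here
            return ("inform-ack", socket.inet_ntoa(packet[12:16]), None)  # ciaddr
        return ("warning", "No lease time option in DHCPACK", None)


def demo():
    """A REQUEST/ACK exchange, an INFORM/ACK exchange, and a genuinely odd ACK."""
    ip, zero = socket.inet_aton, b"\0" * 4
    snooper = DhcpSnooper()
    stream = [
        build_dhcp(BOOTREQUEST, 0x1001, zero, zero, [(OPT_MSG_TYPE, bytes([DHCPREQUEST]))]),
        build_dhcp(BOOTREPLY, 0x1001, zero, ip("10.10.1.20"),
                   [(OPT_MSG_TYPE, bytes([DHCPACK])), (OPT_LEASE_TIME, struct.pack("!I", 86400))]),
        build_dhcp(BOOTREQUEST, 0x1002, ip("10.10.1.20"), zero, [(OPT_MSG_TYPE, bytes([DHCPINFORM]))]),
        build_dhcp(BOOTREPLY, 0x1002, ip("10.10.1.20"), zero, [(OPT_MSG_TYPE, bytes([DHCPACK]))]),
        build_dhcp(BOOTREPLY, 0x1003, zero, ip("10.10.1.21"), [(OPT_MSG_TYPE, bytes([DHCPACK]))]),
    ]
    return [r for r in (snooper.observe(p) for p in stream) if r is not None]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third ACK has no matching request and no lease time, so it is still reported; only the ACK that answers a DHCPINFORM is accepted silently. A parser that looks at the ACK alone, as the article describes, cannot tell these two cases apart.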

Resolution

Currently, there is no resolution.

Workaround:
To work around the issue, disable DHCP snooping as the IP discovery method by applying the following settings:

  • Create a custom IP discovery profile that has every field the same as the existing profile.
  • Disable DHCP snooping in the new profile.
  • Make sure some IP discovery method is still enabled, for example ARP snooping or VMware Tools.
  • Apply the new profile to the logical segment that is served by the DHCP server.

If only a small number of VMs use this configuration, the custom IP discovery profile can be applied to the switch ports of those VMs. Otherwise, a custom IP discovery profile with DHCP snooping disabled needs to be applied to the logical segment.

With the above workaround, DHCP packets will no longer be parsed by NSX switch-security. IP discovery can be based on ARP snooping or VMware Tools but will no longer use DHCP.
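The following script is an added example, not part of this article or of VMware's tooling, that prepares the two request bodies the workaround steps above need: a copy of the existing IP discovery profile with DHCP snooping turned off, checked so that at least one other IPv4 discovery method stays enabled, and the binding map that attaches it to the segment. It assumes the NSX Policy API field names for IPDiscoveryProfile and SegmentDiscoveryProfileBindingMap and the endpoint paths given in the comments (verify them against the API guide for your release); the sample profile is a constructed stand-in for the GET response, and the new profile id is hypothetical. No network calls are made.

```python
"""Prepare the custom IP discovery profile for the DHCP snooping workaround.
Field names assume the NSX Policy API IPDiscoveryProfile schema; verify for your release."""
import copy
import json

# Constructed stand-in for GET /policy/api/v1/infra/ip-discovery-profiles/<id>
EXISTING_PROFILE = {
    "id": "default-ip-discovery-profile",
    "display_name": "default-ip-discovery-profile",
    "path": "/infra/ip-discovery-profiles/default-ip-discovery-profile",
    "resource_type": "IPDiscoveryProfile",
    "_revision": 4,
    "arp_nd_binding_timeout": 10,
    "tofu_enabled": True,
    "duplicate_ip_detection": {"duplicate_ip_detection_enabled": False},
    "ip_v4_discovery_options": {
        "arp_snooping_config": {"arp_snooping_enabled": True, "arp_binding_limit": 1},
        "dhcp_snooping_enabled": True,
        "vmtools_enabled": True,
    },
    "ip_v6_discovery_options": {
        "nd_snooping_config": {"nd_snooping_enabled": False, "nd_snooping_limit": 3},
        "dhcp_snooping_v6_enabled": False,
        "vmtools_v6_enabled": False,
    },
}

# Server-managed keys that must not be sent back when creating a new object.
SERVER_MANAGED_KEYS = ("id", "path", "relative_path", "parent_path", "unique_id",
                       "realization_id", "_revision", "_create_time", "_create_user",
                       "_last_modified_time", "_last_modified_user", "_system_owned",
                       "_protection")


def clone_without_dhcp_snooping(existing, display_name):
    """Step 1 and 2: copy every field of the existing profile, then turn off IPv4 DHCP snooping."""
    profile = copy.deepcopy(existing)
    for key in SERVER_MANAGED_KEYS:
        profile.pop(key, None)
    profile["display_name"] = display_name
    profile.setdefault("ip_v4_discovery_options", {})["dhcp_snooping_enabled"] = False
    return profile


def enabled_ipv4_methods(profile):
    """Which IPv4 discovery methods the profile still uses."""
    v4 = profile.get("ip_v4_discovery_options", {})
    methods = []
    if v4.get("arp_snooping_config", {}).get("arp_snooping_enabled"):
        methods.append("arp_snooping")
    if v4.get("dhcp_snooping_enabled"):
        methods.append("dhcp_snooping")
    if v4.get("vmtools_enabled"):
        methods.append("vmtools")
    return methods


def workaround_problems(profile):
    """Step 3: list why the profile does not satisfy the workaround (empty list if it does)."""
    methods = enabled_ipv4_methods(profile)
    problems = []
    if "dhcp_snooping" in methods:
        problems.append("DHCP snooping is still enabled")
    if not [m for m in methods if m != "dhcp_snooping"]:
        problems.append("no other IPv4 discovery method (ARP snooping or VMtools) is enabled")
    return problems


def binding_map_body(profile_id):
    """Step 4: body for PATCH /policy/api/v1/infra/segments/<segment-id>/segment-discovery-profile-binding-maps/<map-id>
    (assumed endpoint; the per-port variant lives under /segments/<segment-id>/ports/<port-id>/)."""
    return {
        "resource_type": "SegmentDiscoveryProfileBindingMap",
        "ip_discovery_profile_path": f"/infra/ip-discovery-profiles/{profile_id}",
    }


if __name__ == "__main__":
    new_id = "ip-discovery-no-dhcp-snooping"     # hypothetical id for the new profile
    body = clone_without_dhcp_snooping(EXISTING_PROFILE, new_id)
    problems = workaround_problems(body)
    if problems:
        raise SystemExit("profile rejected: " + "; ".join(problems))
    print(f"PATCH /policy/api/v1/infra/ip-discovery-profiles/{new_id}")
    print(json.dumps(body, indent=2))
    print(json.dumps(binding_map_body(new_id), indent=2))
```

Only the IPv4 DHCP snooping flag is changed, because the warning concerns DHCPACK on IPv4; the IPv6 options are copied unchanged. The `workaround_problems` check enforces the third step before anything is sent, so a profile that would leave the segment with no IP discovery method at all is rejected.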

Additional Information

The affected product versions are:
ESXi versions: 7.0U3
NSX-T versions: 3.2.0.1

Impact/Risks:
These are warning messages only and have no operational impact on your environment.
The impact of the workaround is that DHCP snooping will no longer be used for IP discovery.