VMware NSX Virtual Machine on Vlan segment loses connectivity intermittently with IDPS rules enabled.

Article ID: 313085

Products

VMware NSX

Issue/Introduction

Symptoms:

  • NSX-T 3.1.x is installed
  • At the time of the issue, network connectivity to the virtual machines (VMs) on VLAN segments is lost. Intermittent packet drops are also observed while pinging a VLAN segment VM from a VM residing on a DVPG (outside of NSX).
  • In the output of the 'vsipioctl getdpiinfo -s' command, the *packets_freed_in_error* value increases when the IDPS is oversubscribed.
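The counter check from the last symptom, written out as an added example (not part of this article): it parses two captures of 'vsipioctl getdpiinfo -s' taken some time apart and reports whether packets_freed_in_error is climbing. The exact layout of the command output is assumed (key: value lines); only the counter name comes from the article, and the sample captures are constructed.

```python
import re
import subprocess
from typing import Optional

COUNTER = "packets_freed_in_error"  # counter named in the KB article


def parse_counter(output: str, name: str = COUNTER) -> Optional[int]:
    """Return the integer that follows the named counter in the output, or None if absent.
    The match is tolerant of separators (':', '=', spaces) because the exact layout is assumed."""
    match = re.search(rf"{re.escape(name)}\D*?(\d+)", output)
    return int(match.group(1)) if match else None


def counter_delta(before: str, after: str, name: str = COUNTER) -> Optional[int]:
    """Increase of the counter between two captures; None if either capture lacks it."""
    first, second = parse_counter(before, name), parse_counter(after, name)
    if first is None or second is None:
        return None
    return second - first


def idps_oversubscribed(before: str, after: str, threshold: int = 0) -> bool:
    """True when the error counter grew by more than 'threshold' between captures."""
    delta = counter_delta(before, after)
    return delta is not None and delta > threshold


def capture() -> str:
    """Run the command on the ESXi host (assumes vsipioctl is on PATH); not used offline."""
    return subprocess.run(["vsipioctl", "getdpiinfo", "-s"],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample captures; the field layout is an assumption, the values are made up.
SAMPLE_BEFORE = "DPI stats:\n  packets_processed: 120394\n  packets_freed_in_error: 17\n"
SAMPLE_AFTER = "DPI stats:\n  packets_processed: 131002\n  packets_freed_in_error: 452\n"

if __name__ == "__main__":
    growth = counter_delta(SAMPLE_BEFORE, SAMPLE_AFTER)
    print(f"{COUNTER} grew by {growth}; oversubscribed: "
          f"{idps_oversubscribed(SAMPLE_BEFORE, SAMPLE_AFTER)}")
```

On a live host, replace the two samples with two calls to capture() separated by a sleep; a steadily growing delta while VLAN segment VMs drop pings matches the symptom described above.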



Environment

VMware NSX-T Data Center 3.x
VMware NSX-T Data Center
VMware NSX-T

Cause

The IDPS is oversubscribed on the host because the IDPS rules use any/any/any for the source, destination and port parameters. This redirects all traffic from the affected VMs to the IDPS service and can cause network and CPU bottlenecks in the dvFilter channel (when packets are punted from the datapath to the IDPS engine). The CPU bottleneck arises because CPU cores cannot be reserved for the IDPS engine.

Resolution

This is a known issue impacting VMware NSX.

Workaround:
  • Review the existing IDPS and DFW policy, and provide recommendations on IDPS policy design based on the existing DFW policy (if any) and the security requirements: a more granular IDPS policy using source/destination groups, the Applied To field, and rule directionality where suitable.
  • Define signature profiles based on workload requirements, and define the implementation path for these requirements.
  • Revert the IDPS rules to detect-and-prevent from detect-only.


Additional Information

Impact/Risks:
Packets get dropped intermittently over the network.