VMware NSX Virtual Machine on Vlan segment loses connectivity intermittently with IDPS rules enabled.
search cancel

VMware NSX Virtual Machine on Vlan segment loses connectivity intermittently with IDPS rules enabled.

book

Article ID: 313085

calendar_today

Updated On:

Products

VMware NSX Networking VMware NSX

Issue/Introduction

Symptoms:

  • NSX-T 3.1.x is installed
  • At the time of the issue, network connectivity to the virtual machines (VM) on VLAN segments is lost. Intermittent packet drops are also observed while pinging the VLAN segment VM from VM residing on DVPG(outside of NSX)
  • In the output of 'vsipioctl getdpiinfo -s' command, the *packets_freed_in_error* value will increase when the IDPS is oversubscribed.



Environment

VMware NSX-T Data Center 3.x
VMware NSX-T Data Center
VMware NSX-T

Cause

The IDPS is oversubscribed on the host the any–any–any for the src/dst/port parameters in the IDPS rules. This leads to all traffic from the concerned VMs being redirected to the IDPS service and potentially causes network / CPU bottlenecks in the dvFilter channel (when packets are punted from DP to the IDPS engine). CPU resource bottleneck is because we cannot reserver CPU cores for the IDPS engine.

Resolution

This is a known issue impacting VMware NSX.

Workaround:
  • Review existing IDPS and DFW policy; provide recommendations on IDPS policy design based on existing DFW policy (if any) and security requirements with more granular IDPS policy using SRC/DST groups, applied to field and directionality of rules if suitable.
  • Define signature profiles based on workload requirements and define the path of implementation for these requirements.
  • Revert the IDPS rules to detect and prevent from detect only.


Additional Information

Impact/Risks:
Packets get dropped intermittently over the network.