Guest Introspection driver (vnetWFP) with VMware Tools 12.0 out of box will not intercept ICMP network traffic
Article ID: 313795
Updated On:
Products
VMware vSphere ESXi
VMware Desktop Hypervisor
Issue/Introduction
Symptoms:
After VMware Tools upgrade to 12.x ,NSX IDFW rules configured for ICMP may not work on guest virtual machine installed with VMware Tools 12.x unless ICMP registry settings are explicitly enabled.
After VMware Tools upgrade to 12.x ,NSX IDFW rules configured for ICMP may not work on guest virtual machine installed with VMware Tools 12.x unless ICMP registry settings are explicitly enabled.
Environment
VMware Tools 12.x
Cause
Guest Introspection driver (required for NSX IDFW) by default from Tools 12.0 would not intercept ICMP network traffic.
Due to intermittent packet drop issue seen with usage of Microsoft WFP packet injection API, ICMP packet interception has been disabled by default on VM Tools 12.x.
For more details on packet drop issue, see Network timeouts or packet drops with VMware Tools 11.x with Guest Introspection Driver (79185)
Due to intermittent packet drop issue seen with usage of Microsoft WFP packet injection API, ICMP packet interception has been disabled by default on VM Tools 12.x.
For more details on packet drop issue, see Network timeouts or packet drops with VMware Tools 11.x with Guest Introspection Driver (79185)
Resolution
Currently there is no resolution.
Workaround:
While the Fix is being worked on, please follow the below steps to workaround the issue:
With VMware Tools 11.2.6, following registry setting can be used to enable/disable the ICMP/UDP protocol support for the GI :
- Click Start > Run, type regedit, and click OK. The Registry Editor window opens.
- Create the following key using the registry editor:
HKEY_LOCAL_Machine\SYSTEM\CurrentControlSet\services\vnetwfp\parameters
- Create a DWORD value, named ksam_otorp, under the newly created parameters key:
Note: Ensure that Hexadecimal is selected when putting in these values. The ‘0x’ means hexadecimal, you should not enter ‘0x’ while adding the values in the registry. Selecting hexadecimal is enough.
Possible Values for ksam_otorp:
0x400 - To enable filtering of UDP messages, disable ICMP
0x800 - To enable filtering of ICMP messages, disable UDP
0xC00 - To enable filtering of ICMP and UDP messages
0x0 - To disable filtering of both ICMP and UDP messages
Note : TCP filtering is always enabled and cannot be controlled by registry settings.
Possible Values for ksam_otorp:
0x400 - To enable filtering of UDP messages, disable ICMP
0x800 - To enable filtering of ICMP messages, disable UDP
0xC00 - To enable filtering of ICMP and UDP messages
0x0 - To disable filtering of both ICMP and UDP messages
Note : TCP filtering is always enabled and cannot be controlled by registry settings.
- With VMware Tools 12.x, the key can be deleted to get the default behavior (i.e. only ICMP protocol disabled).
Note: The 'parameter' key will be deleted during a VMware Tools upgrade.
Feedback
Yes
No
Powered by
