• You are using NSX for vSphere
• After redeployment of ESG, backend servers are unavailable
• Disabling and enabling the edge firewall re-establishes the connection
• ESG uplink interface has multiple primary IPs
• Checking vshield_edge_flow_table in the edge logs you can see the SYN_RECV reply from the backend server reaching the ESG:

• In a working environment we expect to see the connection ESTABLISHED as per the below example:

• The expected packet flow is as follows:
  • Ingress to ESG > DNAT > To DST > From DST > SNAT > Egress ESG
• Witnessed packet flow:
  • Ingress to ESG > DNAT > To DST > From DST > SNAT 

• Packet capturing on the uplink interface of the ESG you can see ARP requests.

NOTE: The preceding log excerpts are only examples. Date, time and environmental variables may vary depending on your environment.

NSX for vSphere 6.4.x

• This issue is due to the return packet not exiting the ESG uplink interface via correct primary address
• Capturing on the uplink interface of the ESG you can see ARP requests
  • The ARP is for one of the primary IP addresses of the uplink interface, however as it is on a different subnet to the default gateway the traffic is dropped
• The pick of the src IP address in the arp request is random. In this instance it picked the incorrect primary IP
  • To confirm this run the below GET API on the edge:
    • GET /api/4.0/edges/{edgeId}/systemcontrol/config

• • • The expected response is below(announce=0):

• After disabling and re-enabling firewall the correct src IP address is selected so connectivity is restored

• Use the below API to change the values of sysctl to 1 which requires the ARP source address must be part of target network.

• The API call persists after upgrade, reboot and shutdown.

NOTE: You can use the following KB article to configure the Postman API client for use with the NSX manager - Configure POSTMAN for REST API Calls with NSX-V