When IDPS/IDS is enabled, traffic experiences latency and packet drops
Article ID: 317180
Updated On:
Products
VMware vDefend Firewall
Issue/Introduction
IDPS/IDS enabled even in detection-only mode
IDS/IDPS is enabled on an src:Any dst:Any prot:Any rule
Traffic experiences latency and packet drops
On the ESXi host, /var/run/log/vmkernel.log indicates that the idps service is crashing:
2022-06-01T22:25:14.510Z cpu5:8477707)UserDump: 2635: W#04: Dumping cartel 8477657 (from world 8477707) to file /var/core/nsx-idps-zdump.003
Environment
VMware NSX-T Data Center 3.x
Cause
When a src:Any dst:Any prot:Any rule is created for IDPS, all traffic is sent through the IDPS service. In a busy environment, this can exhaust the memory pool available to the IDPS service running on the ESXi host. As a result, the service crashes and restarts, and traffic is dropped while it is down.
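The crash-and-restart cycle described above leaves a trail of UserDump lines in vmkernel.log. The following script is an added example (not part of this article or of the NSX product) that parses such lines and flags a restart loop; the sample log is constructed, with only the first UserDump line taken from the article, and the window and threshold values are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed vmkernel.log excerpt. The first UserDump line is the one quoted in
# the article; the remaining lines are made up to simulate repeated idps crashes
# plus one unrelated core dump that must be ignored.
SAMPLE_LOG = """\
2022-06-01T22:20:03.101Z cpu2:2097845)NetPort: 1580: enabled port 0x4000012
2022-06-01T22:25:14.510Z cpu5:8477707)UserDump: 2635: W#04: Dumping cartel 8477657 (from world 8477707) to file /var/core/nsx-idps-zdump.003
2022-06-01T22:31:40.220Z cpu1:8480112)UserDump: 2635: W#04: Dumping cartel 8480090 (from world 8480112) to file /var/core/nsx-idps-zdump.004
2022-06-01T22:38:02.774Z cpu7:8483301)UserDump: 2635: W#04: Dumping cartel 8483280 (from world 8483301) to file /var/core/nsx-idps-zdump.005
2022-06-01T22:40:00.000Z cpu0:2097152)UserDump: 2635: W#04: Dumping cartel 2097100 (from world 2097152) to file /var/core/other-zdump.000
"""

# Matches the UserDump line layout shown in the article.
DUMP_RE = re.compile(
    r"^(?P<ts>\S+Z) cpu\d+:\d+\)UserDump: \d+: W#\d+: Dumping cartel (?P<cartel>\d+) "
    r"\(from world (?P<world>\d+)\) to file (?P<path>\S+)$"
)


def parse_idps_dumps(log_text):
    """Return one record per IDPS core dump (nsx-idps-zdump.*) found in the log."""
    events = []
    for line in log_text.splitlines():
        m = DUMP_RE.match(line)
        if not m or "nsx-idps-zdump" not in m.group("path"):
            continue
        events.append({
            "time": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ"),
            "cartel": int(m.group("cartel")),
            "world": int(m.group("world")),
            "path": m.group("path"),
        })
    return events


def is_crash_loop(events, window=timedelta(minutes=30), threshold=3):
    """True if at least `threshold` IDPS dumps fall inside any span of `window`."""
    times = sorted(e["time"] for e in events)
    for i in range(len(times)):
        j = i
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        if j - i >= threshold:
            return True
    return False


if __name__ == "__main__":
    dumps = parse_idps_dumps(SAMPLE_LOG)
    for d in dumps:
        print(d["time"], "cartel", d["cartel"], "->", d["path"])
    print("IDPS crash loop:", is_crash_loop(dumps))
```

On a real host, feed the script /var/run/log/vmkernel.log (or the rotated copies) instead of the constructed sample.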
Resolution
This is a known issue affecting NSX-T Data Center; there is currently no resolution.
Workaround: Remove the Any/Any rule and replace it with specific rules targeted at the traffic flows that need to be inspected.