After NSX-V to NSX-T Migration, Virtual Machines lose network connectivity after vMotioning to a new NSX prepared host.
search cancel

After NSX-V to NSX-T Migration, Virtual Machines lose network connectivity after vMotioning to a new NSX prepared host.

book

Article ID: 317206

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

This KB is intended to explain the cause of the symptom and provide a resolution.

Virtual Machines lose network connectivity after being migrated to a different NSX-T prepared host.

Log messages similar to the following are found in vmkernel.log:

2023-06-01T03:07:49.146Z cpu80:2098122)Restore state called for filter nic-256218306-eth0-vmware-sfw.2
2023-06-01T03:07:49.146Z cpu80:2098122)Sending message to cfgAgent to raising alarm for filter import failure
2023-06-01T03:07:49.146Z cpu80:2098122)unsupported version: 5

 

 

Environment

VMware NSX-T Data Center
VMware NSX 4.1.0
VMware NSX 4.0.0.1
VMware NSX-T Data Center 3.x

Cause

Beginning in NSX-T 3.2, filter export versions less than 1000 are not supported during migration.  See Configure Export Version of Distributed Firewall Filter on Hosts  for explicit details.

Resolution

For each host, complete the following steps.

  • Log into the command-line interface.
  • Retrieve the Distributed Firewall filter for the host.

[root@esxi:~] vsipioctl getfilters | grep "Filter Name" | grep "sfw.2"

name: nic-2112467-eth0-vmware-sfw.2
name: nic-2112467-eth1-vmware-sfw.2
name: nic-2112467-eth2-vmware-sfw.2

  • Use the filter information to retrieve the export version for the host.

[root@esxi:~] vsipioctl getexportversion -f nic-2112467-eth0-vmware-sfw.2
Current export version: 500
 

  • If the version is not 1000, set the export version by using any one of the following methods:
  • Method 1: Run the vsipioctl setexportversion command.

root@esxi:~] vsipioctl setexportversion -f nic-2112467-eth0-vmware-sfw.2 -e 1000

  • Method 2: Disable and then enable Distributed Firewall on the cluster.

    In the vSphere Client, navigate to Networking and Security > Installation and Upgrade > Host Preparation. Select the cluster and click Actions > Disable Firewall. After the firewall is disabled, click Actions > Enable Firewall.

  • Verify that the export version is updated

[root@esxi:~] vsipioctl getexportversion -f nic-2#####7-eth0-vmware-sfw.2
Current export version: 1000

Workaround:
A temporary workaround can be performed by disconnecting the VM from the NSX network, connecting it to a non-NSX network, and returning the VM to the NSX network

Additional Information

Configure Export Version of Distributed Firewall Filter on Hosts

Impact/Risks:
After migration, VMs will have no network connectivity until their networks are disconnected and reconnected.

Powered by Wolken Software