Multiple DFW IPFIX issues including no destination port in vRNI raw flows after NSX-T upgrade to 3.2
search cancel

Multiple DFW IPFIX issues including no destination port in vRNI raw flows after NSX-T upgrade to 3.2

book

Article ID: 317772

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

  • In vRNI collected data flows from NSX contain an empty destination TCP/UDP port number.
  • In NSX-T manager logs, the destination transport port is set to false under “IpfixDfwConfig”

               $ grep -A 3 IpfixD desired_state_manager.json
               "resource_type": "IpfixDfwConfig",
               "template_parameters": {
               "destination_address": true,
               "destination_transport_port": false,

  • Duplicate IPFIX profiles may get created after upgrading to 3.2 under NSX-T Manager View.
  • Manually modified IPFIX profile in the NSX-T UI remains in “in-Progress” status.

Environment

VMware NSX-T Data Center

Cause

When upgrading from 3.x  to 3.2.x, the upgrade process does not convert DFW IPFIX correctly.

Resolution

This issue is resolved in VMware NSX 3.2.2, available at Broadcom downloads.
If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB

Workaround:

vRNI customers:

  • Disable DFW for NSX monitor in vRNI
  • Wait for at least 2 hours before re-enable it in vRNI to ensure IPFIX profiles are removed completely. 
  • Re-enable DFW monitor in vRNI. 

For non-vRNI customers:

Delete all existing IPFIX profiles then create new DFW IPFIX profiles just like the previous one, destination_transport_port in the new profile will automatically be set to ’True’. 



Steps:
  • Delete DFW IPFIX Profiles in the Policy UI.  If the operation is not allowed by the UI,  user can use API to delete each profiles:
  • DELETE API /api/v1/ipfix/configs/<uuid>   Include  -H "X-Allow-Overwrite: true" in the API header. 



Additional Information

Impact/Risks:

  • Incomplete IPFIX data collection. Destination port should always be included as the first field of the TCP or UDP segment header for vRNI to identity unique applications.
  • An IPFIX profile applied to multiple segments before the upgrade will be duplicated to multiple profiles with the same prefix name in manager UI view, and each profile applies to only one segment.
  • Any attempt to change IPFIX profile via NSX-T policy UI will cause the IPFIX policy remain in “in-Progress” status.

Powered by Wolken Software