"Challenge ack" is not supported on NSX-T Gateway Firewall
search cancel

"Challenge ack" is not supported on NSX-T Gateway Firewall

book

Article ID: 318298

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

  • The flow is being dropped by Gateway Firewall rule.

  • The rule dropping the packets is expected to allow the flow. (Example: Any / Any / Allow).

  • On the Edge where the Tier1 or Tier0 is active, the connection remains in SYN_SENT:SYN_SENT state:

    edge01> get firewall <SR Interface> connection | find <port>
    10.10.#.#:871 -> 172.20.#.#:2049 dir out protocol tcp state SYN_SENT:SYN_SENT f-20220 n-0
    If logging is enabled for a gateway firewall, gateway firewall packets will be logged.
    The log file is /var/log/firewallpkt.log. Please refer Gateway Firewall Packet Logs to know the meaning of each field.

  • Capturing the traffic the following pattern is seen:

    The source IP is sending SYN to initiate the traffic.

    19    2021-04-11 10:45:42.109087    10.10.#.#    172.20.#.#    TCP    2049    74    10.10.#.#    871 → 2049 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1794759560 TSecr=0 WS=128
         The destination is replying with an ack (Challenge ack).
       
         20    2021-04-11 14:45:42.109846    172.20.#.#    10.10.#.#    TCP    871    66    172.20.#.#    2049 → 871 [ACK] Seq=1 Ack=3494989085 Win=9344 Len=0 TSval=2614203417 TSecr=624590325
 
         
         These symptoms are not seen with NSX-T Distributed Firewall.

Environment

  • VMware NSX-T Data Center
  • VMware NSX-T Data Center 3.x

Cause

Protocols like NFS (Port 2049) will keep the session established on the server side. As soon as the client reach with a SYN matching the established session, the server will reply with an ACK.

As the NSX-T Edge doesn't support challenge ack mechanism the packet is dropped by the firewall which is expecting to see a 3-way handshake.

Resolution

This issue is resolved in NSX-T Data Center 3.1.3, see Download Broadcom products and software.

Workaround:
There are three possible workarounds:

  • Create a stateless section and two rules to match the flow in both directions.
  • By resetting the session on the server, a new TCP session will be established with a 3-way handshake.
  • Create an SNAT Rule to mask the source IP and force the firewall to init track of the session.



Powered by Wolken Software