In NSX-T the Tier-1 Gateway Firewall drops packets when default allow any any is configured for that traffic

Article ID: 318309

Products

VMware NSX

Issue/Introduction

1. Packets are dropped intermittently by the Gateway Firewall on the Tier-1 Gateway, even for identical flows with the same source and destination.
2. When the command "get firewall <interface UUID> interface stats" is executed a few seconds apart, the drop counters increase and flow cache misses are seen.
3. Traceflow indicates that the T1 Gateway Firewall drops the packet at the T1 uplink, matching the default Allow Any-Any rule.

Environment

VMware NSX-T Data Center
VMware NSX-T Data Center 3.x

Cause

Some firewall/NAT sessions remain in the session table after their session timer expires and become zombie sessions. If a new flow arrives with the same 5-tuple (source/destination IP, source/destination port, protocol), the edge firewall/NAT logic drops the packet. In the fixed versions of NSX-T, the code prevents the creation of firewall/NAT zombie sessions and adds a CLI enhancement to debug the issue.

Resolution

The resolution for this issue is to upgrade the environment to 3.1.3 or later.

Workaround:
As a workaround, add a stateless firewall rule above the existing rule for the affected traffic.

A stateless rule does not maintain any connection state, so the failed-expected-state condition that causes the drops cannot occur.
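The zombie-session collision described under Cause and the stateless workaround, as a simplified Python model added here (this is not NSX-T code; the session-table logic, the 30 s timeout and the sample 5-tuple are constructed assumptions):

```python
from dataclasses import dataclass

@dataclass
class Session:
    last_seen: float  # time of the last packet that matched this session

class GatewayFirewallModel:
    """Toy stateful session table (not NSX-T code). purge_expired=False reproduces
    the zombie-session defect; purge_expired=True models the fixed behaviour."""
    def __init__(self, timeout: float, purge_expired: bool):
        self.timeout = timeout
        self.purge_expired = purge_expired
        self.table: dict[tuple, Session] = {}  # keyed by constructed 5-tuple
        self.drops = 0
        self.flow_cache_misses = 0

    def handle(self, key: tuple, now: float, syn: bool) -> str:
        sess = self.table.get(key)
        if sess is not None and now - sess.last_seen > self.timeout:
            # Session timer expired: the fast-path flow cache no longer matches.
            self.flow_cache_misses += 1
            if self.purge_expired:
                del self.table[key]  # fixed code removes the expired entry
                sess = None
            # buggy code leaves the expired entry behind as a zombie session
        if sess is None:
            if not syn:
                self.drops += 1      # mid-stream packet with no session
                return "drop"
            self.table[key] = Session(now)
            return "allow"           # default allow any-any admits the new flow
        if syn:
            # A new connection colliding with the stale entry fails the expected
            # TCP state check and is dropped, even though the rule says allow.
            self.drops += 1
            return "drop"
        sess.last_seen = now
        return "allow"

    def handle_stateless(self, key: tuple) -> str:
        return "allow"  # workaround: stateless rule, no session lookup, no collision

def reproduce(purge_expired: bool) -> tuple:
    """One connection, a 60 s gap past the 30 s timeout, then 5-tuple reuse."""
    fw = GatewayFirewallModel(timeout=30, purge_expired=purge_expired)
    key = ("10.0.1.10", "10.0.2.20", 40000, 443, "tcp")  # constructed sample flow
    fw.handle(key, 0, syn=True)     # first connection is allowed
    fw.handle(key, 5, syn=False)    # mid-stream packet refreshes the session
    verdict = fw.handle(key, 65, syn=True)  # same 5-tuple reused for a new flow
    return verdict, fw.drops, fw.flow_cache_misses
```

Running `reproduce(False)` mirrors the symptom in the KB (drop counter and flow cache misses both rise for an allowed flow), while `reproduce(True)` shows the fixed behaviour admitting the reused 5-tuple.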

Additional Information

Impact/Risks:
The environment may experience an outage or slowness because traffic between tenants is dropped.