[VMC on AWS] Asymmetric traffic path may cause packet drops in a VMC SDDC
Article ID: 319762
Products
VMware Cloud on AWS
Issue/Introduction
This article provides information regarding stateful behavior of the NSX-T Distributed Firewall in an asymmetric routing environment.
Symptoms: When a 3rd party load balancer sets up an asymmetric traffic path (the request and response traffic use different network paths), the packets are dropped by the NSX-T Distributed Firewall and network performance may be degraded.
Cause
The Distributed Firewall (DFW) is a stateful firewall that runs on all SDDC hosts. Because the DFW is stateful, asymmetric traffic is dropped by default.
Resolution
After SDDC version 1.9, an option was added to make a section of the DFW rules stateless so that asymmetric traffic can go through.
1. Click the "Advanced Configuration" icon on the right side for the policy settings.
2. Disable "Stateful" and click APPLY.
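The behaviour described under Cause and Resolution can be seen in a simplified model. This is an added example, not VMware code and not a description of NSX-T internals: the `Firewall` class, the handshake table and the addresses are constructed for illustration. It compares the verdicts of an enforcement point that sees the whole TCP handshake with one that sees only one leg of it, in stateful and stateless mode.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"

# Handshake order a stateful tracker expects: (state before, flags) -> state after
TRANSITIONS = {(None, "SYN"): "SYN_SEEN",
               ("SYN_SEEN", "SYN-ACK"): "SYNACK_SEEN",
               ("SYNACK_SEEN", "ACK"): "ESTABLISHED",
               ("ESTABLISHED", "ACK"): "ESTABLISHED"}

@dataclass
class Firewall:  # hypothetical toy model of one enforcement point
    stateful: bool
    service_port: int = 443  # assumed allowed service
    table: dict = field(default_factory=dict)

    def inspect(self, p: Packet) -> str:
        # Rule check: the service port is allowed in either direction.
        if self.service_port not in (p.sport, p.dport):
            return "DROP"
        if not self.stateful:
            return "PASS"  # stateless: each packet judged on the rule alone
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        nxt = TRANSITIONS.get((self.table.get(key), p.flags))
        if nxt is None:
            return "DROP"  # packet does not fit the tracked connection state
        self.table[key] = nxt
        return "PASS"

def run(stateful, packets):
    """Return the verdict for each packet this enforcement point sees."""
    fw = Firewall(stateful=stateful)
    return [fw.inspect(p) for p in packets]

CLIENT, SERVER = "192.0.2.10", "198.51.100.20"  # constructed addresses
SYN = Packet(CLIENT, SERVER, 40000, 443, "SYN")
SYN_ACK = Packet(SERVER, CLIENT, 443, 40000, "SYN-ACK")
ACK = Packet(CLIENT, SERVER, 40000, 443, "ACK")
SYMMETRIC = [SYN, SYN_ACK, ACK]   # both directions cross this point
REQUEST_LEG_ONLY = [SYN, ACK]     # response took a different path
RESPONSE_LEG_ONLY = [SYN_ACK]     # request took a different path
```

In the model, the stateless mode passes packets only because the rule matches the service port in both directions; it no longer ties a response to a request it has seen.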