Service VMs are dropping traffic in NSX

Article ID: 320957


Products

VMware NSX, VMware vDefend Firewall

Issue/Introduction

This article explains why Service VMs (SVMs) and managed agents must be on the DFW Exclusion List, and how to verify on the ESXi host whether they are.

Symptoms:
  • Service VMs (SVMs) are dropping traffic in NSX.
  • Traffic to and from the Service VM and managed agents behaves abnormally.

Cause

The Service VM (SVM) and managed agents are expected to be on the Exclusion List by default. If they are not, the DFW and Service Insertion filters on the SVM's vNICs receive firewall rules like any workload VM, and the SVM's own traffic can be dropped or otherwise disrupted.

Keep the SVM and managed agents on the Exclusion List so that their traffic flows without being policed by the distributed firewall. When the SVM and agents are missing from the Exclusion List, traffic coming to and going from the SVM and managed agents behaves abnormally.

Resolution

  • To resolve this issue, make sure the Service VMs are on the Exclusion List so that their traffic flows freely. For more information, see the Exclude Virtual Machines from the Firewall Protection section of the NSX Administration Guide.
  • If the system fails to add the Service Insertion SVMs and Malware Prevention SVMs to the system-excluded list, add them to the user-excluded list manually.

  • To confirm whether the SVMs are missing from the Exclusion List, run the following checks on the ESXi host where the SVMs run.

1. To find the names of the dvfilters attached to the SVM's vNICs, run "summarize-dvfilter | grep -i <SVM-name> -A 18". Each vNic slot lists one filter: the DFW filter (agentName vmware-sfw) and the Service Insertion filter (agentName vmware-si).

Here is an example

[root@hnpp-vmhfx23-3:~] summarize-dvfilter | grep -i "SVM-A" -A 18
world 2202628 vmm0:SVM-A vcUuid:'50 3d ab 19 b8 97 0d a4-47 b7 2a 11 aa f8 bb 49'
 port 167772219 SVM-A.eth1
  vNic slot 2
   name: nic-1234xxx-eth1-vmware-sfw.2     <<<< DFW filter name
   agentName: vmware-sfw
   state: IOChain Attached
   vmState: Attached
   failurePolicy: failClosed
   serviceVMID: 1
   filter source: Dynamic Filter Creation
   moduleName: nsxt-vsip-23653567
  vNic slot 12
   name: nic-1234xxx-eth1-vmware-si.12     <<<< Service Insertion filter name
   agentName: vmware-si
   state: IOChain Attached
   vmState: Detached
   failurePolicy: failOpen
   serviceVMID: none
   filter source: Dynamic Filter Creation
   moduleName: nsxt-vsip-23653567

2. To check whether firewall rules are realized on the SVM's filters, run "vsipioctl getrules -f <filter-name>" for each filter name found in step 1. On an excluded SVM, no user rules should appear in the ruleset.

Here is an example

[root@hnpp-vmh008:~] vsipioctl getrules -f nic-1234xxx-eth1-vmware-sfw.2
ruleset mainrs {
  # generation number: 0
  # realization time : 2024-09-24T14:45:00
  # FILTER (APP Category) rules
  rule 1006144 at 1 inout protocol any from any to any accept;
<further rules appear here; this is NOT expected when the SVM is on the Exclusion List>
  rule 2 at 6 inout protocol any from any to any accept;
}

[root@hnpp-vmh008:~] vsipioctl getrules -f nic-1234xxx-eth1-vmware-si.12
ruleset mainrs {
  # generation number: 0
  # realization time : 2024-09-24T14:20:01
  # FILTER (APP Category) rules
<rules appear here; this is NOT expected when the SVM is on the Exclusion List>
  rule 1000 at 14 inout protocol any from any to any pbr pass-through;
}

3. Add the SVMs to both the DFW and the Service Insertion exclusion lists, then repeat steps 1 and 2 to confirm that only the default rule remains on each filter.

https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-2/administration-guide/security/distributed-firewall/manage-a-firewall-exclusion-list.html       <<< To add VMs to the DFW exclusion list

https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-2/administration-guide/security/east-west-network-security-chaining-third-party-services/exclude-members-from-a-security-service.html           <<< To add VMs to the Service Insertion exclusion list
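The following script is an added example for this article, not Broadcom/VMware code. It automates steps 1 and 2 on an ESXi host: it parses the summarize-dvfilter output for the filters attached to one SVM, counts the rules that vsipioctl getrules reports on each filter, and prints a verdict. The sample_* functions return output constructed from the listings above (plus a hypothetical second VM, OTHER-VM, so the VM selection is exercised), so the script also runs offline; check_svm_live is the form to run on the host. The verdict rests on an assumption of mine that the article does not state: that a filter on an excluded VM carries only its single trailing default rule (rule 2 for vmware-sfw, rule 1000 for vmware-si in the listings above). Confirm that on a known-good excluded SVM before relying on it.

```shell
#!/bin/sh
# Added example (not Broadcom/VMware code): automate the article's steps 1 and 2.

# svm_filters VM-NAME   (reads summarize-dvfilter output on stdin)
# A "world ..." line opens a VM section; its third field is vmm0:<VM-NAME>.
# Every "name:" line inside that section is one dvfilter on one vNic slot.
svm_filters() {
    awk -v vm="$1" '
        /^world / { in_vm = ($3 == ("vmm0:" vm)); next }
        in_vm && $1 == "name:" { print $2 }
    '
}

# rule_count   (reads vsipioctl getrules output on stdin)
# Counts the realized "rule <id> at <n> ..." lines in the ruleset.
rule_count() {
    grep -c '^[[:space:]]*rule [0-9][0-9]* at ' || true
}

# verdict FILTER-NAME RULE-COUNT
# Assumption (not stated by the article): an excluded VM's filter carries only
# its single trailing default rule, so more than one rule means DFW / SI
# policy is still applied to the SVM.
verdict() {
    if [ "$2" -gt 1 ]; then
        echo "$1: $2 rules realized -> SVM is NOT on the exclusion list"
    else
        echo "$1: $2 rule(s) realized -> only the default rule, SVM looks excluded"
    fi
}

# check_svm_live VM-NAME: the live form, run on the ESXi host hosting the SVM.
check_svm_live() {
    summarize-dvfilter | svm_filters "$1" | while read -r f; do
        verdict "$f" "$(vsipioctl getrules -f "$f" | rule_count)"
    done
}

# --- constructed sample output, from the article's listings; OTHER-VM is hypothetical
sample_dvfilter() {
cat <<'EOF'
world 2202628 vmm0:SVM-A vcUuid:'50 3d ab 19 b8 97 0d a4-47 b7 2a 11 aa f8 bb 49'
 port 167772219 SVM-A.eth1
  vNic slot 2
   name: nic-1234xxx-eth1-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
   vmState: Attached
   failurePolicy: failClosed
   serviceVMID: 1
  vNic slot 12
   name: nic-1234xxx-eth1-vmware-si.12
   agentName: vmware-si
   state: IOChain Attached
   vmState: Detached
   failurePolicy: failOpen
   serviceVMID: none
world 2202999 vmm0:OTHER-VM vcUuid:'00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00'
 port 167772300 OTHER-VM.eth0
  vNic slot 2
   name: nic-9999xxx-eth0-vmware-sfw.2
   agentName: vmware-sfw
EOF
}

# DFW filter as shown in the article: user rule 1006144 ahead of default rule 2.
sample_rules_sfw() {
cat <<'EOF'
ruleset mainrs {
  # generation number: 0
  # realization time : 2024-09-24T14:45:00
  # FILTER (APP Category) rules
  rule 1006144 at 1 inout protocol any from any to any accept;
  rule 2 at 6 inout protocol any from any to any accept;
}
EOF
}

# SI filter as it should look once the SVM is excluded (constructed): default rule 1000 only.
sample_rules_si_excluded() {
cat <<'EOF'
ruleset mainrs {
  # generation number: 0
  # realization time : 2024-09-24T14:20:01
  # FILTER (APP Category) rules
  rule 1000 at 14 inout protocol any from any to any pbr pass-through;
}
EOF
}

# Offline run over the constructed samples.
sample_dvfilter | svm_filters SVM-A
verdict nic-1234xxx-eth1-vmware-sfw.2 "$(sample_rules_sfw | rule_count)"
verdict nic-1234xxx-eth1-vmware-si.12 "$(sample_rules_si_excluded | rule_count)"
```

On the host, call check_svm_live with the SVM name from step 1 (for example check_svm_live SVM-A); the offline lines at the bottom can then be removed. After adding the SVM to both exclusion lists, re-run it and expect every filter to report only its default rule.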