When a virtual machine that relies on DHCP is Bulk migrated to, or rebooted on, an HCX extended network, it is not able to receive an IP address via DHCP.
There are two primary conditions within NSX-T that cause this behavior:
Default Segment Security Policy Restrictions
When HCX extends a network to an NSX-T backed vSphere environment, the default-segment-security-policy is applied by default. This policy has DHCP Server Block enabled, which drops DHCP offers.
Distributed Firewall (DFW) Blocking
Even if a custom segment security profile is applied with both DHCP Server Block and DHCP Client Block set to Disabled, the Distributed Firewall (DFW) will block DHCP requests from the client if there is no explicit rule allowing the DHCP broadcast traffic.
If the issue is caused by the Segment Security Profile, follow these steps:
Log in to the NSX-T Manager.
Create a new Segment Security Profile with DHCP Filtering (both Server and Client Block) set to Disabled.
Apply this new Segment Security Profile to any HCX extended networks that rely on DHCP for IP addressing.
If the issue is caused by the Distributed Firewall, follow these steps:
Log in to the NSX-T Manager.
Navigate to the Distributed Firewall (DFW) configuration.
Create a DFW rule with the destination set to the broadcast address 255.255.255.255/32 and the action set to Allow to permit DHCP traffic.
Note: Starting from VMware Cloud on AWS SDDC version M16, an internal rule exists automatically to allow DHCP traffic.
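The following is an added example, not part of this article and not VMware-provided code. It is a small offline check that evaluates NSX-T Policy API style objects for the two conditions described above (a segment security profile whose DHCP filter is enabled, and a DFW rule set with no Allow rule for the DHCP broadcast destination), and it builds the profile and rule payloads the two procedures call for. The field names (dhcp_filter.server_block_enabled, dhcp_filter.client_block_enabled, rule action / destination_groups / services / sequence_number) and the predefined DHCP service paths follow the Policy API as the author understands it and are assumptions; the sample objects are constructed, not exported from a real environment.

```python
"""Offline pre-check for the two NSX-T DHCP-blocking conditions on HCX extended networks.

Field names and service paths are assumptions about the NSX-T Policy API;
all sample objects below are constructed for illustration.
"""

DHCP_BROADCAST = "255.255.255.255/32"
# Assumed predefined NSX-T service paths for DHCP (assumption, not from the article).
DHCP_SERVICE_PATHS = {"/infra/services/DHCP-Server", "/infra/services/DHCP-Client"}


def profile_blocks_dhcp(profile: dict) -> list:
    """Return the DHCP block settings that are enabled in a segment security profile.
    An empty list means the profile lets DHCP offers and requests through."""
    dhcp_filter = profile.get("dhcp_filter", {})
    enabled = []
    if dhcp_filter.get("server_block_enabled", False):
        enabled.append("server_block_enabled")   # drops OFFER/ACK coming from the DHCP server
    if dhcp_filter.get("client_block_enabled", False):
        enabled.append("client_block_enabled")   # drops DISCOVER/REQUEST sent by the VM
    return enabled


def dfw_allows_dhcp_broadcast(rules: list) -> bool:
    """Walk DFW rules in sequence order and return True only if the first rule that
    matches traffic to 255.255.255.255/32 is an ALLOW. No matching rule is treated
    as the implicit default deny (assumption for this check)."""
    for rule in sorted(rules, key=lambda r: r.get("sequence_number", 0)):
        if rule.get("disabled", False):
            continue
        dests = set(rule.get("destination_groups", ["ANY"]))
        services = set(rule.get("services", ["ANY"]))
        dest_match = "ANY" in dests or DHCP_BROADCAST in dests
        service_match = "ANY" in services or bool(services & DHCP_SERVICE_PATHS)
        if dest_match and service_match:
            return rule.get("action", "DROP") == "ALLOW"
    return False


def diagnose(profile: dict, rules: list) -> list:
    """Combine both checks into a list of findings; empty means DHCP should work."""
    findings = ["segment-security-profile: " + name for name in profile_blocks_dhcp(profile)]
    if not dfw_allows_dhcp_broadcast(rules):
        findings.append("dfw: no ALLOW rule for destination " + DHCP_BROADCAST)
    return findings


def fixed_profile_payload(display_name: str = "hcx-dhcp-passthrough") -> dict:
    """Body for a new segment security profile with both DHCP blocks disabled
    (shape assumed for the Policy API segment-security-profiles endpoint)."""
    return {
        "display_name": display_name,
        "dhcp_filter": {"server_block_enabled": False, "client_block_enabled": False},
    }


def dhcp_allow_rule_payload(sequence_number: int = 10) -> dict:
    """Body for a DFW rule that allows traffic to the DHCP broadcast address,
    as the second procedure describes (rule shape assumed)."""
    return {
        "display_name": "allow-dhcp-broadcast",
        "sequence_number": sequence_number,
        "source_groups": ["ANY"],
        "destination_groups": [DHCP_BROADCAST],
        "services": ["ANY"],
        "action": "ALLOW",
    }


# Constructed samples: the default profile as the article describes it (server block on),
# and a rule set consisting only of a catch-all DROP.
DEFAULT_PROFILE = {
    "display_name": "default-segment-security-profile",
    "dhcp_filter": {"server_block_enabled": True, "client_block_enabled": False},
}
DEFAULT_DENY_RULES = [
    {"display_name": "default-layer3-rule", "sequence_number": 1000,
     "source_groups": ["ANY"], "destination_groups": ["ANY"],
     "services": ["ANY"], "action": "DROP"},
]

if __name__ == "__main__":
    for finding in diagnose(DEFAULT_PROFILE, DEFAULT_DENY_RULES):
        print("finding:", finding)
    print("after fix:", diagnose(fixed_profile_payload(),
                                  DEFAULT_DENY_RULES + [dhcp_allow_rule_payload()]))
```

Run against exported profile and rule objects, the check reports which of the two conditions applies, so the right procedure can be followed; note that it evaluates only the destination and service fields and does not model applied-to scopes or rule categories.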