Symptoms:
Non-working condition:
Container set (Security Group containing an IPSet with 0.0.0.0 or 0.0.0.0/32):

vsipioctl getaddrsets -f nic-69152-eth0-vmware-sfw.2
addrset ip-ipset-4
{
} -----------> empty here

The DFW drops the packets: because the address set is empty, the intended rule cannot match and the traffic falls through to the default deny rule.

OR

0.0.0.0/32 configured along with the IP 10.0.0.0/32; only 10.0.0.0 shows up in the address sets:
vsipioctl getaddrsets -f nic-69152-eth0-vmware-sfw.2 | grep -A 3 23869
addrset rsrc23869 {
ip 222.0.0.0,
}
addrset src21978 {
[root@sc2-rdops-vm09-dhcp-61-132:/var/log] vsipioctl getrules -f nic-69152-eth0-vmware-sfw.2 | grep 23869
rule 23869 at 4 inout protocol any from addrset rsrc23869 to any accept with log;
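Checking for this condition across a whole filter, as an added example that is not part of the KB article: the shell functions below parse the output of vsipioctl getaddrsets for address sets that contain no ip entries, then list the rules from vsipioctl getrules that reference them. The sample output embedded in the script is constructed for the example (rule 23870 is invented; the address set names and rule 23869 are the ones shown above); on a host you would feed the real output of the two commands into the functions instead.

```shell
#!/bin/sh
# Added example, not from the VMware KB: flag DFW address sets that resolved
# empty and list the rules that depend on them.

# Constructed sample of "vsipioctl getaddrsets -f <filter>" output, modelled on
# the listing in the article: ip-ipset-4 is empty, the other two have members.
SAMPLE_ADDRSETS='addrset ip-ipset-4
{
}
addrset rsrc23869 {
ip 222.0.0.0,
}
addrset src21978 {
ip 10.0.0.5,
}'

# Constructed sample of "vsipioctl getrules -f <filter>" output; rule 23869 is
# from the article, rule 23870 is invented here and references the empty set.
SAMPLE_RULES='rule 23869 at 4 inout protocol any from addrset rsrc23869 to any accept with log;
rule 23870 at 5 inout protocol any from addrset ip-ipset-4 to any accept with log;'

# empty_addrsets ADDRSET_OUTPUT
# Prints the name of every address set whose body contains no "ip" line.
# Handles both brace placements seen in the article ("addrset x {" and a
# brace on its own line).
empty_addrsets() {
  printf '%s\n' "$1" | awk '
    /^addrset / { name = $2; members = 0; next }
    /^ip /      { members++; next }
    /^}/        { if (members == 0) print name }
  '
}

# rules_with_empty_sets ADDRSET_OUTPUT RULES_OUTPUT
# Prints each rule that references an empty address set. Such a rule can never
# match, so traffic meant for it is evaluated against later rules and usually
# ends at the default deny.
rules_with_empty_sets() {
  for set in $(empty_addrsets "$1"); do
    printf '%s\n' "$2" | grep "addrset $set " || true
  done
}

# Stand-alone run over the constructed samples. On an ESXi host replace the
# samples with the real command output, e.g.
#   rules_with_empty_sets "$(vsipioctl getaddrsets -f FILTER)" "$(vsipioctl getrules -f FILTER)"
rules_with_empty_sets "$SAMPLE_ADDRSETS" "$SAMPLE_RULES"
```

A rule printed by rules_with_empty_sets is the one whose intended traffic is being dropped; an empty set that no rule references is harmless for now but will cause the same drop as soon as a rule uses it.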
This issue is resolved in VMware NSX for vSphere 6.3.7, available at VMware Downloads.
In VMware NSX for vSphere 6.4.1, a 'Critical' event is generated for an IPSet containing either the 0.0.0.0 or the 0.0.0.0/32 address.