Firewall rules are not removed from dvfilter after disconnecting the VM from a logical switch
Article ID: 325111
Updated On:
Products
VMware NSX Networking
Issue/Introduction
Symptoms:
- After disconnecting a VM from an NSX-T logical switch and moving it to a regular distributed port group, some of the DFW rules remain in the dvfilter of the VM, potentially causing unexpected traffic blocks depending on the rules.
- From the ESXi the VM lives on, obtain the VM's filter name by running:
- >summarize-dvfilter
- Note* The VM's filter name should look something like: nic-679396-eth2-vmware-sfw.2
- From the ESXi, run the command
- >vsipioctl getrules -f nic-######-eth2-vmware-sfw.2
- The output still shows rules attached the vNIC that is no longer connected to a NSX-T logical switch
Environment
VMware NSX-T Data Center
VMware NSX-T Data Center 2.x
VMware NSX-T Data Center 2.x
Cause
When a VM is disconnected from a Logical Switch, the filters associated should be removed, but are not
Resolution
Resolution for this issue is expected in a future release for ESXi 6.5 and 6.7.
Workaround:
Add the VM in the NSX-T DFW exclusion list before disconnecting it from the logical switch.
This ensures that all filters are removed from the VM prior to the Logical Switch disconnect, preventing the issue from occuring
Workaround:
Add the VM in the NSX-T DFW exclusion list before disconnecting it from the logical switch.
This ensures that all filters are removed from the VM prior to the Logical Switch disconnect, preventing the issue from occuring
Additional Information
- When a VM is disconnected from an NSX-T logical switch, the firewall rules should be cleared from the dvFilter associated to the VMNIC. We have identified that this is not happening in some specific ESXi versions.
Impact/Risks:
- Depending on the firewall rules still being applied to the virtual nic of the VM, the user could experience unexpected traffic blocks.
Feedback
Yes
No
Powered by
