After NSX-V to T Migration VM traffic may hit DFW default deny rule
Article ID: 327291
Products
VMware NSX
Issue/Introduction
Symptoms:
After an NSX-V to T Migration using Migration Coordinator, VMs with DFW rules may hit unexpected rules after vMotion.
This issue can occur only if all of the factors below are present for a VM:
vMotion occurs for the VM impacted
The source host (with respect to the vMotion) removed the discovered bindings from the NSX-T Central Control Plane only after the destination host had already added the discovered bindings on the Central Control Plane.
NSX-T Trust on First Use is disabled, VM Tools are present on the VM, and NSX-T Duplicate IP Detection is enabled.
Environment
VMware NSX-T Data Center
Cause
The NSX-V to T Migration Coordinator creates a Segment IP Discovery Profile that has Trust on First Use disabled and Duplicate IP Detection enabled. If the Central Control Plane holds two records for the same IP (i.e. the receiving host adds its record before the sending host, with respect to the vMotion, removes its IP allocation from the Central Control Plane), Duplicate IP Detection may be triggered, and the VM's discovered IP binding is no longer trusted for DFW rule evaluation.
Resolution
This behavior is resolved in NSX-T 3.2.0.1 and subsequent releases.
Workaround:
On NSX-T Segment IP Discovery Profiles, enable Trust on First Use and disable Duplicate IP Detection for the profile created by Migration Coordinator.
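The check and the corrected profile settings, as an added example that is not part of this KB article or of any VMware tooling. It assumes the NSX-T Policy API IPDiscoveryProfile field names tofu_enabled and duplicate_ip_detection.duplicate_ip_detection_enabled, a placeholder profile id and a placeholder manager hostname; nothing is sent to a manager.

```python
import copy
import json

# Constructed sample of an IP Discovery Profile in the state Migration
# Coordinator leaves behind: TOFU off, Duplicate IP Detection on.
# Field names follow the NSX-T Policy API IPDiscoveryProfile schema as
# assumed here; the id is a placeholder, not a value from the KB.
MIGRATED_PROFILE = {
    "resource_type": "IPDiscoveryProfile",
    "id": "migrated-ip-discovery-profile",
    "display_name": "migrated-ip-discovery-profile",
    "tofu_enabled": False,
    "duplicate_ip_detection": {"duplicate_ip_detection_enabled": True},
    "ip_v4_discovery_options": {
        "arp_snooping_config": {"arp_snooping_enabled": True,
                                "arp_binding_limit": 1},
        "dhcp_snooping_enabled": True,
        "vmtools_enabled": True,
    },
}


def is_affected(profile: dict) -> bool:
    """True when the profile has the exact combination the KB describes."""
    tofu = profile.get("tofu_enabled", True)
    dup = profile.get("duplicate_ip_detection", {}).get(
        "duplicate_ip_detection_enabled", False)
    return (not tofu) and dup


def remediated(profile: dict) -> dict:
    """Return a copy with the KB workaround applied; input is not mutated."""
    fixed = copy.deepcopy(profile)
    fixed["tofu_enabled"] = True
    fixed.setdefault("duplicate_ip_detection", {})[
        "duplicate_ip_detection_enabled"] = False
    return fixed


def patch_request(profile: dict,
                  manager: str = "nsx-manager.example.invalid") -> tuple:
    """Build (method, url, body) for a Policy API PATCH; nothing is sent."""
    url = (f"https://{manager}/policy/api/v1/infra/"
           f"ip-discovery-profiles/{profile['id']}")
    body = {"tofu_enabled": True,
            "duplicate_ip_detection": {"duplicate_ip_detection_enabled": False}}
    return ("PATCH", url, json.dumps(body))


if __name__ == "__main__":
    print("affected:", is_affected(MIGRATED_PROFILE))
    print(*patch_request(MIGRATED_PROFILE))
```

Run is_affected against each profile exported from the manager to find every profile with the problematic combination, not only the one Migration Coordinator named.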
Additional Information
Impact/Risks:
Virtual Machines may experience network connectivity issues if their traffic is subject to NSX-T Distributed Firewall (DFW) rules, because traffic that should match an allow rule can instead fall through to the default deny rule.