After NSX-V to T Migration VM traffic may hit DFW default deny rule



Article ID: 327291


Updated On:


VMware NSX Networking


After an NSX-V to T migration using Migration Coordinator, VMs protected by DFW rules may hit unexpected rules (including the default deny rule) after a vMotion.

This issue can occur only when all of the following are present for a VM:
  1. A vMotion occurs for the impacted VM.
  2. The source host (with respect to the vMotion) removes its discovered bindings from the NSX-T Central Control Plane after the destination host has already added its discovered bindings to the Central Control Plane.
  3. NSX-T Trust on First Use (TOFU) is disabled, VMware Tools are present on the VM, and NSX-T Duplicate IP Detection is enabled.
Image below:



VMware NSX-T Data Center


The NSX-V to T Migration Coordinator creates a Segment IP Discovery Profile that has Trust on First Use disabled and Duplicate IP Detection enabled. If the Central Control Plane holds two records for the same IP (i.e. the receiving host adds its record before the sending host, with respect to the vMotion, removes its IP binding from the Central Control Plane), Duplicate IP Detection may be triggered, and the VM's traffic can then fall through to the DFW default deny rule.


This behavior is resolved in NSX T and subsequent releases.

On the NSX-T Segment IP Discovery Profile created by Migration Coordinator, enable Trust on First Use and disable Duplicate IP Detection.
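As an added example (not VMware's code and not part of this article), the following Python script audits Segment IP Discovery Profiles for the combination described above (TOFU disabled with Duplicate IP Detection enabled) and builds the PATCH body that applies the workaround. The Policy API path and the field names `tofu_enabled` and `duplicate_ip_detection.duplicate_ip_detection_enabled` are assumed from the NSX-T Policy API schema and should be verified against the API reference for your release; the sample profiles and their ids are constructed.

```python
import json
import os
import urllib.request
from base64 import b64encode

PROFILES = "/policy/api/v1/infra/ip-discovery-profiles"   # NSX-T Policy API path (assumed)

def is_affected(profile: dict) -> bool:
    """True for the KB's combination: TOFU disabled and Duplicate IP Detection enabled.
    Absent keys fall back to the NSX-T defaults (TOFU on, duplicate detection off)."""
    tofu = profile.get("tofu_enabled", True)
    dup = profile.get("duplicate_ip_detection", {}).get("duplicate_ip_detection_enabled", False)
    return (not tofu) and bool(dup)

def remediation_patch() -> dict:
    """PATCH body applying the KB workaround: enable TOFU, disable Duplicate IP Detection."""
    return {"resource_type": "IPDiscoveryProfile", "tofu_enabled": True,
            "duplicate_ip_detection": {"duplicate_ip_detection_enabled": False}}

def audit(profiles: list) -> list:
    """Ids of the profiles that carry the affected configuration."""
    return [p["id"] for p in profiles if is_affected(p)]

def nsx_call(manager: str, path: str, method: str = "GET", body=None) -> dict:
    """Policy API call with basic auth from NSX_USER/NSX_PASS; urlopen verifies the server cert."""
    req = urllib.request.Request(f"https://{manager}{path}", method=method,
                                 data=json.dumps(body).encode() if body else None)
    creds = f"{os.environ['NSX_USER']}:{os.environ['NSX_PASS']}".encode()
    req.add_header("Authorization", "Basic " + b64encode(creds).decode())
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")

# Constructed sample: a default profile plus one shaped like Migration Coordinator's (ids made up).
SAMPLE_PROFILES = [
    {"id": "default-ip-discovery-profile", "tofu_enabled": True,
     "duplicate_ip_detection": {"duplicate_ip_detection_enabled": False}},
    {"id": "migrated-segment-profile", "tofu_enabled": False,
     "duplicate_ip_detection": {"duplicate_ip_detection_enabled": True}},
]

if __name__ == "__main__":
    manager = os.environ.get("NSX_MANAGER")          # unset: run the audit on the sample only
    profiles = nsx_call(manager, PROFILES)["results"] if manager else SAMPLE_PROFILES
    for pid in audit(profiles):
        print("affected:", pid, "patch:", json.dumps(remediation_patch()))
        if manager and os.environ.get("NSX_APPLY") == "1":   # opt-in to apply the workaround
            nsx_call(manager, f"{PROFILES}/{pid}", "PATCH", remediation_patch())
```

Run it without `NSX_MANAGER` to see the audit logic on the sample; with `NSX_MANAGER`, `NSX_USER` and `NSX_PASS` set it lists affected profiles on the live manager, and applies the PATCH only when `NSX_APPLY=1`.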

Additional Information

Virtual machines may experience network connectivity issues if they are subject to NSX-T Distributed Firewall (DFW) rules.