After NSX-V to T Migration VM traffic may hit DFW default deny rule

Article ID: 327291


Products

VMware NSX Networking

Issue/Introduction

Symptoms:
After an NSX-V to T migration performed with Migration Coordinator, VMs protected by DFW rules may hit unexpected rules (including the default deny rule) after a vMotion.

This issue can occur only when all of the following factors are present for a VM:
  1. A vMotion occurs for the affected VM.
  2. The source host (with respect to the vMotion) removes its discovered bindings from the NSX-T Central Control Plane after the destination host has already added its discovered bindings to the Central Control Plane.
  3. NSX-T Trust on First Use is disabled, VMware Tools is present on the VM, and NSX-T Duplicate IP Detection is enabled.
[Image not reproduced: sequence diagram of the vMotion binding add/remove ordering described above.]

Environment

VMware NSX-T Data Center

Cause

The NSX-V to T Migration Coordinator creates a Segment IP Discovery Profile that has Trust on First Use disabled and Duplicate IP Detection enabled. If the Central Control Plane holds two records for the same IP (i.e. the receiving host adds its record before the sending host, with respect to the vMotion, removes its IP allocation from the Central Control Plane), Duplicate IP Detection may be triggered, and the VM's IP binding is no longer trusted for DFW rule evaluation.

Resolution

This behavior is resolved in NSX-T 3.2.0.1 and subsequent releases.


Workaround:
On the NSX-T Segment IP Discovery Profile created by Migration Coordinator, enable Trust on First Use and disable Duplicate IP Detection.
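The following is an added audit helper, not part of this article or of any VMware tool. It reads the JSON that a GET against the NSX-T Policy API IP discovery profile collection returns, flags every profile that carries the risky combination described in the Cause section (Trust on First Use disabled together with Duplicate IP Detection enabled), and builds the PATCH body that applies the workaround above. The response field names (tofu_enabled, duplicate_ip_detection.duplicate_ip_detection_enabled), the API path and the profile names in the embedded sample are assumptions for illustration; verify them against your NSX-T version's API reference before use.

```python
import copy
import json

# Constructed sample of a GET /policy/api/v1/infra/ip-discovery-profiles response.
# Profile names are invented; the second profile mimics what Migration Coordinator
# creates (TOFU off, Duplicate IP Detection on), which is the risky combination.
SAMPLE_PROFILES_JSON = """
{
  "results": [
    {
      "id": "default-ip-discovery-profile",
      "display_name": "default-ip-discovery-profile",
      "tofu_enabled": true,
      "duplicate_ip_detection": {"duplicate_ip_detection_enabled": false},
      "ip_v4_discovery_options": {"vmtools_enabled": true}
    },
    {
      "id": "migrated-ipdiscovery-profile-1",
      "display_name": "migrated-ipdiscovery-profile-1",
      "tofu_enabled": false,
      "duplicate_ip_detection": {"duplicate_ip_detection_enabled": true},
      "ip_v4_discovery_options": {"vmtools_enabled": true}
    }
  ]
}
"""

# Assumed Policy API path for updating a single profile (placeholder, check your release).
PATCH_PATH_TEMPLATE = "/policy/api/v1/infra/ip-discovery-profiles/{profile_id}"


def is_risky(profile):
    """True when TOFU is disabled and Duplicate IP Detection is enabled.

    A profile that does not expose tofu_enabled is treated as not risky,
    because the combination cannot be confirmed from the data.
    """
    tofu_enabled = profile.get("tofu_enabled")
    dup_detection = profile.get("duplicate_ip_detection", {}) or {}
    dup_enabled = dup_detection.get("duplicate_ip_detection_enabled", False)
    return tofu_enabled is False and bool(dup_enabled)


def find_risky_profiles(payload):
    """Return the ids of all profiles in a list response that match the risky combination."""
    return [p["id"] for p in payload.get("results", []) if is_risky(p)]


def audit_json(text):
    """Convenience wrapper: parse raw JSON text and return the risky profile ids."""
    return find_risky_profiles(json.loads(text))


def build_remediation(profile):
    """Return a copy of the profile with the workaround applied.

    The original dict is left untouched so the caller can diff before/after.
    """
    fixed = copy.deepcopy(profile)
    fixed["tofu_enabled"] = True
    fixed.setdefault("duplicate_ip_detection", {})
    fixed["duplicate_ip_detection"]["duplicate_ip_detection_enabled"] = False
    return fixed


def remediation_plan(payload):
    """Map each risky profile id to the assumed PATCH path and the corrected body."""
    plan = {}
    for profile in payload.get("results", []):
        if is_risky(profile):
            plan[profile["id"]] = {
                "path": PATCH_PATH_TEMPLATE.format(profile_id=profile["id"]),
                "body": build_remediation(profile),
            }
    return plan


if __name__ == "__main__":
    data = json.loads(SAMPLE_PROFILES_JSON)
    for profile_id, change in remediation_plan(data).items():
        print(f"PATCH {change['path']}")
        print(json.dumps(change["body"], indent=2))
```

In practice you would feed the script the live response from your NSX Manager instead of the embedded sample and review the printed PATCH bodies before applying them; the helper never sends requests itself.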


Additional Information

Impact/Risks:
Virtual machines may experience network connectivity issues if they are protected by NSX-T Distributed Firewall (DFW) rules.