vNic gets disconnected after migrating the VM from a Network Introspection prepared cluster to a non-prepared cluster

Article ID: 330248

Products

VMware NSX

Issue/Introduction

  • Migrating a VM from a cluster that is prepared for 3rd party Network Introspection to a cluster that is not prepared for 3rd party Network Introspection results in the VM's vNic getting disconnected.

  • In the vmkernel.log of the ESXi host, you see an error similar to:
<Date>T<Time>Z cpu16:11678989)Net: 2312: connected pfrdmwsweba01_clone.eth0 eth0 to vDS, portID <ID>
<Date>T<Time>Z  cpu16:11678989)Net: 3127: associated dvPort <ID> with portID <ID>
<Date>T<Time>Z  cpu16:11678989)DVFilter: 3564: Could not find filter 'serviceinstance-#'
<Date>T<Time>Z  cpu16:11678989)DVFilter: 5507: Failed to add filter serviceinstance-# on vNic 0 slot 4: Not found
<Date>T<Time>Z  cpu16:11678989)WARNING: Net: 3159: DVFilterActivateCommon failed: Failure
<Date>T<Time>Z  cpu16:11678989)Net: 3348: dissociate dvPort <ID> from port <ID>
<Date>T<Time>Z  cpu16:11678989)Net: 3354: disconnected client from port <ID>
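
To check a host's vmkernel.log for this sequence, the following Python script (an added example, not VMware code) correlates the lines by world ID and reports each vNic whose filter could not be added ("Not found") and which was then disconnected. The sample log is constructed in the format shown above; its timestamps, VM names, dvPort numbers and port IDs are made up.

```python
import re

# <timestamp> cpu<N>:<world ID>)<message>, with an optional "WARNING: " prefix
LINE = re.compile(r"^(\S+)\s+cpu\d+:(\d+)\)(?:WARNING: )?(.*)$")
CONNECT = re.compile(r"Net: \d+: connected (\S+) \S+ to vDS, portID (\S+)")
ADD_FAIL = re.compile(r"DVFilter: \d+: Failed to add filter (\S+) on vNic (\d+) slot (\d+): Not found")
ACT_FAIL = re.compile(r"Net: \d+: DVFilterActivateCommon failed")
DISCONNECT = re.compile(r"Net: \d+: disconnected client from port (\S+)")

def find_filter_disconnects(log_text):
    """Return one finding per vNic that was connected, failed DVFilter
    activation because the filter was not found, and was then disconnected."""
    state = {}       # world ID -> details of the connect attempt in progress
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, world, msg = m.groups()
        if (c := CONNECT.search(msg)):
            state[world] = {"client": c.group(1), "port": c.group(2)}
        elif world not in state:
            continue
        elif (f := ADD_FAIL.search(msg)):
            state[world].update(filter=f.group(1), vnic=int(f.group(2)), slot=int(f.group(3)))
        elif ACT_FAIL.search(msg):
            state[world]["activation_failed"] = True
        elif DISCONNECT.search(msg):
            attempt = state.pop(world)
            if attempt.get("activation_failed") and "filter" in attempt:
                findings.append({"time": ts, **attempt})
    return findings

# Constructed sample: one failing connect, one healthy connect.
SAMPLE_LOG = """\
2024-01-01T10:00:00.101Z cpu16:11678989)Net: 2312: connected example-vm.eth0 eth0 to vDS, portID 0x4000010
2024-01-01T10:00:00.102Z  cpu16:11678989)Net: 3127: associated dvPort 42 with portID 0x4000010
2024-01-01T10:00:00.103Z  cpu16:11678989)DVFilter: 3564: Could not find filter 'serviceinstance-1'
2024-01-01T10:00:00.104Z  cpu16:11678989)DVFilter: 5507: Failed to add filter serviceinstance-1 on vNic 0 slot 4: Not found
2024-01-01T10:00:00.105Z  cpu16:11678989)WARNING: Net: 3159: DVFilterActivateCommon failed: Failure
2024-01-01T10:00:00.106Z  cpu16:11678989)Net: 3348: dissociate dvPort 42 from port 0x4000010
2024-01-01T10:00:00.107Z  cpu16:11678989)Net: 3354: disconnected client from port 0x4000010
2024-01-01T10:05:00.000Z cpu3:22222222)Net: 2312: connected other-vm.eth0 eth0 to vDS, portID 0x4000011
2024-01-01T10:05:00.001Z  cpu3:22222222)Net: 3127: associated dvPort 43 with portID 0x4000011
"""

if __name__ == "__main__":
    for finding in find_filter_disconnects(SAMPLE_LOG):
        print(finding)
```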



Cause

This behavior is by design. All the VMs in the prepared cluster have a filter that redirects traffic to the 3rd Party VM. When you migrate a VM to a non-prepared cluster, its vNic gets disconnected because that cluster is not prepared for the service.

Resolution

VMware recommends avoiding migration of VMs from a Network Introspection prepared cluster to a non-prepared cluster.
 
To resolve the issue, install Network Introspection on the other cluster so that a service profile is created on it.
 
To work around the issue, set the security policy to fail open using one of the following methods:
 
  • If the security policy is used:
      1. Apply the security group to the security policy.
      2. Change the value of the failOpen key to true in the service profile.
      3. Publish the service profile.
      4. Reapply the security policy to the security group.
  • If the partner security tab is used for configuring service insertion/netX rules:
      1. Remove the binding of the security group / dvportgroup / virtual wire from the service profile.
      2. Change the value of the failOpen key in the service profile to true.
      3. Publish the service profile.
      4. Add the security group / dvportgroup / virtual wire to the service profile binding.
 

Note: This workaround is not recommended for security reasons. Setting the security policy to failOpen means that if the security policy check fails, the communication will stay open.