vsipioctl getrules
command against these impacted VM filter you receive output as No rules / No root rule set.VMware NSX-T Data Center
VMware NSX
In NSX-T Security Only prepared cluster this issue is seen where the NSX Manager has dependency on vCenter to get a valid lport_attachment_id for the VM's and if the VM has a valid id the DFW rules get applied.
In scenarios when ephemeral DVS port groups are being used by the VMs, these port groups can be modified from ESXi host UI/API as these have Port Binding in DVS port groups being set to ephemeral-no binding.
When the vCenter is down or inaccessible, if there are any Power OFF/ON performed for the VM's directly from the Host UI/API or any modification to VM port group can lead to this issue.
As from the Host UI/API when these activities are performed ESXi provide an attachment_id that is less than 4 characters in case If an attachment_id is less than 4 characters, then it is not considered as a valid ID by nsx-datapath. Hence, these VM's will not get DFW rules applied.
=============================================================================
The desired state manager logs can help identify the lport_attachment_id
The lport_attachement_id for a working VM in the Security Only Cluster, where the valid lport_attachement_id is allocated by the vCenter has a higher value as shown below and the DFW rules get applied fine.
"lport_attachment_id": "424579489",
"lport_attachment_id": "1360516542",
"lport_attachment_id": "1283154804",
The lport_attachement_id for VM's that are assigned by the ESXi Host it is having value that is less than 4 characters and where DFW rules does not get applied.
"lport_attachment_id": "1",
"lport_attachment_id": "3",
The lport_attachement_id for VM's that are assigned by the NSX Manager have a UUID that is for the clusters which are prepared for both Networking and Security where DFW rules get applied.
"lport_attachment_id": "22edae7b-4686-4795-bed5-b0d0ba8a911d",
"lport_attachment_id": "d8758e75-d46a-4663-abdb-d279cfc1fcd2",
"lport_attachment_id": "ea00d002-3efc-43ea-97f8-9369a21dc071",
This issue is resolved in VMware NSX 4.2.0
Workaround:
This issue is not seen if modification to the VM port group is performed from the vCenter UI as vCenter provides a valid lport_attachment_id to VM which then is used by NSX and the DFW rules get applied properly.
The workaround involves creating a temporary DVS port group that mimics the same VLAN and other attributes as the original DVS port group and edit setting for the impacted VM from vCenter UI and moving to temporary port group and bringing back to original port group helps in getting a valid lport_attachment_id from vCenter.
The workaround below is for the Management vCenter that was added as the first Compute Manager in NSX-T where the DFW rules does not get applied below procedure can be also followed for other VM's having similar issue.
NOTE: You need to change the port group used by the vCenter currently. DO NOT DISCONNECT the network adapter as that will lead to vCenter VM to be off of the Network.
Create temporary portgroup:
Workaround Steps:
summarize-dvfilter
vsipioctl getrules -f <FIlter name>
NSX-T DFW rules will not get applied to the VM's when there are modification to port groups or Power OFF/ON activity performed on these VM's directly from the HOST UI/API having ephemeral binding port groups.
This issue is also seen in vCenter VM that is added as the first Compute Manager in NSX-T that is used as a Management vCenter to deploy other two NSX-T Manager appliance.