Symptoms:
This issue is resolved in VMware NSX-T Data Center 3.1.2
Workaround:
Note: this issue is resolved in NSX-T 3.1.2, which prevents it from occurring. However, if an environment on NSX-T 3.1.0 or 3.1.1 is already impacted, upgrading to 3.1.2 will not resolve the issue.
This issue is seen only for traffic flows that are allowed by the default rule.
Creating a new catch-all allow rule just above the default policy section will remediate the issue.
Create this allow rule in the Policy UI, and make the section stateful for A/S routers and stateless for A/A Gateways.
To permanently resolve the issue, the duplicate default rule must be removed.
This involves two steps: running an API DELETE call, then running the attached script.
The script attached to this KB is a Python script and can be run from any machine that has python3 installed and network connectivity to the Manager.
Alternatively, if root access to the NSX Manager is allowed, the script can be run directly there.
On a third-party machine, install the Python prerequisite library 'requests' if necessary:
# pip3 install requests
Script usage:
On Linux machine:
python3 default_policy_section_cleanup.py -m <NSX Manager's IP> -u 'admin' -p 'Admin!23Admin'
(note: single quotes must be used for the password)
On Mac machine:
python3 default_policy_section_cleanup.py -m <NSX Manager's IP> -u "admin" -p "Admin\!23Admin"
(note: \ must be used to escape special characters)
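The attached cleanup script is not reproduced in this KB. As an added illustration, not VMware's script, the following standalone Python program takes the same -m/-u/-p arguments, fetches the rules of the default section from the Manager, and reports any rule display_name that appears more than once, which is the condition the cleanup is meant to remove. This is a read-only check you can run before and after the remediation. The Policy API path used for the default section is an assumption to confirm against your NSX-T version; the JSON response embedded below is a constructed sample so the duplicate-detection logic can be exercised offline. The password may be omitted on the command line and entered at a prompt instead, which keeps it out of shell history and avoids the quoting problems noted above.

```python
import argparse
import base64
import getpass
import json
import ssl
import urllib.request
from collections import Counter

# ASSUMPTION: Policy API listing for the rules of the default Layer-3 section.
# The KB does not name the endpoint; verify this path for your NSX-T version.
DEFAULT_SECTION_PATH = (
    "/policy/api/v1/infra/domains/default/security-policies/"
    "default-layer3-section/rules"
)


def parse_rules_response(body):
    """Parse a JSON rules listing and return the list of rule dicts under 'results'."""
    data = json.loads(body)
    return data.get("results", [])


def find_duplicate_rules(rules):
    """Return display_names that occur more than once in one section, sorted.

    A healthy section has exactly one rule per name; the condition described in
    this KB shows up as the default rule being listed twice.
    """
    counts = Counter(r.get("display_name") for r in rules)
    return sorted(name for name, n in counts.items() if name and n > 1)


def fetch_rules(manager, user, password, verify_tls=True):
    """GET the default section's rules from NSX Manager using HTTP basic auth."""
    url = f"https://{manager}{DEFAULT_SECTION_PATH}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url,
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Only for lab Managers with self-signed certificates.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_rules_response(resp.read())


# Constructed sample response shaped like a Policy API rules listing (not real data):
# the default rule appears twice, alongside one ordinary rule.
SAMPLE_RESPONSE = json.dumps({
    "results": [
        {"id": "default-layer3-rule", "display_name": "Default Layer3 Rule", "action": "ALLOW"},
        {"id": "default-layer3-rule-dup", "display_name": "Default Layer3 Rule", "action": "ALLOW"},
        {"id": "allow-dns", "display_name": "allow-dns", "action": "ALLOW"},
    ]
})


def main():
    parser = argparse.ArgumentParser(description="Report duplicate rules in the default section")
    parser.add_argument("-m", "--manager", required=True, help="NSX Manager IP or FQDN")
    parser.add_argument("-u", "--user", default="admin")
    parser.add_argument("-p", "--password", help="omit to be prompted (keeps it out of shell history)")
    parser.add_argument("--insecure", action="store_true", help="skip TLS certificate verification")
    args = parser.parse_args()
    password = args.password or getpass.getpass("NSX Manager password: ")

    rules = fetch_rules(args.manager, args.user, password, verify_tls=not args.insecure)
    dups = find_duplicate_rules(rules)
    if dups:
        print("Duplicate rule names in the default section:", ", ".join(dups))
    else:
        print("No duplicate rules found in the default section.")


if __name__ == "__main__":
    main()
```

Run it as `python3 check_default_section.py -m <NSX Manager's IP> -u admin` and enter the password at the prompt; a non-empty duplicate list before the cleanup and an empty one afterwards confirms the remediation took effect.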