IPv4 IP address do not get auto approved when SpoofGuard policy is set to Trust On First Use (TOFU)
book
Article ID: 339159
calendar_today
Updated On:
Products
VMware NSX
Issue/Introduction
Symptoms:
IPv4 address do not get auto approved when SpoofGuard policy is set to Trust On First Use (TOFU)
IPv6 address link local address gets auto approved, IPv4 address must be manually approved
Environment
VMware NSX for vSphere 6.3.x VMware NSX for vSphere 6.2.x
Cause
This issue occurs due to these conditions:
The NSX Manager Trust On First Use (TOFU) does not take in to account both IPv4 and IPv6 separately and allocates only one address as a TOFU address.
The IPv6 address is reported to the NSX Manager from the hypervisor before the IPv4 address. This explains why the IPv6 address is the one marked as TOFU in the vSphere Web Client SpoofGuard management console.
Resolution
This issue is resolved in VMware NSX for vSphere 6.3.0.
To work around this issue if you do not want to upgrade, apply one of these workarounds:
Workaround 1: When SpoofGuard is enabled, deselect local addresses.
In the vSphere Web Client, navigate to Administration > Networking & Security > SpoofGuard.
Select the relevant SpoofGuard policy.
Click on the pencil icon which opens the Edit Policy wizard.
Uncheck the Allow local address (169.254.0.0/16) and fe80::/64) as valid address in this namespace.
Click Next.
Click Finish.
Note: This option does not guarantee that an IPv6 address would not be reported before the IPv4 address, this option is only effective if IPv6 is not configured or required for the virtual machine.
Workaround 2: Disable IP discovery (set it to None).
In the vSphere Web Client, navigate to Administration > Networking & Security > SpoofGuard.
Select the relevant SpoofGuard policy.
Click on the change button beside IP Detection Type.
Change the Type to None.
Note: This disables the IPv6 link local address to be reported to the NSX Manager by the ESXi.