IPv4 IP address do not get auto approved when SpoofGuard policy is set to Trust On First Use (TOFU)


Article ID: 339159


Updated On:

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • IPv4 addresses are not auto-approved when the SpoofGuard policy is set to Trust On First Use (TOFU).
  • The IPv6 link-local address is auto-approved, while the IPv4 address must be approved manually.


Environment

VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.2.x

Cause

This issue occurs due to these conditions:
  • NSX Manager's Trust On First Use (TOFU) logic does not track IPv4 and IPv6 separately; it marks only one address, the first one reported, as the TOFU address.
  • The hypervisor reports the IPv6 link-local address to NSX Manager before the IPv4 address, so the IPv6 address takes the single TOFU slot. This is why the IPv6 address is the one shown as TOFU in the vSphere Web Client SpoofGuard management console, while the IPv4 address is left pending manual approval.

Resolution

This issue is resolved in VMware NSX for vSphere 6.3.0, available at VMware Downloads.

To work around this issue if you do not want to upgrade, apply one of these workarounds:

Workaround 1: When SpoofGuard is enabled, deselect local addresses.
  1. In the vSphere Web Client, navigate to Administration > Networking & Security > SpoofGuard.
  2. Select the relevant SpoofGuard policy.
  3. Click on the pencil icon which opens the Edit Policy wizard.
  4. Deselect the Allow local address (169.254.0.0/16 and fe80::/64) as valid address in this namespace option.
  5. Click Next.
  6. Click Finish.

    Note: This option only stops link-local addresses from being treated as valid; it does not guarantee that an IPv6 address will not be reported before the IPv4 address. It is therefore effective only when IPv6 is not configured or required on the virtual machine.

Workaround 2: Disable IP discovery (set it to None).

  1. In the vSphere Web Client, navigate to Administration > Networking & Security > SpoofGuard.
  2. Select the relevant SpoofGuard policy.
  3. Click on the change button beside IP Detection Type.
  4. Change the Type to None.

    Note: With IP detection set to None, the ESXi host no longer reports the IPv6 link-local address to NSX Manager, so the IPv4 address is the first address reported and is the one marked as TOFU.
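The following Python model is an added illustration and is not NSX code or part of this article. It reproduces the single-slot TOFU behaviour described under Cause, the per-family behaviour a fix would need, and the effect of both workarounds on a constructed list of addresses in the order the host reports them. The function names, the address lists, and the assumption that Workaround 2 simply removes fe80::/64 addresses from what the host reports are constructed for the example.

```python
import ipaddress

# Link-local ranges named in the "Allow local address" option of the policy.
LINK_LOCAL_V4 = ipaddress.ip_network("169.254.0.0/16")
LINK_LOCAL_V6 = ipaddress.ip_network("fe80::/64")


def is_link_local(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # Membership tests across address families simply return False.
    return ip in LINK_LOCAL_V4 or ip in LINK_LOCAL_V6


def tofu_single_slot(reported, allow_link_local=True):
    """Model of the behaviour in the Cause section (hypothetical model, not NSX code):
    one TOFU slot regardless of address family. The first valid address reported
    is approved; every later address is left pending manual approval.
    Returns {address: "approved" | "pending"}."""
    state = {}
    tofu_taken = False
    for addr in reported:
        if not allow_link_local and is_link_local(addr):
            # Workaround 1: link-local addresses are not valid in the namespace,
            # so they are not considered for approval at all.
            continue
        if not tofu_taken:
            state[addr] = "approved"
            tofu_taken = True
        else:
            state[addr] = "pending"
    return state


def tofu_per_family(reported, allow_link_local=True):
    """Corrected model (assumed, not NSX's actual implementation): one TOFU slot
    per address family, so the first IPv4 and the first IPv6 address are each
    approved independently of reporting order."""
    state = {}
    taken = {4: False, 6: False}
    for addr in reported:
        if not allow_link_local and is_link_local(addr):
            continue
        family = ipaddress.ip_address(addr).version
        if not taken[family]:
            state[addr] = "approved"
            taken[family] = True
        else:
            state[addr] = "pending"
    return state


def ip_detection_none(reported):
    """Workaround 2 as modelled here: the host stops reporting the IPv6
    link-local address, so it never reaches the TOFU logic."""
    return [a for a in reported if ipaddress.ip_address(a) not in LINK_LOCAL_V6]


if __name__ == "__main__":
    # Constructed sample: the host reports the IPv6 link-local address first.
    reported = ["fe80::250:56ff:fe8a:1", "10.0.0.5"]
    print("buggy single slot     :", tofu_single_slot(reported))
    print("workaround 1          :", tofu_single_slot(reported, allow_link_local=False))
    print("workaround 2          :", tofu_single_slot(ip_detection_none(reported)))
    print("per-family (fixed)    :", tofu_per_family(reported))
    # Edge case from the Workaround 1 note: a non-link-local IPv6 address
    # reported first still takes the single slot.
    print("workaround 1, global v6:", tofu_single_slot(["2001:db8::1", "10.0.0.5"],
                                                       allow_link_local=False))
```

Running the script shows the symptom (IPv6 approved, IPv4 pending), both workarounds producing an approved IPv4 address, and the Workaround 1 caveat: when a routable IPv6 address is reported first, deselecting local addresses does not help, which is why that workaround only applies when IPv6 is not configured on the VM.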


Additional Information