DFW stateful firewall rules drop IPv6 traffic

Article ID: 345855

Products

VMware NSX

Issue/Introduction

  • VMs may not be able to re-establish a TCP connection until the TCP session timeout expires. The default timeout is 120 seconds when stateful distributed firewall (DFW) rules are configured on NSX.
  • This is a known issue on all versions of NSX-T up to 3.1.0.

Environment

VMware NSX-T

Cause

After the VM has sent TCP SYN packets and before it receives a TCP SYN packet in reply, the VM closes the existing TCP connection and starts a new TCP connection under the following conditions:

  • Using the same source and destination port
  • The TCP sequence number of the new TCP connection is outside the TCP window of the old connection (i.e. the old TCP sequence number + the TCP send window size)

Some of the reasons the VM closes the TCP connection are:

  • The destination MAC address of the TCP SYN packets is changed
  • The VM's SYN retry limit is reached without a TCP SYN being received in reply
  • Stateful DFW drops the TCP SYN packets of the new connection because the sequence number is outside the allowable window, as determined by the original SYN packet.
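The following is an added example, not NSX code: a simplified model of a stateful firewall's TCP session table that reproduces the mechanism described above and shows why the workaround below (a shorter session timeout) lets the reopened connection through. The flow tuple, sequence numbers, window size and timestamps are constructed sample values.

```python
"""Minimal stateful-tracker model (added example, not NSX code).

State is created from the first SYN on a 4-tuple and kept until the session
timeout expires.  A later SYN on the same 4-tuple is only allowed while the
state exists if its sequence number lies inside the window derived from the
original SYN (ISN .. ISN + send window); a fresh ISN outside it is dropped."""
from __future__ import annotations
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers wrap at 2^32


def in_window(seq: int, base: int, size: int) -> bool:
    """True if seq lies in [base, base + size) modulo 2^32."""
    return (seq - base) % MOD < size


@dataclass
class Session:
    seq: int          # ISN seen in the original SYN
    window: int       # send window advertised in that SYN
    last_seen: float  # time of the last packet matched to this session


class StatefulTracker:
    def __init__(self, timeout: float = 120.0):  # 120 s is the NSX default named in the article
        self.timeout = timeout
        self.table: dict[tuple, Session] = {}

    def handle_syn(self, flow: tuple, seq: int, window: int, now: float) -> str:
        """flow = (src_ip, src_port, dst_ip, dst_port). Returns 'ALLOW' or 'DROP'."""
        s = self.table.get(flow)
        if s is not None and now - s.last_seen >= self.timeout:
            del self.table[flow]  # old session expired: forget its state
            s = None
        if s is None:
            self.table[flow] = Session(seq, window, now)
            return "ALLOW"  # first SYN on this 4-tuple creates state
        if in_window(seq, s.seq, s.window):
            s.last_seen = now
            return "ALLOW"  # retransmit or in-window SYN
        return "DROP"  # new ISN outside the old window: dropped


def demo(timeout: float) -> list[str]:
    """Replay one constructed packet sequence under the given session timeout:
    SYN at t=0, SYN retransmit at t=1, then the VM gives up and reopens the
    connection on the same ports with a fresh ISN at t=5."""
    flow = ("10.0.0.5", 40000, "10.0.0.9", 445)  # constructed addresses/ports
    fw = StatefulTracker(timeout)
    results = [fw.handle_syn(flow, seq=1000, window=65535, now=0.0)]
    results.append(fw.handle_syn(flow, seq=1000, window=65535, now=1.0))
    results.append(fw.handle_syn(flow, seq=3_000_000_000, window=65535, now=5.0))
    return results
```

With the 120 second default, `demo(120.0)` drops the reopened connection's SYN; with a timeout shorter than the gap between the retransmit and the reopen, `demo(3.0)` allows it because the stale state has already expired.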

Resolution

For NSX-T, upgrade to 3.1.0 or a later version.

Workaround:
Reduce the default TCP session timeout from 120 seconds.

Please refer to the administration guide for steps to create a new session timer profile.


Additional Information

Impact/Risks:
Certain customer applications may fail if TCP connections cannot be re-established within a few seconds. NetApp filers are one example. A TCP connection is used to connect to a NetApp filer. During a failover from an active to a standby NetApp filer, a new TCP connection cannot be established to the filer until the previous session's connection times out. This can cause data loss on the filer.