Multicast traffic drops after a few minutes due to multicast join blocked by NSX distributed/gateway firewall

Article ID: 370947

Products

VMware vDefend Firewall

Issue/Introduction

You have a multicast subscriber on NSX Overlay or VLAN backed segments.

There are distributed or gateway firewall rules to allow multicast traffic to the multicast subscriber.

After a short period of time the multicast traffic drops and is not seen on the destination VM.

Restarting the multicast traffic resolves the issue, but after a short period of time the traffic is again not seen on the destination VM.

Adding the multicast subscriber VMs to the DFW/Gateway firewall exclusion list resolves the issue.

An IGMP Querier is enabled on the router/switch.

The DVS and/or physical switch has IGMP Snooping enabled.

Cause

IGMP protocol packets are required for multicast forwarding to work. If the firewall drops them, the multicast forwarding entry cannot be built in the vSwitch, and the multicast traffic is dropped.

This issue is caused by the multicast join request from the destination VM being blocked by the distributed firewall. The IGMP join request is addressed to a multicast group address (for example 224.0.0.1), not to the multicast subscriber's own IP address, so it does not match the rule allowing traffic to the subscriber and instead hits a deny rule.

See below an example of join packets being dropped by the default deny rule, as logged on the ESXi host in /var/log/dfwpktlogs.log (PROTO 2 is IGMP). Note that logging must be enabled on the deny rule; for more information on DFW packet logging see the following documentation: https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-D57429A1-A0A9-42BE-A299-0C3C3546ABF3.html

2021-10-30T19:37:09.996Z fcf8b021 INET match DROP 2 IN 36 PROTO 2 0.0.0.0->224.0.0.1
2021-10-30T19:37:09.996Z 81bb092 INET match DROP 2 IN 36 PROTO 2 0.0.0.0->224.0.0.1
2021-10-30T19:37:09.996Z 5384811 INET match DROP 2 IN 36 PROTO 2 0.0.0.0->224.0.0.1

Note: The above log lines are for reference purposes only.
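As an added example (not part of this article or of the NSX product), the following Python script parses dfwpktlogs.log lines in the format shown above and reports dropped IGMP packets addressed to multicast groups, counted per rule ID, so an administrator can confirm that this issue is present and see which deny rule is responsible. The sample log is constructed: the first two lines mirror the article's example, while the OUT, UDP and TCP lines and the IP addresses in them are illustrative assumptions in the same layout.

```python
import ipaddress
import re

# Constructed sample in the /var/log/dfwpktlogs.log layout shown in the article.
# The first two lines mirror the article; the rest are illustrative (assumed) entries.
SAMPLE_LOG = """\
2021-10-30T19:37:09.996Z fcf8b021 INET match DROP 2 IN 36 PROTO 2 0.0.0.0->224.0.0.1
2021-10-30T19:37:09.996Z 81bb092 INET match DROP 2 IN 36 PROTO 2 0.0.0.0->224.0.0.1
2021-10-30T19:37:10.004Z 81bb092 INET match DROP 2 OUT 32 PROTO 2 10.1.1.5->239.1.1.1
2021-10-30T19:37:10.101Z 81bb092 INET match PASS 1012 IN 1400 UDP 10.1.1.5/5000->239.1.1.1/5000
2021-10-30T19:37:11.250Z 81bb092 INET match DROP 2 IN 60 TCP 10.1.1.9/44000->10.1.1.5/22 S
this line is not a packet log entry
"""

# Fields: timestamp, filter hash, address family, "match", action, rule id,
# direction, packet length, protocol, then "src->dst" (ports after "/" for TCP/UDP).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<filter>\S+)\s+INET6?\s+match\s+(?P<action>\w+)\s+(?P<rule>\d+)\s+"
    r"(?P<direction>IN|OUT)\s+(?P<length>\d+)\s+(?P<proto>PROTO\s+\d+|TCP|UDP|ICMP)\s+"
    r"(?P<src>\S+?)->(?P<dst>\S+)"
)

MULTICAST_RANGE = ipaddress.ip_network("224.0.0.0/4")  # 224.0.0.0 - 239.255.255.255


def parse_line(line):
    """Parse one dfwpktlogs.log entry into a dict, or return None for non-matching lines."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    entry = match.groupdict()
    proto = entry["proto"]
    # Protocols other than TCP/UDP/ICMP are logged as "PROTO <number>"; IP protocol 2 is IGMP.
    if proto.startswith("PROTO"):
        number = int(proto.split()[1])
        proto = "IGMP" if number == 2 else proto
    entry["proto"] = proto
    # Strip the "/port" suffix that TCP/UDP entries carry.
    entry["src_ip"] = entry["src"].split("/")[0]
    entry["dst_ip"] = entry["dst"].split("/")[0]
    return entry


def is_multicast(address):
    """True when the address falls inside 224.0.0.0/4."""
    try:
        return ipaddress.ip_address(address) in MULTICAST_RANGE
    except ValueError:
        return False


def find_blocked_igmp(log_text):
    """Return the entries where the firewall dropped IGMP addressed to a multicast group."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["action"] == "DROP" and entry["proto"] == "IGMP" and is_multicast(entry["dst_ip"]):
            hits.append(entry)
    return hits


def summarize(hits):
    """Count blocked IGMP packets per (rule id, destination group) to expose the deny rule."""
    counts = {}
    for entry in hits:
        key = (entry["rule"], entry["dst_ip"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    blocked = find_blocked_igmp(SAMPLE_LOG)
    if not blocked:
        print("No dropped IGMP packets to multicast groups found.")
    for (rule, group), count in sorted(summarize(blocked).items()):
        print(f"rule {rule}: {count} IGMP packet(s) to {group} dropped")
```

On a live host the same functions can be fed the contents of /var/log/dfwpktlogs.log; a non-empty result for a rule ID that is the default deny rule is the signature described in the Cause section, while multicast data (UDP to a 239.x.x.x group) being passed alongside dropped IGMP shows that the allow rule covers the payload but not the join.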

Resolution

Create a distributed firewall rule that allows the IGMP join traffic, that is, traffic to destination addresses in the multicast range 224.0.0.0 to 239.255.255.255.