Distributed Firewall (DFW) can potentially drop TCP packets with padding when TCP flows are processed by Host Switches with Enhanced Datapath (EDP) Configuration.
Article ID: 371522

Updated On:

Products

VMware vDefend Firewall
VMware NSX

Issue/Introduction

  • You are using stateful firewall rules in DFW.
  • You have configured the transport node's host switches in Enhanced Datapath mode.
  • You observe in packet captures that TCP packets are present in the Pre-DvFilter capture but are not present in the Post-DvFilter capture.
    • You may observe a TCP RESET packet present in the Pre-DvFilter capture but not in the Post-DvFilter capture, causing timeouts on applications.
  • You observe, while checking the VM filter stats with the command vsipioctl getfilterstats -f <filterID>, that the drop reason "seqno outside window" increments:

DROP REASON
-----------
state-insert:         21
strict no syn:        2
match drop rule rx packets: 1917762
match drop rule tx packets: 29231
state-mismatch:       256
  seqno outside window: 209            <<<<<<<<<<
  seqno gt maxack:      170

NOTE: The preceding log excerpts are only examples. Date, time and environmental variables may vary depending on your environment.

Environment

VMware NSX

VMware NSX-T Data Center

Cause

  • The TCP payload length must be derived from the IP total length rather than from the Ethernet frame length.
  • An Ethernet frame is padded when it is smaller than the minimum frame size.
  • Calculating the IP length from the Ethernet frame length is therefore inaccurate for padded frames.
  • When the Ethernet frame is padded, the TCP payload length is calculated incorrectly; the packet then fails the TCP state checks and is dropped.
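As an added illustration (not from this KB and not VMware code): a constructed padded Ethernet/IPv4/TCP frame shows how deriving the TCP payload length from the frame length counts the padding as data, while the IP total length gives the correct value. The seq_in_window check is a simplified stand-in for a stateful sequence-window check, an assumption here and not DFW's actual logic.

```python
import struct

def build_frame(payload: bytes, seq: int, min_len: int = 60) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame, padded with zeros to min_len (no FCS)."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"          # dst, src, EtherType IPv4
    ip_total_len = 20 + 20 + len(payload)                   # IP hdr + TCP hdr + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # data offset 5 (20-byte TCP header), PSH|ACK flags, checksum left at 0
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    frame = eth + ip + tcp + payload
    return frame.ljust(min_len, b"\x00")                    # minimum-size padding

def tcp_payload_len_from_frame(frame: bytes) -> int:
    """Wrong method: frame length minus headers; Ethernet padding is counted as data."""
    ihl = (frame[14] & 0x0F) * 4                            # IPv4 header length
    doff = (frame[14 + ihl + 12] >> 4) * 4                  # TCP data offset
    return len(frame) - 14 - ihl - doff

def tcp_payload_len_from_ip(frame: bytes) -> int:
    """Right method: IPv4 total length field, which never includes Ethernet padding."""
    ihl = (frame[14] & 0x0F) * 4
    ip_total_len = struct.unpack("!H", frame[16:18])[0]
    doff = (frame[14 + ihl + 12] >> 4) * 4
    return ip_total_len - ihl - doff

def seq_in_window(seq: int, payload_len: int, win_start: int, win_end: int) -> bool:
    """Simplified stateful check (assumption, not DFW's exact algorithm):
    the segment's data [seq, seq + payload_len) must fit inside the tracked window."""
    return win_start <= seq and seq + payload_len <= win_end

if __name__ == "__main__":
    frame = build_frame(b"OK", seq=1000)                    # 56 bytes, padded to 60
    bad = tcp_payload_len_from_frame(frame)                 # 6: four padding bytes counted
    good = tcp_payload_len_from_ip(frame)                   # 2: the real payload
    # A window with only 4 bytes of room accepts the real segment but not the
    # inflated one, which is the "seqno outside window" drop seen in the KB.
    print(bad, good, seq_in_window(1000, good, 1000, 1004), seq_in_window(1000, bad, 1000, 1004))
```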

Resolution

This issue is resolved in VMware NSX 4.2.1.1, available at Broadcom downloads.

If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.

Workaround: