DFW rules are not applied after vMotion on an NSX security-only install
Article ID: 373356

Products

VMware vSphere ESXi
VMware vSphere ESXi 7.0

Issue/Introduction

Communications might be dropped by the DFW because IP bindings are missing after a vMotion.

IP addresses discovered by VMware Tools are retained across the vMotion, so communication using those IP addresses is not affected.

The problem can be validated from the ESXi vmkernel logs by checking whether the switch security restore function was called for the migrated VM's port.

Working case: the restore function is called, and two messages appear for the port:

2024-01-04T14:02:59.646Z In(182) vmkernel: cpu1:1000286072)swsec: SwSecVmotionRestore:146: [nsx@6876 comp="nsx-esx" subcomp="swsec-23058814"]SwSec Restoring VMotion data, Port: 0x6000028
2024-01-04T14:02:59.646Z In(182) vmkernel: cpu1:1000286072)SwSecMigrationRestoreTlv:1609:[nsx@6876 comp="nsx-esx" subcomp="swsec-23058814"]SwSec migration restore for Port: 0x6000028, bufLen: 406, elapsedMS: 2809, version: TLV

Non-working case: the restore function is not called, so the grep returns nothing:

log$ less vmkernel.log | grep -i SwSecVmotionRestore

log$
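The check above, written as a small POSIX shell script so it can be repeated per port after each vMotion rather than eyeballed. This is an added example, not part of the KB article or of any VMware tool: the log lines are constructed samples modelled on the two working-case messages quoted above, the temporary log file and the function names (swsec_restore_seen, swsec_report, swsec_restore_detail) are assumptions, and port 0x6000031 is a hypothetical port ID that never received a restore message.

```shell
#!/bin/sh
# Added example (not from the KB): detect whether the SwSec vMotion restore
# ran for a given switch port by scanning a vmkernel log.

# Constructed sample log: port 0x6000028 was restored; no other port appears.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2024-01-04T14:02:59.646Z In(182) vmkernel: cpu1:1000286072)swsec: SwSecVmotionRestore:146: [nsx@6876 comp="nsx-esx" subcomp="swsec-23058814"]SwSec Restoring VMotion data, Port: 0x6000028
2024-01-04T14:02:59.646Z In(182) vmkernel: cpu1:1000286072)SwSecMigrationRestoreTlv:1609:[nsx@6876 comp="nsx-esx" subcomp="swsec-23058814"]SwSec migration restore for Port: 0x6000028, bufLen: 406, elapsedMS: 2809, version: TLV
EOF

# swsec_restore_seen LOGFILE PORT
# Exit 0 when a SwSecVmotionRestore message exists for PORT, 1 otherwise.
# Case-insensitive on the function name, exact on the port ID.
swsec_restore_seen() {
    grep -i 'SwSecVmotionRestore' "$1" | grep -q "Port: $2"
}

# swsec_report LOGFILE PORT
# Prints "restored" when the restore ran, "MISSING" when it did not
# (the MISSING case is the symptom described in this article).
swsec_report() {
    if swsec_restore_seen "$1" "$2"; then
        echo "restored"
    else
        echo "MISSING"
    fi
}

# swsec_restore_detail LOGFILE PORT
# Pulls bufLen and elapsedMS out of the matching SwSecMigrationRestoreTlv
# line, e.g. "bufLen=406 elapsedMS=2809"; prints nothing if absent.
swsec_restore_detail() {
    grep 'SwSecMigrationRestoreTlv' "$1" | grep "Port: $2," \
      | sed -n 's/.*bufLen: \([0-9]*\), elapsedMS: \([0-9]*\).*/bufLen=\1 elapsedMS=\2/p'
}

# Stand-alone run: one restored port, one hypothetical port with no restore.
echo "0x6000028: $(swsec_report "$SAMPLE_LOG" 0x6000028) $(swsec_restore_detail "$SAMPLE_LOG" 0x6000028)"
echo "0x6000031: $(swsec_report "$SAMPLE_LOG" 0x6000031)"
```

On a real host point the functions at /var/log/vmkernel.log and pass the port ID of the VM that just migrated; a MISSING result for a VM whose connectivity dropped after vMotion matches the non-working case, while a restored result means the filter state arrived and the cause lies elsewhere.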

Environment

NSX-T security-only deployment

ESXi versions prior to 7.0 Update 3q are impacted

Cause

After an NSX Distributed Security installation, vSphere vMotion might not restore the switch security filter on the destination ESXi host. IP addresses discovered by ARP/ND/DHCP snooping are therefore not restored after vMotion, and communications might be dropped by the DFW because the IP bindings are missing.

Resolution

This issue is resolved in VMware ESXi 7.0 Update 3q | Build 23794027.

Workaround:

vMotioning the impacted VM to a different ESXi host recovers connectivity, because its IP address is discovered again on the new host.