ESXi Host experiencing PSOD on nsxt-vsip module with "pf_fqdn_domain_uuid_add : empty key"

Products

  • VMware vDefend Firewall
  • VMware vDefend Firewall with Advanced Threat Prevention
  • VMware NSX

Issue/Introduction

Issue:

  • Environment is on NSX 4.2.0
  • Security Intelligence deployed and/or stateful L7 DFW rules are configured.
  • ESXi hosts may experience PSOD:
Error: pf_fqdn_domain_uuid_add : empty key

Module(s) involved in panic [nsxt--vsip-24105819-version 1.0.0-0 RELEASEBuild-241058191

Environment

NSX 4.2.0

Cause

When Security Intelligence is deployed and/or stateful L7 DFW rules are configured, packets are sent to the vDPI engine for further inspection. In 4.2.0, if the vDPI engine receives a DNS response whose domain name is an empty string, it does not handle that case correctly and crashes, which surfaces as the "pf_fqdn_domain_uuid_add : empty key" PSOD.
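To illustrate the failure mode (an empty DNS name reaching a keyed FQDN table), the following is an added example and not NSX or vDPI code: a small DNS name decoder that returns "" for the root name, and an FQDN-to-domain-id insert that rejects the empty key instead of treating it as fatal. The message builder, table layout, and the "dom-1" identifier are constructed for the example.

```python
import struct
from typing import Optional, Tuple

def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a DNS name at msg[offset], following RFC 1035 compression pointers.
    Returns (name, offset after the name); the root name (one zero byte) decodes to ""."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        offset += 1
        if length == 0:                            # root label ends the name
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length

def fqdn_domain_uuid_add(table: dict, fqdn: str, domain_id: str) -> bool:
    """Record fqdn -> domain id. An empty key is refused with False so the
    caller can skip the packet rather than hitting a fatal 'empty key' path."""
    if not fqdn:
        return False
    table.setdefault(fqdn, set()).add(domain_id)
    return True

def handle_dns_response(msg: bytes, table: dict, domain_id: str) -> Optional[str]:
    """Parse the first question name of a DNS response and record it.
    Returns the recorded name, or None when the packet was skipped."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if not flags & 0x8000 or qdcount == 0:         # not a response / no question
        return None
    name, _ = read_name(msg, 12)
    return name if fqdn_domain_uuid_add(table, name, domain_id) else None

def build_response(qname: str) -> bytes:
    """Constructed sample: minimal DNS response with one question (type A, class IN)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)
    wire = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".") if l)
    return header + wire + b"\x00" + struct.pack("!HH", 1, 1)
```

Calling build_response("") produces a response whose question name is the bare root label, the input class the Cause section describes; handle_dns_response skips it and leaves the table untouched.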

Resolution

Permanent Fix:

The issue is resolved in NSX 4.2.0.1 Express Patch and later releases.

Temporary Workaround:

Add stateless L4 DNS rules to prevent DNS traffic from reaching the vDPI engine and causing the crashes.

Important: Ensure no other policies / rules are configured above the L4 DNS stateless rules.

Please note that L7 FQDN filtering rules will no longer function after implementing this workaround.

Navigate to Security > Distributed Firewall and add a new Policy along with two DNS rules (one for each direction) under the Emergency category.

To make the policy stateless, click the settings button next to the policy and switch "Stateful" to No.

Publish the changes.