Network connectivity issue after upgrade to VMware NSX 4.X when Gateway Firewall and NAT are in use

Article ID: 376943


Products

VMware NSX

Issue/Introduction

  • VMware NSX 4.X Networking and Security is in use.
  • After an upgrade from NSX-T 3.X to NSX 4.X, connectivity is lost from the T0 or T1 router.
  • Gateway Firewall and NAT are in use on the impacted T0 or T1.
  • The environment's upgrade history includes NSX-T 3.1.X.
  • The configuration of the default gateway firewall policy in the UI shows that the policy is Stateless.


Environment

  • VMware NSX-T Data Center 3.X
  • VMware NSX 4.X
  • vDefend Firewall

Cause

This is a known issue impacting VMware NSX 4.X environments where the upgrade path included NSX-T 3.1.X.

In NSX-T 3.1.X there is a discrepancy between the Policy and Manager views of the stateless/stateful state of the default firewall rules section for a gateway firewall. While Policy mode shows the default gateway firewall policy as Stateless, the Manager section shows the section as Stateful. The rules on the T0/T1 firewall interface reflect the Stateful state, as per the Manager view.

After the upgrade, this discrepancy is rectified and the Manager section is changed to reflect the Policy setting. The rules on the edge node now operate in a Stateless manner.

This change from Stateful to Stateless can lead to connectivity issues when NAT is in use.

Resolution

There are two workarounds for this issue:

1: As per the administration guide (https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-2/administration-guide/network-address-translation/nat-and-gateway-firewall.html), when a Stateless policy is in use, a NO-SNAT rule for the advertised route addresses is required. Add the appropriate NO-SNAT rules.

Note: This is required on any T0 and/or T1 where gateway firewall and NAT are in use.

2: Create a new Stateful policy above the default policy, matching the default policy rules.
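
One way to find gateways that match the affected configuration, and to see which workaround (if any) is already in place, is to correlate exported gateway firewall policies with NAT rules per T0/T1. The script below is an added example, not part of the original article or any VMware tooling. The field names (`stateful`, `sequence_number`, rule `scope`, NAT `action`), the `audit` function and the status strings are assumptions modelled on NSX Policy API objects, and all sample data is constructed.

```python
import json
from collections import defaultdict

# Constructed sample export. Field names ("stateful", "sequence_number",
# rule "scope", NAT "action") are assumptions modelled on NSX Policy API objects.
GATEWAY_POLICIES = json.loads("""[
  {"id": "default-gw-policy", "stateful": false, "sequence_number": 100,
   "rules": [{"id": "r1", "scope": ["/infra/tier-1s/t1-a"]},
             {"id": "r2", "scope": ["/infra/tier-1s/t1-b"]},
             {"id": "r3", "scope": ["/infra/tier-0s/t0-x"]}]},
  {"id": "stateful-copy", "stateful": true, "sequence_number": 10,
   "rules": [{"id": "r4", "scope": ["/infra/tier-0s/t0-x"]}]}
]""")
NAT_RULES = {  # constructed: NAT rules keyed by gateway path
    "/infra/tier-1s/t1-a": [{"id": "n1", "action": "SNAT"}],
    "/infra/tier-1s/t1-b": [{"id": "n2", "action": "SNAT"},
                            {"id": "n3", "action": "NO_SNAT"}],
    "/infra/tier-0s/t0-x": [{"id": "n4", "action": "DNAT"}],
}

def audit(policies, nat_rules):
    """Classify each gateway that has NAT rules and a stateless firewall policy."""
    by_gw = defaultdict(set)
    for pol in policies:
        for rule in pol.get("rules", []):
            for gw in rule.get("scope", []):
                by_gw[gw].add((pol["sequence_number"], pol["stateful"], pol["id"]))
    findings = {}
    for gw, nat in nat_rules.items():
        # Assumption: the policy with the lowest sequence number is evaluated first.
        pols = sorted(by_gw.get(gw, ()))
        if not nat or not pols or all(stateful for _, stateful, _ in pols):
            continue  # no NAT, no policy data, or nothing stateless: not this issue
        if pols[0][1]:
            findings[gw] = "STATEFUL_POLICY_FIRST"  # workaround 2 shape; compare rules by hand
        elif any(r["action"] == "NO_SNAT" for r in nat):
            findings[gw] = "NO_SNAT_PRESENT"  # workaround 1 shape; confirm advertised routes are covered
        else:
            findings[gw] = "STATELESS_WITH_NAT"  # matches the affected configuration
    return findings

if __name__ == "__main__":
    for gw, status in sorted(audit(GATEWAY_POLICIES, NAT_RULES).items()):
        print(f"{gw}: {status}")
```

The script only reports the shape of the configuration; whether the NO-SNAT rules cover the advertised route addresses, or the Stateful policy matches the default policy rules, still has to be confirmed against the gateway itself.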