• The impacted VMs are on an NSX Overlay Segment 
• The issue is intermittent and East-West communication is impacted
• Promiscuous mode is used to direct the BUM traffic into the Edge vNic 
• Packet captures suggest that the Geneve encapsulated packets are forwarded to the L2 Bridge Edge TEP instead of destination ESXi TEP

VMware NSX

For bridging to work properly, frames that are destined for VM MAC addresses that are not directly attached to the VSS/VDS must be delivered to the Edge Bridge VM. The "ReversePathFwdCheckPromisc" setting is a critical parameter that controls how packets are processed in promiscuous mode. If this setting is misconfigured or if promiscuous mode is not enabled on the necessary interfaces, it can result in dropped packets or intermittent broken connectivity between virtual machines on the segment. 

There are multiple options to configure L2 Bridging in a NSX-T Environment (refer to additional information below) - For EDGE VM on a VDS Portgroup , we need to follow the below steps. 

• Set promiscuous mode on the portgroup
• Allow forged transmit on the portgroup 
• Run the following command to enable reverse filter on the ESXi host where the EDGE Bridge VM is running "esxcli system settings advanced set -o /Net/ReversePathFwdCheckPromisc -i 1" 
• Then disable and enable promiscuous mode on the portgroup 

NOTE : Make sure  "/Net/ReversePathFwdCheckPromisc"  is set on every ESXi hosts where the EDGE Bridge VM may reside. If the EDGE Bridge VM migrates to a Host where "/Net/ReversePathFwdCheckPromisc" is NOT set, then the bridging may drop packets or break connectivity intermittently 

Configure an Edge VM for Bridging in Manager Mode

Duplicate Multicast or Broadcast Packets are Received by a Virtual Machine

How promiscuous mode works at the virtual switch and portgroup levels