Datapath impact is observed when Service Insertion is enabled on NSX

Article ID: 380264

Updated On:

Products

VMware vDefend Firewall

Issue/Introduction

Issue: An application fails to load or communicate when NSX traffic is forwarded to the vendor SVM with SI redirection enabled (for example, IPS).

Confirm that the application loads as expected when EW-SI is disabled.
Once redirection is enabled, however, the application breaks: it fails to load or does not work as expected.
 
Symptoms:
Ping works between the source and the destination, but the actual application data has issues when the traffic is redirected.
 
One possible reason is an MTU mismatch on the SVM:
  • Verify the SI configuration.
  • Check the MTU value set on the vendor SVM interface that communicates with the Host TEP.

 

Environment

NSX Datacenter

Cause

One possibility is that the MTU on the vendor's VM (SVM) does not meet the NSX requirements.

https://docs.vmware.com/en/VMware-NSX/4.1/installation/GUID-19C1973E-8D20-4302-B3CC-CD610F79D5F6.html

Resolution

Reconfigure the MTU settings on the vendor's SVM so that they meet the MTU required for proper communication with the Host TEP.
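
One way to confirm the symptom and verify the fix, as an added example that is not part of the original article or any VMware or vendor tooling: a default ping carries a small payload and succeeds even when the MTU is too low, so the script sends don't-fragment echoes of varying size and reports the largest IP packet that gets through. It assumes Linux iputils `ping` on the machine where it runs; the function names are hypothetical, and the required MTU is an argument to be taken from the NSX installation guide linked above.

```shell
# Added example: measure the largest unfragmented IP packet that reaches a peer.
# Assumption: Linux iputils ping (-M do sets the don't-fragment bit).

# Send one DF-bit echo with the given ICMP payload size.
# Exit status 0 means the packet fit through every hop.
probe() {  # probe <peer> <payload_bytes>
    ping -M do -c 1 -W 1 -s "$2" "$1" >/dev/null 2>&1
}

# Binary-search the largest IP packet size that passes.
# IP packet size = ICMP payload + 20 (IPv4 header) + 8 (ICMP header).
# Prints 0 when even the smallest probe fails (peer unreachable or filtered).
path_mtu() {  # path_mtu <peer> [low] [high]
    local peer=$1 lo=${2:-576} hi=${3:-9000} mid
    probe "$peer" $((lo - 28)) || { echo 0; return 0; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$peer" $((mid - 28)); then
            lo=$mid          # mid fits: the answer is mid or larger
        else
            hi=$((mid - 1))  # mid is dropped: the answer is smaller
        fi
    done
    echo "$lo"
}

# Compare the measured value with the MTU the deployment requires.
check_mtu() {  # check_mtu <peer> <required_mtu>
    local got
    got=$(path_mtu "$1")
    if [ "$got" -eq 0 ]; then
        echo "UNREACHABLE"
    elif [ "$got" -ge "$2" ]; then
        echo "OK $got"
    else
        echo "TOO_SMALL $got"
    fi
}

# Usage (placeholders, not values from the article):
#   check_mtu <HOST_TEP_IP> <REQUIRED_MTU>
```

A `TOO_SMALL` result alongside a working default ping matches the symptom described above: small packets pass while full-size application packets are dropped.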