In rare cases, after an upgrade, DFW rules can be applied to an Edge node even though it is included in the exclusion list, causing network traffic to be dropped.
NSX-T 3.x
NSX 4.x
vDefend Firewall
NOTE:
com.vmware.port.extraConfig.security.enable = true , propType = CONFIG
com.vmware.port.extraConfig.opaqueNetwork.id = xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx , propType = CONFIG
com.vmware.port.extraConfig.logicalPort.id = xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx , propType = CONFIG
com.vmware.port.extraConfig.vnic.external.id = xxxxxxxxx-xxxx , propType = CONFIG
Please gather ESXi and NSX Manager logs before proceeding, and open a case with Support to help with root cause determination.
net-dvs -u "com.vmware.port.extraConfig.security.enable" -p <port number> <dvs name>
net-dvs -u "com.vmware.port.extraConfig.opaqueNetwork.id" -p <port number> <dvs name>
net-dvs -u "com.vmware.port.extraConfig.logicalPort.id" -p <port number> <dvs name>
net-dvs -u "com.vmware.port.extraConfig.vnic.external.id" -p <port number> <dvs name>
Where:
<port number> <--- see above for how to find the port number
<dvs name> <--- find this value in the first line of the 'net-dvs -l' output