IDS/IPS/L7 DFW (Distributed Firewall) does not process any packets because no VDPI channel is created

Article ID: 380656

Updated On:

Products

VMware NSX, VMware vDefend Firewall

Issue/Introduction

IDS, IPS, or L7 DFW does not process any packets. IDS, IPS, and L7 DFW can only process packets on a host whose VDPI channels are up and running; without a VDPI channel, no traffic reaches the deep packet inspection engine.

To verify whether a host is affected, ssh to the ESXi host as root.

1. Run "vsipioctl getdpiinfo -s" to check the dvfilteruser stats. On an affected ESXi host, either the command produces no output at all, or the vdpi_in, vdpi_out, ids_in, and ids_out counters stay at their current values and do not increment over time (run the command twice a few seconds apart to compare).

=== dvfilteruser stats ===
bitmap_set: 0
libdvfuser_in: 0
libdvfuser_out: 0
vdpi_in: 0
vdpi_out: 0
ids_in: 0
ids_out: 0

Alternatively, run "vsish -e ls /net/dvFilter/slowpaths" to check whether any VDPI channels exist on the ESXi host. If there are no VDPI channels on the host, the command returns to the prompt without printing anything.

2. To confirm whether the channel can be created at all, log in to the ESXi host as root via ssh, restart the VDPI process with "/etc/init.d/nsx-vdpi restart", and then examine /var/run/log/vmkernel.log. If messages like the following appear in the log after the restart, the host is unable to bring up the VDPI channel:

dvfilterUser DU_AllocMPNs:44: Unable to create MPN mem pool Out of memory
dvfilterUser DU_CreateShm:121: Failed to allocate MPNs from shared memory mempool num_pages 2048
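The checks in steps 1 and 2 can be scripted so that the counter comparison and the log search are done consistently on every host. The script below is an added example, not part of this article and not a VMware tool. It assumes the commands and the log path the article names (vsipioctl, vsish, /etc/init.d/nsx-vdpi, /var/run/log/vmkernel.log) are present on the ESXi host; the "name: value" parsing of the stats output, the 10-second sampling interval, and the sample snapshots embedded for offline use are this example's own assumptions and constructed data, not output captured from a host.

```shell
#!/bin/sh
# Added example (not from the KB article): detect the "no VDPI channel" condition
# on an ESXi host. Run with --live on the host; without arguments it only defines
# the functions and loads constructed sample data so it can be exercised offline.

# Print the value of one counter from "vsipioctl getdpiinfo -s" output read on stdin.
# Assumes the "name: value" line format shown in the article.
counter_value() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Compare two stats snapshots taken a few seconds apart.
# Prints "no_output" (command printed nothing), "stuck" (none of the four
# VDPI/IDS counters moved) or "ok" (at least one counter incremented).
vdpi_verdict() {
    first="$1"
    second="$2"
    if [ -z "$first" ]; then
        echo no_output
        return 0
    fi
    moving=0
    for c in vdpi_in vdpi_out ids_in ids_out; do
        a=$(printf '%s\n' "$first" | counter_value "$c")
        b=$(printf '%s\n' "$second" | counter_value "$c")
        if [ "${b:-0}" -gt "${a:-0}" ]; then
            moving=1
        fi
    done
    if [ "$moving" -eq 1 ]; then
        echo ok
    else
        echo stuck
    fi
    return 0
}

# True when the log file given as $1 carries the MPN mem pool allocation
# failure quoted in the article (the signature of a failed VDPI channel setup).
has_mpn_failure() {
    grep -q 'DU_AllocMPNs.*Unable to create MPN mem pool' "$1"
}

# Live check: only meaningful on an ESXi host where the NSX tools exist.
live_check() {
    s1=$(vsipioctl getdpiinfo -s 2>/dev/null)
    sleep 10   # sampling interval is an arbitrary choice of this example
    s2=$(vsipioctl getdpiinfo -s 2>/dev/null)
    echo "counters: $(vdpi_verdict "$s1" "$s2")"
    if [ -z "$(vsish -e ls /net/dvFilter/slowpaths 2>/dev/null)" ]; then
        echo "slowpaths: no VDPI channel present"
    else
        echo "slowpaths: VDPI channel(s) present"
    fi
    if has_mpn_failure /var/run/log/vmkernel.log; then
        echo "vmkernel.log: MPN mem pool allocation failure found (host needs vMotion + reboot)"
    else
        echo "vmkernel.log: no MPN allocation failure logged"
    fi
}

# Constructed sample snapshots for offline use (not captured from a real host).
SAMPLE_STUCK='=== dvfilteruser stats ===
bitmap_set: 0
libdvfuser_in: 0
libdvfuser_out: 0
vdpi_in: 0
vdpi_out: 0
ids_in: 0
ids_out: 0'
SAMPLE_OK_1='=== dvfilteruser stats ===
vdpi_in: 100
vdpi_out: 90
ids_in: 50
ids_out: 48'
SAMPLE_OK_2='=== dvfilteruser stats ===
vdpi_in: 250
vdpi_out: 240
ids_in: 120
ids_out: 118'

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

On a healthy host "counters: ok" and "slowpaths: VDPI channel(s) present" are expected; "stuck" or "no_output" together with an empty slowpaths listing matches the condition this article describes, and the log search then distinguishes the memory allocation failure from other reasons the channel might be missing.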

Environment

VMware NSX. IDS, IPS, or L7 DFW is configured.

Cause

Because of memory fragmentation, the largest contiguous free memory block on the host may be smaller than 2M. If the VDPI process restarts for any reason while DVFilter cannot allocate a block of that size for the shared memory pool, VDPI channel creation fails and the errors above are logged.


Resolution

vMotion all VMs away from the host and reboot the host.