IDS, IPS, or L7 DFW does not process any packets. IDS, IPS and L7 DFW packet processing requires the host to have VDPI channels up and running.
To verify whether a host is affected, ssh to the ESXi host as root.
1. Run "vsipioctl getdpiinfo -s" to check the dvfilteruser stats. On an affected ESXi host, either the command produces no output at all, or the vdpi_in, vdpi_out, ids_in and ids_out counters stop incrementing.
=== dvfilteruser stats ===
bitmap_set: 0
libdvfuser_in: 0
libdvfuser_out: 0
vdpi_in: 0
vdpi_out: 0
ids_in: 0
ids_out: 0
Alternatively, run "vsish -e ls /net/dvFilter/slowpaths" to check whether any VDPI channels exist on the ESXi host. If the host has no VDPI channels, the command returns to the prompt without printing any output.
2. To further confirm whether the channel is being created, restart the VDPI process with "/etc/init.d/nsx-vdpi restart" (logged in to the ESXi host as root over ssh) and examine /var/run/log/vmkernel.log. If messages like the following are present in the log, the host is unable to bring up the VDPI channel:
dvfilterUser DU_AllocMPNs:44: Unable to create MPN mem pool Out of memory
dvfilterUser DU_CreateShm:121: Failed to allocate MPNs from shared memory mempool num_pages 2048
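The two verification steps above can be scripted so that the counter comparison, the slowpath listing and the vmkernel.log check are applied consistently across hosts. The following is an added example, not part of the original article or of any VMware tooling: the ESXi commands it invokes are the ones named above, while the helper function names, the parsing logic and the sample stats and log text are this example's own constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the article): applies the VDPI channel checks from
# steps 1 and 2. Helper names and sample data are constructed for this example.

# Extract one counter from "vsipioctl getdpiinfo -s" output.
# Prints the value, or "missing" when the line is absent (e.g. the command
# produced no output at all, which is itself a failure signature).
get_counter() {
    printf '%s\n' "$1" | awk -v key="$2:" \
        '$1 == key { print $2; found = 1 } END { if (!found) print "missing" }'
}

# Compare two samples of the same counter taken some seconds apart:
# "ok" if it incremented, "stalled" if not, "missing" if it was absent.
counter_state() {
    before=$1; after=$2
    if [ "$before" = "missing" ] || [ "$after" = "missing" ]; then
        echo missing
    elif [ "$after" -gt "$before" ]; then
        echo ok
    else
        echo stalled
    fi
}

# Count non-empty lines in "vsish -e ls /net/dvFilter/slowpaths" output.
# Zero lines means no VDPI channels exist on the host.
channel_count() {
    printf '%s' "$1" | grep -c . || true
}

# Count vmkernel.log lines carrying the MPN / shared-memory allocation failures
# quoted in step 2. Zero means the failure was not seen.
mpn_failures() {
    printf '%s\n' "$1" | grep -c -E \
        'DU_AllocMPNs:.*Unable to create MPN mem pool|DU_CreateShm:.*Failed to allocate MPNs' || true
}

# Combine the checks into one verdict:
#   confirmed - the allocation failure is in vmkernel.log
#   suspect   - counters stalled/missing or no slowpath channels, log silent
#   healthy   - counters incrementing and at least one channel present
check_host() {
    stats0=$1; stats1=$2; slowpaths=$3; log=$4
    verdict=healthy
    for c in vdpi_in vdpi_out ids_in ids_out; do
        st=$(counter_state "$(get_counter "$stats0" "$c")" "$(get_counter "$stats1" "$c")")
        [ "$st" = ok ] || verdict=suspect
    done
    [ "$(channel_count "$slowpaths")" -gt 0 ] || verdict=suspect
    [ "$(mpn_failures "$log")" -eq 0 ] || verdict=confirmed
    echo "$verdict"
}

# Constructed sample data standing in for live command output. The counter
# names are those shown in the article; the values are made up.
SAMPLE_STATS_T0='=== dvfilteruser stats ===
bitmap_set: 0
libdvfuser_in: 0
libdvfuser_out: 0
vdpi_in: 0
vdpi_out: 0
ids_in: 0
ids_out: 0'
SAMPLE_STATS_T1=$SAMPLE_STATS_T0   # second sample: nothing incremented
SAMPLE_LOG='dvfilterUser DU_AllocMPNs:44: Unable to create MPN mem pool Out of memory
dvfilterUser DU_CreateShm:121: Failed to allocate MPNs from shared memory mempool num_pages 2048'

# On a real ESXi host (root ssh session) feed the functions live data; elsewhere
# run them over the constructed samples.
if command -v vsipioctl >/dev/null 2>&1; then
    s0=$(vsipioctl getdpiinfo -s); sleep 10; s1=$(vsipioctl getdpiinfo -s)
    sp=$(vsish -e ls /net/dvFilter/slowpaths)
    lg=$(grep dvfilterUser /var/run/log/vmkernel.log || true)
    echo "live host verdict: $(check_host "$s0" "$s1" "$sp" "$lg")"
else
    echo "sample verdict: $(check_host "$SAMPLE_STATS_T0" "$SAMPLE_STATS_T1" "" "$SAMPLE_LOG")"
fi
```

The 10 second gap between the two stats samples is arbitrary; on a host carrying real IDS/IPS traffic any interval long enough for a few packets to pass is sufficient, and a stalled counter over that interval is the signature described in step 1. The log check is kept separate from the counter check so that an old allocation failure in the log does not by itself mask a host whose channels have since come back.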
This applies to VMware NSX where IDS, IPS, or L7 DFW is configured.
The cause is memory fragmentation: the largest contiguous memory block available may be smaller than 2M. If the VDPI process restarts for any reason and DVFilter is unable to allocate the memory it needs, VDPI channel creation fails.
To resolve the issue, vMotion all VMs away from the host and reboot the host.