Firewall rule does not work as expected: IP address(es) may not populate correctly in an NSGroup used in a rule definition when a vNic is configured with multiple IP addresses.

Article ID: 383756

Updated On:

Products

VMware NSX, VMware vDefend Firewall

Issue/Introduction

  • If a VM has multiple IP addresses configured on a single vNic, and an inventory group used by a firewall rule is defined with membership criteria such as the VM name, the group may not realize all of the vNic's IP addresses. Traffic to or from the missing address(es) then falls through to a default "DROP" rule.
  • The default "DROP" rule therefore takes precedence over the intended "ALLOW" rule that was meant to permit the traffic through the group.

Environment

NSX-T Data Center 3.X

NSX 4.X

Cause

  • When TOFU (Trust On First Use) is disabled and ARP suppression is enabled, the host running the VM may report the addition and removal of the same ARP-snooped IP address with different timestamps.
  • If the add, remove, and re-add events for that IP are processed in a single CCP (Central Control Plane) batch, the removal is lost and the IP remains in the control plane as a stale entry.
  • Because the stale entry is still bound to the original port, the same IP is not recognized when it is later learned on a different port.

Resolution

This is a known issue impacting VMware NSX.

Workaround:

There are two workarounds; either one resolves the issue:

1. Manually add the missed IP(s) to the inventory group (recommended).
2. Restart the NSX controller (CCP) service on all NSX nodes.

  • Log in to each NSX node as root and run the command below, one node at a time, waiting for the service to come back before moving to the next node:

    /etc/init.d/nsx-ccp restart
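The following is an added example for workaround 1; it is not part of this KB article and not VMware/Broadcom code. It shows how to check which of a vNic's configured IPs are absent from a Policy group's realized membership and how to build the PATCH body that adds them as a static IPAddressExpression without disturbing the group's existing VM-name Condition. The group JSON, the realized member list and the vNic IPs are constructed sample data; they mirror the shape of the real Policy API responses from GET /policy/api/v1/infra/domains/default/groups/<group-id> and GET /policy/api/v1/infra/domains/default/groups/<group-id>/members/ip-addresses, but the group id and addresses are made up. The script runs offline; sending the resulting body with PATCH to the group's path is left to the operator's normal API client.

```python
"""Added example (not part of the KB article): find the IPs of a multi-IP vNic
that an NSX Policy group failed to realize, and build the PATCH body that adds
them as static IPAddressExpression members.

Assumptions: SAMPLE_GROUP, SAMPLE_REALIZED_IPS and VNIC_IPS are constructed
sample data.  The JSON shapes follow the NSX Policy API (Group.expression with
Condition / ConjunctionOperator / IPAddressExpression entries), but the group
id and all addresses are invented for illustration.
"""
import copy
import ipaddress
import json

# Constructed sample: a group that matches VMs by name, as in the KB scenario.
SAMPLE_GROUP = {
    "resource_type": "Group",
    "id": "web-servers",
    "path": "/infra/domains/default/groups/web-servers",
    "expression": [
        {
            "resource_type": "Condition",
            "member_type": "VirtualMachine",
            "key": "Name",
            "operator": "STARTSWITH",
            "value": "web-",
        }
    ],
}

# Constructed sample: what .../members/ip-addresses reports for the group.
SAMPLE_REALIZED_IPS = ["10.10.0.11"]

# Constructed sample: every IP configured on the VM's single vNic.
VNIC_IPS = ["10.10.0.11", "10.10.0.12", "10.10.0.13"]


def _ipkey(addr):
    """Sort key that keeps IPv4 and IPv6 addresses comparable."""
    ip = ipaddress.ip_address(addr)
    return (ip.version, ip)


def missing_ips(configured, realized):
    """Return the configured vNic IPs that the realized membership lacks.

    Every entry is parsed with ipaddress so a malformed address fails loudly
    instead of silently never matching."""
    have = {ipaddress.ip_address(a) for a in realized}
    gap = {str(ipaddress.ip_address(a)) for a in configured
           if ipaddress.ip_address(a) not in have}
    return sorted(gap, key=_ipkey)


def add_static_ips(group, ips):
    """Return a PATCH body that adds `ips` to the group as static members.

    A Policy group expression is a flat list in which criteria must be
    separated by a ConjunctionOperator.  If the group already carries an
    IPAddressExpression the IPs are merged into it; otherwise a new one is
    appended, OR-ed with the existing criteria so the VM-name Condition keeps
    matching the VM's other addresses."""
    body = {"expression": copy.deepcopy(group.get("expression", []))}
    for expr in body["expression"]:
        if expr.get("resource_type") == "IPAddressExpression":
            merged = set(expr.get("ip_addresses", [])) | set(ips)
            expr["ip_addresses"] = sorted(merged, key=_ipkey)
            return body
    if body["expression"]:
        body["expression"].append(
            {"resource_type": "ConjunctionOperator", "conjunction_operator": "OR"}
        )
    body["expression"].append(
        {"resource_type": "IPAddressExpression",
         "ip_addresses": sorted(ips, key=_ipkey)}
    )
    return body


def patch_body_for(group, configured, realized):
    """Combine both steps; returns None when the group already has every IP."""
    gap = missing_ips(configured, realized)
    return add_static_ips(group, gap) if gap else None


if __name__ == "__main__":
    body = patch_body_for(SAMPLE_GROUP, VNIC_IPS, SAMPLE_REALIZED_IPS)
    # The operator sends this body with PATCH to /policy/api/v1<group path>.
    print("PATCH /policy/api/v1" + SAMPLE_GROUP["path"])
    print(json.dumps(body, indent=2))
```

Re-run the membership check after the PATCH (and again after the next upgrade) to confirm the realized list now contains all of the vNic's addresses; the static IPAddressExpression can be removed once the fix that restores ARP-snooped discovery is in place.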