Symptoms:
If a VM has multiple IP addresses configured on a single vNIC, and a firewall rule uses an inventory group whose membership is defined by criteria such as the VM name, traffic to or from one of those IP addresses may be dropped by the default "DROP" rule. The group's effective membership misses that IP, so the "ALLOW" rule that was meant to permit the traffic through the group never matches it.
Affected versions:
All VMware NSX releases before 9.0.0.
Cause:
When TOFU (Trust On First Use) is disabled and ARP suppression is enabled, the host on which the VM runs may report the addition and the removal of the same ARP-snooped IP address with different timestamps. If the add, remove and re-add events for that IP are processed in a single CCP (central control plane) batch, the remove is never applied and the IP entry becomes stale. The stale entry prevents the IP from being recognized when it later appears on a different port, so group membership derived from the snooped IPs misses it.
Solution:
The issue will be fixed in NSX version 9.0.0.
Note: NSX 9.0.0 General Availability ETA is 03/25/2025.
Workaround:
Either of the following workarounds resolves the issue:
1. Manually add the missed IP address(es) to the inventory group as explicit IP members (recommended). Note that an explicit IP member is static: if the VM's address changes later, the entry must be updated by hand.
2. Restart the NSX controller service on all NSX nodes. Restart one node at a time and schedule it in a maintenance window; hosts keep forwarding on their last pushed state while the service is down, but the control plane is unavailable until it is back.
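To carry out workaround 1 without editing the group by hand, the following Python helper compares the IP addresses reported for a VM against the group's effective IP membership and builds the NSX Policy API PATCH body that pins the missing ones into the group. This is an added example, not VMware's or the KB's own code. It assumes the Policy API paths GET/PATCH /policy/api/v1/infra/domains/default/groups/<group-id> and GET /policy/api/v1/infra/domains/default/groups/<group-id>/members/ip-addresses, assumes the members endpoint returns `{"results": [<ip string>, ...]}`, and uses constructed sample data instead of live API output so it runs offline; verify the response shape against your NSX release before wiring it to a real manager.

```python
"""
Find a VM's IP addresses that are missing from an NSX inventory group and
build the Policy API PATCH body that adds them as explicit IP members.

Assumed endpoints (NSX Policy API, domain "default"):
  GET   /policy/api/v1/infra/domains/default/groups/<group-id>
  GET   /policy/api/v1/infra/domains/default/groups/<group-id>/members/ip-addresses
  PATCH /policy/api/v1/infra/domains/default/groups/<group-id>
"""
import copy
import ipaddress
import json

# Constructed sample data (not real NSX output): a VM with two addresses on one
# vNIC, and a group whose effective membership only learned the first one.
SAMPLE_VM = {"display_name": "web-01", "ip_addresses": ["10.10.1.5", "10.10.1.6"]}
SAMPLE_GROUP_MEMBERS = {"results": ["10.10.1.5"]}
SAMPLE_GROUP = {
    "id": "web-servers",
    "expression": [
        {
            "resource_type": "Condition",
            "member_type": "VirtualMachine",
            "key": "Name",
            "operator": "STARTSWITH",
            "value": "web-",
        }
    ],
}


def normalise(ip):
    """Canonical text form so that e.g. '2001:db8::0:1' and '2001:db8::1' compare equal."""
    return str(ipaddress.ip_address(ip))


def _sort_key(ip):
    # Sort IPv4 before IPv6; mixed-version comparison is a TypeError otherwise.
    addr = ipaddress.ip_address(ip)
    return (addr.version, addr)


def missing_ips(vm, members):
    """Return the VM's addresses that are absent from the group's effective members."""
    have = {normalise(ip) for ip in members["results"]}
    want = {normalise(ip) for ip in vm["ip_addresses"]}
    return sorted(want - have, key=_sort_key)


def patch_body(group, ips):
    """Build a PATCH body that ORs an IPAddressExpression with the group's criteria.

    PATCH replaces the whole `expression` list, so the existing membership
    criteria are copied in; an existing IPAddressExpression is extended rather
    than duplicated.
    """
    expression = copy.deepcopy(group["expression"])
    new = {normalise(ip) for ip in ips}
    for expr in expression:
        if expr.get("resource_type") == "IPAddressExpression":
            merged = set(expr.get("ip_addresses", [])) | new
            expr["ip_addresses"] = sorted(merged, key=_sort_key)
            break
    else:
        if expression:  # operators are only valid between two expressions
            expression.append(
                {"resource_type": "ConjunctionOperator", "conjunction_operator": "OR"}
            )
        expression.append(
            {"resource_type": "IPAddressExpression", "ip_addresses": sorted(new, key=_sort_key)}
        )
    return {"expression": expression}


if __name__ == "__main__":
    missed = missing_ips(SAMPLE_VM, SAMPLE_GROUP_MEMBERS)
    print("missing from group:", missed)
    if missed:
        print(json.dumps(patch_body(SAMPLE_GROUP, missed), indent=2))
```

Run it once against each VM that shows the symptom; the printed body is what you PATCH to the group. Because the IPAddressExpression is static, remove it again (or re-run after the upgrade to 9.0.0) so that name-based membership is the only source of truth once the fix is in place.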