IPs missing from addrsets on ESX hosts leading to connectivity issues between VMs

Article ID: 386567


Products

VMware vDefend Firewall, VMware NSX, VMware NSX Firewall

Issue/Introduction

VMs are members of the same dynamic group created on the NSX Manager. The IP address of one of the VMs is missing from the addrset of a DFW rule on the ESXi host. As a result, communication between the VMs fails because the traffic is dropped by the default DROP / DENY rule.

Below is an example of how to verify the issue:

1. To check the addrset for a filter, run the following command on the host:

vsipioctl getaddrsets -f <filter name>

2. Then, find the appropriate addrset in the output and compare it between the working and non-working hosts.

a. On the working host:

addrset XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX {
# generation number: 0
# realization time : 2025-01-08T17:41:54
ip 10.10.10.10,
ip 20.20.20.20,
ip 30.30.30.30,

b. However, on the non-working host the IP '30.30.30.30' is missing from the same addrset:

addrset XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX {
# generation number: 0
# realization time : 2025-01-08T17:24:30
ip 10.10.10.10,
ip 20.20.20.20,
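Comparing addrsets by eye works for one filter but not for dozens. The following added script (not part of this KB) parses saved vsipioctl getaddrsets output from a working and a non-working host and reports, per addrset, the IPs the non-working host is missing. The two sample outputs are constructed from the excerpt above; the closing braces and the '#' metadata lines are assumed to match the real output format.

```python
import re

# Constructed sample output modelled on the KB excerpt; closing braces assumed.
WORKING = """addrset XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX {
# generation number: 0
# realization time : 2025-01-08T17:41:54
ip 10.10.10.10,
ip 20.20.20.20,
ip 30.30.30.30,
}
"""
NON_WORKING = """addrset XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX {
# generation number: 0
# realization time : 2025-01-08T17:24:30
ip 10.10.10.10,
ip 20.20.20.20,
}
"""

ADDRSET_RE = re.compile(r"^addrset\s+(\S+)\s*\{")
IP_RE = re.compile(r"^ip\s+([0-9a-fA-F:./]+),?$")


def parse_addrsets(text):
    """Map each addrset name to the set of IPs realized in it.
    '#' lines (generation number, realization time) are metadata and skipped."""
    sets, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ADDRSET_RE.match(line):
            current = m.group(1)
            sets.setdefault(current, set())
        elif line.startswith("}"):
            current = None
        elif current is not None and (m := IP_RE.match(line)):
            sets[current].add(m.group(1))
    return sets


def diff_addrsets(working, broken):
    """Return {addrset: sorted IPs present on the working host but absent on
    the non-working one}; an addrset missing entirely reports all its IPs."""
    good, bad = parse_addrsets(working), parse_addrsets(broken)
    return {name: sorted(ips - bad.get(name, set()))
            for name, ips in good.items() if ips - bad.get(name, set())}


if __name__ == "__main__":
    for name, missing in diff_addrsets(WORKING, NON_WORKING).items():
        print(f"addrset {name}: missing on non-working host -> {missing}")
```

In practice, redirect vsipioctl getaddrsets -f <filter name> to a file on each host and pass the two file contents to diff_addrsets instead of the constructed strings.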

Environment

VMware NSX 4.1.2.3

Cause

A container (addrset) update occurred on the host.

This can be verified in the host syslog file /var/run/log/nsx-syslog, which contains a message similar to the following:

2025-01-07T20:13:38.069Z In(182) cfgAgent[2100393]: NSX 2100393 - [nsx@6876 comp="nsx-controller" subcomp="cfgAgent" tid="XXXXXXX" level="info"] LB: Found old container: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX in cache, update it

A similar log message reflecting the container/addrset update might appear on the affected host.

Resolution

Find the controller IP address associated with the affected host by running the below command on the host (TCP port 1235 is the channel between the host and the NSX controller):

esxcli network ip connection list | grep 1235

Once the associated controller is identified, log in to that controller as admin and restart the controller service by running the below command:

restart service controller