The traffic does not match the expected L7 rules because of incorrect APP-ID classification by the VDPI engine.

Article ID: 387858

Products

VMware vDefend Firewall

Issue/Introduction

The traffic does not match the expected L7 rules because of incorrect APP-ID classification by the VDPI engine.

Symptoms:

  • The L7 firewall sometimes detects an incorrect APP_ID.
  • The issue is intermittent: SYN packets are dropped because of incorrect APP-ID classification.
  • The flow table output from vsipioctl getflows -f <filter-name> might show the dropped flow marked as 'APP_INVALID', meaning no rule matches the incorrectly classified APP_ID, so the default deny is applied with the 'APP_INVALID' reason. In other cases, 'APP_INVALID' might not be shown.
  • This issue is not specific to a particular APP_ID; it can occur with any L7 rule and any APP_ID.
  • The VDPI debug command "vsipioctl getdpiinfo -e" shows that the SYN packet itself is immediately classified with the wrong APP ID.

Environment

NSX-T 4.0.1

NSX-T 4.1.x

Note: This issue is not applicable to NSX-T 3.x releases.

Cause

When the flow count limit for a single worker thread is reached, an old flow is expired and its slot is reused for the new flow. In that scenario, the state of the expired flow, including its APP ID, is carried over to the new flow, so the new flow's SYN is treated as already classified and is matched against the wrong L7 rules.
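The following is an added illustration of the failure mode described above, written as a hypothetical per-worker flow table; it is not VMware's VDPI code, and the slot count, flow keys and APP ID values are constructed. It contrasts slot reuse that leaves the expired flow's classification in place (the new flow's SYN inherits app_id 42) with slot reuse that clears the slot first (the SYN is seen as unclassified, as it should be).

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a fixed-size flow table for one worker thread.
 * When all slots are in use, the least recently seen flow is expired and
 * its slot is handed to the new flow. Two slots keep the walkthrough short. */
#define SLOTS 2
#define APP_UNKNOWN 0   /* constructed: "not yet classified by DPI" */

typedef struct {
    int in_use;
    unsigned long last_seen;  /* logical clock for LRU expiry */
    unsigned int key;         /* constructed stand-in for the 5-tuple */
    int app_id;               /* L7 classification result */
} flow_t;

typedef struct {
    flow_t slot[SLOTS];
    unsigned long clock;
} flow_table_t;

static void table_init(flow_table_t *t) { memset(t, 0, sizeof *t); }

/* Look up a flow by key, or allocate a slot for it. When the table is full,
 * the oldest slot is reused; reset_on_reuse selects whether the stale state
 * of the expired flow is cleared before the new flow takes the slot. */
static flow_t *find_or_alloc(flow_table_t *t, unsigned int key, int reset_on_reuse) {
    int oldest = 0;
    t->clock++;
    for (int i = 0; i < SLOTS; i++) {
        if (t->slot[i].in_use && t->slot[i].key == key) {
            t->slot[i].last_seen = t->clock;
            return &t->slot[i];
        }
    }
    for (int i = 0; i < SLOTS; i++) {
        if (!t->slot[i].in_use) { oldest = i; goto alloc; }  /* free slot, never used */
        if (t->slot[i].last_seen < t->slot[oldest].last_seen) oldest = i;
    }
    /* Table full: expiring the oldest flow and reusing its slot. */
    if (reset_on_reuse) {
        /* Corrected behaviour: drop the expired flow's app_id before reuse. */
        memset(&t->slot[oldest], 0, sizeof t->slot[oldest]);
    }
    /* Faulty behaviour: fall through with the expired flow's app_id intact. */
alloc:
    t->slot[oldest].in_use = 1;
    t->slot[oldest].key = key;
    t->slot[oldest].last_seen = t->clock;
    return &t->slot[oldest];
}

/* What the L7 rule lookup would see for the very first (SYN) packet of a flow. */
static int syn_app_id(flow_table_t *t, unsigned int key, int reset_on_reuse) {
    return find_or_alloc(t, key, reset_on_reuse)->app_id;
}

/* Fill the table, let DPI classify the first flow, then bring in a new flow
 * whose SYN must evict that classified flow. Returns the app_id the SYN sees. */
static int demo(int reset_on_reuse) {
    flow_table_t t;
    table_init(&t);
    flow_t *a = find_or_alloc(&t, 0xA, reset_on_reuse);
    a->app_id = 42;                               /* constructed: DPI classified flow A */
    find_or_alloc(&t, 0xB, reset_on_reuse);       /* table is now full */
    return syn_app_id(&t, 0xC, reset_on_reuse);   /* flow C's SYN evicts flow A */
}

int main(void) {
    printf("stale reuse:   SYN of new flow sees app_id %d (expected %d)\n", demo(0), APP_UNKNOWN);
    printf("cleared reuse: SYN of new flow sees app_id %d (expected %d)\n", demo(1), APP_UNKNOWN);
    return 0;
}
```

With stale reuse the SYN is matched against rules for APP ID 42, which is exactly the symptom above: an L7 rule set that has no rule for that APP ID falls through to the default deny with 'APP_INVALID'. The defensive point is that any slot recycler must reinitialise classification state on reuse, not only the key and timestamp.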

Resolution

The issue is fixed in NSX 4.2.1 and 9.0.