vMotion fails with DFW vMotion Failure Alarm - "The DFW vMotion for DFW filter nic-##########-eth0-vmware-sfw.2 on destination host **** has failed and the port for the entity has been disconnected."

search cancel

vMotion fails with DFW vMotion Failure Alarm - "The DFW vMotion for DFW filter nic-##########-eth0-vmware-sfw.2 on destination host **** has failed and the port for the entity has been disconnected."

book

Article ID: 389754

calendar_today

Updated On:

Products

VMware vDefend Firewall VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

When attempting vMotion to another host, the VM experiences vMotion Failure and an alarm is generated in NSX - "The DFW vMotion for DFW filter nic-##########-eth0-vmware-sfw.2 on destination host **** has failed and the port for the entity has been disconnected."

The following errors are observed in vmkernel.log on the ESXi host

Importing state to nic-xxxx -vmware-sfw.X rejected: global addrsets already enabled (0xe46)

In both NSX-T 3.x and 4.x versions, you can find the following errors in nsx-syslog on the ESXi hosts

dfw: ReportEvent: Succeeded to raise dfw vmotion failure alarm for filter nic-**********-eth0-vmware-sfw.2.

The DFW vMotion for DFW filter nic-**********-eth0-vmware-sfw.2 on destination host **** has failed and the port for the entity has been disconnected.

Environment

NSX-T Data Center 3.x
NSX-T Data Center 4.x

Cause

This is a timing issue of the following two processes, and it may occur if a vMotion and DFW configuration update happen at the same time:

A DFW firewall rule event (create or update) is sent from NSX Manager to the ESXi host, and the host is in the process of importing the updated firewall rules.
Simultaneously, a vMotion operation involving firewall rule attachment is in progress on the target host.

Resolution

This issue is fixed by ESXi 7.0.3 P10 and ESXi 8.0.3.0 P06
If the hosts are already on a fixed ESXi version, then review https://knowledge.broadcom.com/external/article/404061 as this issue can cause this same alert.

Workaround:

Perform another vMotion of the affected VM to a less loaded host.
Disable the virtual machine's NIC (Network Adapter) from the VM's [Configure & Edit] menu, then re-enable it in vCenter.
Republish the DFW policy
- To republish a DFW rule, you need to make a change to the rule or its settings.
- Please modify a parameter that won’t affect traffic, such as adding a comment or turning off logging, and then perform the publish operation.
- Once the DFW policy has been republished, restore the modified settings to their original values and republish the policy again

If you can stagger the timing of firewall-related operations and vMotion, you can minimize the risk of this timing issue.

Additional Information

The DFW vMotion Failure alarm is implemented in NSX-T 3.2 or later.

Feedback

thumb_up Yes

thumb_down No