vMotion fails with DFW vMotion Failure Alarm - "The DFW vMotion for DFW filter nic-##########-eth0-vmware-sfw.2 on destination host **** has failed and the port for the entity has been disconnected."
Article ID: 389754
Products
VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention
Issue/Introduction
When attempting vMotion to another host, the VM experiences vMotion Failure and an alarm is generated in NSX - "The DFW vMotion for DFW filter nic-##########-eth0-vmware-sfw.2 on destination host **** has failed and the port for the entity has been disconnected."
The following error is observed in vmkernel.log on the ESXi host:
Importing state to nic-xxxx -vmware-sfw.X rejected: global addrsets already enabled (0xe46)
In both NSX-T 3.x and 4.x versions, the following messages can be found in nsx-syslog on the ESXi hosts:
dfw: ReportEvent: Succeeded to raise dfw vmotion failure alarm for filter nic-**********-eth0-vmware-sfw.2.
The DFW vMotion for DFW filter nic-**********-eth0-vmware-sfw.2 on destination host **** has failed and the port for the entity has been disconnected.
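Both signatures above can be correlated per DFW filter so an operator can see which vNIC filters were rejected on the destination host and whether the alarm has already been raised. This is an added example, not part of the article or any VMware tool; the log lines, NIC ids and host name it scans are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# vmkernel.log signature from the article: the destination host refuses to import
# the DFW filter state because global addrsets are already enabled (0xe46).
IMPORT_REJECTED_RE = re.compile(
    r"Importing state to (?P<filter>nic-\S+?-vmware-sfw\.\d+) rejected: "
    r"global addrsets already enabled \((?P<code>0x[0-9a-fA-F]+)\)"
)
# nsx-syslog signature from the article: the DFW vMotion failure alarm text.
ALARM_RE = re.compile(
    r"The DFW vMotion for DFW filter (?P<filter>nic-\S+?-vmware-sfw\.\d+) "
    r"on destination host (?P<host>\S+) has failed"
)

@dataclass
class DfwVmotionFailure:
    filter_name: str                 # e.g. nic-<id>-eth0-vmware-sfw.2
    import_rejected: bool = False    # 0xe46 line seen in vmkernel.log
    alarm_raised: bool = False       # alarm line seen in nsx-syslog
    dest_host: Optional[str] = None  # only the nsx-syslog alarm names the host

def scan_logs(vmkernel_lines: Iterable[str], nsx_syslog_lines: Iterable[str]) -> List[DfwVmotionFailure]:
    """Correlate both signatures per DFW filter; one finding per affected vNIC filter."""
    findings: Dict[str, DfwVmotionFailure] = {}
    for line in vmkernel_lines:
        m = IMPORT_REJECTED_RE.search(line)
        if m and m.group("code").lower() == "0xe46":
            findings.setdefault(m.group("filter"), DfwVmotionFailure(m.group("filter"))).import_rejected = True
    for line in nsx_syslog_lines:
        m = ALARM_RE.search(line)
        if m:
            f = findings.setdefault(m.group("filter"), DfwVmotionFailure(m.group("filter")))
            f.alarm_raised, f.dest_host = True, m.group("host")
    return sorted(findings.values(), key=lambda f: f.filter_name)

# Constructed sample lines (not real log output); NIC ids and the host name are placeholders.
VMKERNEL_SAMPLE = [
    "Importing state to nic-1000001-eth0-vmware-sfw.2 rejected: global addrsets already enabled (0xe46)",
    "Importing state to nic-1000002-eth0-vmware-sfw.2 rejected: global addrsets already enabled (0xe46)",
    "Importing state to nic-1000003-eth0-vmware-sfw.2 succeeded",
]
NSX_SYSLOG_SAMPLE = [
    "dfw: ReportEvent: Succeeded to raise dfw vmotion failure alarm for filter nic-1000001-eth0-vmware-sfw.2.",
    "The DFW vMotion for DFW filter nic-1000001-eth0-vmware-sfw.2 on destination host esx-02.lab.invalid "
    "has failed and the port for the entity has been disconnected.",
]

if __name__ == "__main__":
    for finding in scan_logs(VMKERNEL_SAMPLE, NSX_SYSLOG_SAMPLE):
        print(finding)
```

A filter that shows `import_rejected` without `alarm_raised` is one the host has already refused but NSX has not yet alarmed on, which is the case to check first.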
Environment
NSX-T Data Center 3.x
NSX-T Data Center 4.x
Cause
This is a timing issue between the following two processes, and it can occur when a vMotion and a DFW configuration update happen at the same time:
A DFW firewall rule event (create or update) is sent from NSX Manager to the ESXi host, and the host is in the process of importing the updated firewall rules.
Simultaneously, a vMotion operation involving firewall rule attachment is in progress on the target host.
Resolution
This issue is fixed in ESXi 7.0.3 P10 and ESXi 8.0.3.0 P06.
Workaround:
Perform another vMotion of the affected VM to a less loaded host.
Disable the virtual machine's NIC (Network Adapter) from the VM's [Configure & Edit] menu, then re-enable it in vCenter.
Republish the DFW policy.
To republish a DFW rule, you need to make a change to the rule or its settings.
Modify a parameter that won't affect traffic, such as adding a comment or turning off logging, and then perform the publish operation.
Once the DFW policy has been republished, restore the modified settings to their original values and republish the policy again.
If you can stagger the timing of firewall-related operations and vMotion operations, you can minimize the risk of hitting this timing issue.
Additional Information
The DFW vMotion Failure alarm is implemented in NSX-T 3.2 or later.