Segment security profile is blocking DHCP traffic even though DHCP is allowed on the profile.

Article ID: 393720

Products

VMware NSX

Issue/Introduction

  • The NSX deployment was upgraded from 3.2.0 to a 4.x release.

  • DHCP Server Block or DHCP Client Block is disabled in the Segment Security Profile that is applied to the segment which the DHCP client or server is connected to.

  • DHCP traffic (either client or server, depending on the configuration) is blocked, even though the segment security profile allows it.

  • Counters on the VM's switchport indicate an increasing drop count:
    1. SSH to the ESXi host with impacted VM.
    2. Find the VM's switchport DVPort ID:
      esxcfg-vswitch -l | grep <vm-name>
      e.g.:

      [root@<esxi_host>:~] esxcfg-vswitch -l | grep example
      DVS Name         Num Ports   Used Ports  Configured Ports  MTU     Uplinks
      example_switch   2060        13          512               8900    vmnic1,vmnic0

        DVPort ID                               In Use      Client
        0d80####-####-####-####-########7fd8    1           example.eth0

    3. Read the security statistics on this port and note the "DHCPv4/v6 Server Block Drop Count" and "DHCPv4/v6 Client Block Drop Count" counters:
      nsxdp-cli swsec get stats --dvport <DVPort ID> --dvs-alias <dvs_name>
      e.g.
      nsxdp-cli swsec get stats --dvport 0d80####-####-####-####-########7fd8 --dvs-alias example_switch
      Spoof Guard Ipv4 Drop Count        : 0
      Spoof Guard Ipv6 Drop Count        : 0
      Spoof Guard Arp Drop Count         : 0
      Spoof Guard Nd Drop Count          : 0
      Spoof Guard NonIp Drop Count       : 0
      Ignore List V4 Drop Count          : 0
      Ignore List V6 Drop Count          : 0
      Rate Limit Bcast Tx Drop Count     : 0
      Rate Limit Bcast Rx Drop Count     : 0
      Rate Limit Mcast Tx Drop Count     : 0
      Rate Limit Mcast Rx Drop Count     : 0
      DHCPv4 Server Block Drop Count     : 33
      DHCPv6 Server Block Drop Count     : 0
      DHCPv4 Client Block Drop Count     : 0
      DHCPv6 Client Block Drop Count     : 0
      BPDU Filter Drop Count             : 3
      RA Gurad Drop Count                : 0
      MAC CHADDR Mismatch Count          : 0
      Reassembled Count                  : 0
      Reassembled Drop Count             : 0
      Spoof Guard Ipv4 Drop Bytes        : 0
      Spoof Guard Ipv6 Drop Bytes        : 0
      Spoof Guard Arp Drop Bytes         : 0
      Spoof Guard Nd Drop Bytes          : 0
      Spoof Guard NonIp Drop Bytes       : 0
      Rate Limit Bcast Tx Drop Bytes     : 0
      Rate Limit Bcast Rx Drop Bytes     : 0
      Rate Limit Mcast Tx Drop Bytes     : 0
      Rate Limit Mcast Rx Drop Bytes     : 0
      DHCPv4 Server Block Drop Bytes     : 18986
      DHCPv6 Server Block Drop Bytes     : 0
      DHCPv4 Client Block Drop Bytes     : 0
      DHCPv6 Client Block Drop Bytes     : 0
      BPDU Filter Drop Bytes             : 180
      RA Gurad Drop Bytes                : 0
      MAC CHADDR Mismatch Bytes          : 0
      Reassembled Bytes                  : 0
      Reassembled Drop Bytes             : 0

    4. Using the API client of your preference, confirm the configuration of the segment which the impacted interface is connected to.
      Note the UUID listed under "SwitchSecuritySwitchingProfile":
      GET https://<nsx_manager>/api/v1/logical-switches/<logical-switch-UUID>
      Note: the logical switch UUID is the hexadecimal ID of the segment.
      e.g. (below is a snippet of the actual response):
      GET https://<nsx_manager>/api/v1/logical-switches/df43####-####-####-####-########rr80
          "switch_type": "DEFAULT",
          "vni": 66562,
          "admin_state": "UP",
          "replication_mode": "MTEP",
          "switching_profile_ids": [
              {
                  "key": "SwitchSecuritySwitchingProfile",
                  "value": "fbc4####-####-####-####-########1888"
              },
              {
                  "key": "SpoofGuardSwitchingProfile",
                  "value": "fad9####-####-####-####-########8ec1"
              },

    5. Confirm the UUID of the segment security profile that is applied to the segment. The response payload should list a segment security profile whose UUID matches the "SwitchSecuritySwitchingProfile" value noted above:
      GET https://<nsx_manager>/api/v1/switching-profiles
    6. If you are hitting this issue, the UUID identified in step 4 does not match any UUID returned in step 5.
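The check in steps 3 to 6 can be scripted once the CLI output and the two API responses are in hand. The following is an added example and not part of the KB or of any NSX tooling: it parses constructed `nsxdp-cli swsec get stats` output, extracts the SwitchSecuritySwitchingProfile UUID from a constructed logical-switch response, and tests whether that UUID appears in a constructed `/api/v1/switching-profiles` response (the `results` list shape is an assumption; all UUIDs are placeholders).

```python
import re

# Constructed sample of `nsxdp-cli swsec get stats` output (only the relevant lines).
SAMPLE_STATS = """\
Spoof Guard Ipv4 Drop Count        : 0
DHCPv4 Server Block Drop Count     : 33
DHCPv6 Server Block Drop Count     : 0
DHCPv4 Client Block Drop Count     : 0
DHCPv4 Server Block Drop Bytes     : 18986
"""

# Constructed snippet of GET /api/v1/logical-switches/<uuid>; UUIDs are placeholders.
SAMPLE_SWITCH = {"switching_profile_ids": [
    {"key": "SwitchSecuritySwitchingProfile", "value": "fbc40000-0000-0000-0000-000000001888"},
    {"key": "SpoofGuardSwitchingProfile", "value": "fad90000-0000-0000-0000-000000008ec1"},
]}

# Constructed snippet of GET /api/v1/switching-profiles; the "results" list shape is assumed.
# Note that the segment's security profile UUID is deliberately absent (the bug symptom).
SAMPLE_PROFILES = {"results": [
    {"id": "aaaa0000-0000-0000-0000-000000000001", "resource_type": "SwitchSecuritySwitchingProfile"},
    {"id": "fad90000-0000-0000-0000-000000008ec1", "resource_type": "SpoofGuardSwitchingProfile"},
]}

STAT_LINE = re.compile(r"^\s*(.+?)\s*:\s*(\d+)\s*$")

def parse_swsec_stats(text):
    """Turn 'Counter name : N' lines into a {name: int} dict (step 3)."""
    stats = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats

def dhcp_block_drops(stats):
    """Return only the non-zero DHCP block counters."""
    return {k: v for k, v in stats.items() if k.startswith("DHCP") and "Block Drop" in k and v}

def security_profile_id(switch):
    """UUID bound under SwitchSecuritySwitchingProfile on the segment (step 4), or None."""
    for entry in switch.get("switching_profile_ids", []):
        if entry.get("key") == "SwitchSecuritySwitchingProfile":
            return entry.get("value")
    return None

def profile_is_known(profile_id, profiles):
    """Steps 5/6: True if the segment's profile UUID exists in the manager's profile list."""
    return any(p.get("id") == profile_id for p in profiles.get("results", []))
```

A segment that shows non-zero DHCP block drops while `profile_is_known` returns False matches the symptom described in step 6.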

Environment

VMware NSX

Cause

This issue is introduced during the upgrade, where certain properties of the segment security profile may not be correctly migrated to the new version.

Resolution

This issue is resolved in VMware NSX 4.2.2, available at Broadcom downloads.

If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.

Additional Information

If you are contacting Broadcom support about this issue, please provide the following:

  • NSX Manager support bundles.
  • ESXi host support bundles for hosts that are failing to configure as transport nodes.
  • Text of any error messages seen in NSX GUI or command lines pertinent to the investigation.

Handling Log Bundles for offline review with Broadcom support