Traffic does not match the configured Firewall rule briefly during vMotion for VMs on the vSphere DVPG

Article ID: 401532

Products

VMware vDefend Firewall

Issue/Introduction

During a vMotion event, VMware Tools may temporarily withdraw the IP-to-port binding, even though the IP remains configured on the VM's network interface. During this brief window, the appropriate DFW rules may not be enforced for the VM.

Environment

VMware NSX 3.x and 4.x (this issue only impacts VMs on DVPG)

Cause

This issue is caused by the behavior of VMware Tools-based IP discovery during vMotion events. When a VM is migrated, VMware Tools temporarily withdraws the IP-to-port binding and re-reports it after the migration completes.

Resolution

Use NSX VLAN-backed or Overlay segments, which have vMotion awareness that delays the removal of the IP address.