VM port blocked state on NSX segment prevents connectivity

Article ID: 405110

Updated On:

Products

VMware NSX

Issue/Introduction

A virtual machine appears in a blocked state on an NSX segment port and is not visible in the NSX Manager segment ports view. The affected VM cannot establish network connectivity despite being configured identically to other functional VMs on the same segment. The VM shows as connected to the NSX segment in vCenter but does not appear in the NSX segment port listings.

Error messages may include:

  • Port showing as "blocked" status in ESXi diagnostics
  • VM not appearing in NSX Manager segment port view
  • Network connectivity failures from the affected VM

Steps to validate the issue:

  • Check ESXi host where the VM is running using net-dvs -l | grep -E "port |port.block|volatile.vlan|volatile.status"
  • Verify output shows "Port blocked by admin" status
  • Confirm VM is assigned to NSX segment in vCenter but missing from NSX Manager ports view
  • Validate other VMs on the same segment are functioning normally

Environment

  • VMware NSX-T Data Center 3.x
  • VMware NSX 4.x
  • VMware vSphere ESXi
  • VMware vCenter Server

Cause

The issue occurs when the VM network port is blocked at the VDS level on the ESXi host, combined with NSX Manager cluster health issues that prevent proper port state synchronization. Critical services on NSX Manager nodes may be in a down state, preventing the cluster from properly managing and displaying port states across the environment.

Resolution

Step 1: Identify the blocked port

  1. SSH to the ESXi host where the affected VM is running
  2. Identify the VDS name and PortUUID:
    esxcfg-vswitch -l
  3. Match port numbers with VM network adapters:
    net-stats -l
  4. Confirm the blocked status:
    net-dvs -l | grep -E "port |port.block|volatile.vlan|volatile.status"
    Look for output showing "Port blocked by admin" status.
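
The check in item 4 can be scripted so that every blocked port is listed with its port ID. This is an added example, not part of the original article or a VMware tool: the function name, the sample text and the assumed layout (a "port <id>:" line followed by that port's properties) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): list the ports that
# `net-dvs -l` reports as blocked, with the evidence found for each.
# Assumption: every port section begins with a "port <id>:" line and its
# property lines follow until the next "port <id>:" line.

find_blocked_ports() {
    # Reads net-dvs -l output on stdin; prints "<port-id> <evidence>" per blocked port.
    awk '
        function emit() { if (port != "" && why != "") print port, why; why = "" }
        # A new port section starts: report the previous one, remember the new ID.
        /^[ \t]*port [^ \t]+:[ \t]*$/ { emit(); port = $2; sub(/:$/, "", port); next }
        # The property changed by the unblock command in Step 2.
        port != "" && why == "" && /port\.block[ \t]*=[ \t]*true/ { why = "port.block=true" }
        # The status text the article says to look for.
        port != "" && why == "" && /Port blocked by admin/ { why = "status:blocked-by-admin" }
        END { emit() }
    '
}

sample_net_dvs_output() {
    # Constructed sample, not captured from a real host.
    cat <<'EOF'
switch 00 00 00 00 (constructed sample)
    port 12:
        com.vmware.common.port.block = false , propType = CONFIG
        com.vmware.common.port.volatile.vlan = VLAN 0
        com.vmware.common.port.volatile.status = inUse linkUp
    port 00000000-0000-0000-0000-00000000000a:
        com.vmware.common.port.block = true , propType = CONFIG
        com.vmware.common.port.volatile.vlan = VLAN 0
        com.vmware.common.port.volatile.status = inUse linkDown Port blocked by admin
    port 14:
        com.vmware.common.port.volatile.vlan = VLAN 0
        com.vmware.common.port.volatile.status = Port blocked by admin
EOF
}

# Demo on the constructed sample. On an ESXi host: net-dvs -l | find_blocked_ports
sample_net_dvs_output | find_blocked_ports
```

The port ID printed for a blocked port is the value to pass as <PortUUID> in Step 2.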

Step 2: Unblock the VM port

  1. Execute the unblock command using the values identified in Step 1:
    net-dvs -s com.vmware.common.port.block=false <VDS-Name> -p <PortUUID>
    Note: Replace <VDS-Name> with the actual VDS name and <PortUUID> with the port UUID from Step 1.
  2. Verify the change in the vSphere Client:
    • Navigate to the host's networking configuration
    • Check that the port no longer shows as blocked
    • Refresh the view if necessary

Step 3: Check NSX Manager cluster health

  1. Access the NSX Manager interface and navigate to System > Appliances
  2. Check cluster status by running:
    get cluster status
  3. If critical services are down on any manager node:
    • Reboot the affected NSX Manager node
    • Wait for all services to come back online
    • Verify cluster health returns to normal

Step 4: Refresh VM network state

  1. Perform a vMotion of the affected VM to another host
    • This refreshes the network adapter state
    • Ensures proper synchronization between ESXi and NSX Manager
  2. Verify resolution:
    • Check that the VM now appears in NSX Manager segment ports view
    • Navigate to Networking > Segments > Select the segment > Ports
    • Confirm the VM port is listed and shows as "Up"
  3. Test connectivity from the VM to confirm network functionality is restored

Important: If the error persists after following these steps, contact Broadcom Support for further assistance.