Gateway Firewall Does Not Track Connections in NSX when the stateful services are turned off
Article ID: 405288


Products

  • VMware vDefend Firewall
  • VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

  • Running the following command on the Edge node CLI for an interface of the Tier-0 or Tier-1 Gateway returns Connection count: 0:

    • get firewall <interface-UUID> connection raw

  • Traffic is actively passing through the gateway, yet the Gateway Firewall reports no tracked connections.

  • Sample output
    • edge> get firewall ########-####-####-####-########## connection raw
      Thu Jul ## 20## PDT 09:46:10.290
      Connection count: 0

Environment

  • VMware NSX-T / NSX 4.x
  • Tier-0 or Tier-1 Gateway configured

Cause

This behavior occurs when stateful services are disabled on the Tier-0 or Tier-1 gateway.

With stateful services off, the Gateway Firewall runs in stateless mode: every packet is evaluated against the rules on its own and no connection state is kept, so Connection count: 0 is the expected result even while traffic is flowing. The rules are still enforced; what is missing is connection tracking. In practice this also means that return traffic is not automatically matched to an established connection and must be permitted by explicit rules in the reverse direction.

Resolution

Ensure stateful services are enabled on the Tier-0 or Tier-1 gateway. On a Tier-0 gateway the stateful services setting depends on the gateway's high availability mode, so review the linked documentation before changing it on a production gateway.

Step 1: Check Current Stateful Configuration

    • Navigate to the Tier-0/Tier-1 gateway in the NSX Manager UI.
    • Confirm whether stateful services are enabled.

Step 2: Enable Stateful Services (if disabled)

    • Follow the procedure in the NSX Administration Guide:
      https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-2/administration-guide/tier-0-gateways/stateful-services-on-tier-0-and-tier-1-gateways/configure-stateful-services-on-tier-0-and-tier-1-gateways.html

Step 3: Verify Connection Tracking

    • With traffic flowing through the gateway, re-run get firewall <interface-UUID> connection raw on the Edge node. Connection count should now be greater than 0.
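When several gateways are involved, it helps to separate the interfaces where a zero count is expected (stateful services deliberately off) from the ones that actually need attention. The following is an added triage example, not part of this KB and not NSX code. It parses the text of get firewall <interface-UUID> connection raw as captured from the Edge CLI, and combines it with an operator-maintained map of which gateways have stateful services enabled; that map and the sample captures are constructed for the example, and nothing here queries NSX.

```python
"""Added triage example (not part of this KB or of NSX itself).

Input: the captured text of `get firewall <interface-UUID> connection raw`
for several interfaces, plus an operator-maintained map (assumed input)
saying which gateway each interface belongs to and whether that gateway
has stateful services enabled.
"""
import re

# Matches the 'Connection count: N' line printed by the Edge CLI command.
COUNT_RE = re.compile(r"^\s*Connection count:\s*(\d+)\s*$", re.MULTILINE)


def parse_connection_count(cli_output: str) -> int:
    """Extract the tracked-connection count from the captured CLI output."""
    match = COUNT_RE.search(cli_output)
    if match is None:
        raise ValueError("no 'Connection count:' line found in CLI output")
    return int(match.group(1))


def classify_interface(cli_output: str, stateful_enabled: bool) -> str:
    """Classify one interface:
    'tracking'           - connections are being tracked
    'expected-stateless' - zero count, gateway has stateful services off
    'investigate'        - zero count although stateful services are on
    """
    if parse_connection_count(cli_output) > 0:
        return "tracking"
    return "investigate" if stateful_enabled else "expected-stateless"


def triage(captures: dict, gateway_state: dict) -> dict:
    """Map each interface UUID to its classification.

    captures:      {interface_uuid: raw CLI output text}
    gateway_state: {interface_uuid: {"gateway": name, "stateful": bool}}
    """
    result = {}
    for uuid, output in captures.items():
        info = gateway_state[uuid]
        result[uuid] = classify_interface(output, info["stateful"])
    return result


# Constructed sample data: synthetic UUIDs and CLI text in the KB's format.
SAMPLE_CAPTURES = {
    "11111111-1111-1111-1111-111111111111": (
        "Thu Jan 01 2025 UTC 00:00:00.000\n"
        "Connection count: 0\n"
    ),
    "22222222-2222-2222-2222-222222222222": (
        "Thu Jan 01 2025 UTC 00:00:00.000\n"
        "Connection count: 0\n"
    ),
    "33333333-3333-3333-3333-333333333333": (
        "Thu Jan 01 2025 UTC 00:00:00.000\n"
        "Connection count: 1342\n"
    ),
}

# Assumed operator inventory: which gateway owns each interface and whether
# stateful services are enabled on it (taken from the NSX Manager UI).
SAMPLE_GATEWAY_STATE = {
    "11111111-1111-1111-1111-111111111111": {"gateway": "T0-edge", "stateful": False},
    "22222222-2222-2222-2222-222222222222": {"gateway": "T1-app", "stateful": True},
    "33333333-3333-3333-3333-333333333333": {"gateway": "T1-db", "stateful": True},
}


if __name__ == "__main__":
    for uuid, verdict in triage(SAMPLE_CAPTURES, SAMPLE_GATEWAY_STATE).items():
        print(f"{SAMPLE_GATEWAY_STATE[uuid]['gateway']:8} {uuid}  {verdict}")
```

Only interfaces reported as investigate need the resolution steps above; an expected-stateless result is the documented behavior and should instead prompt a check that the reverse-direction rules the stateless gateway relies on are actually present.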