Multiple DFW flood limit alarms are being triggered on a host
Article ID: 409742

Updated On:

Products

VMware vDefend Firewall

Issue/Introduction

Multiple DFW flood limit alarms are being triggered on a host where the flood protection profile is not enabled.

Example alarm: The DFW flood limit for DFW filter nic-XXXX-ethx-vmware-sfw.2 on host #### has reached the warning level of 80% of the configured limit for protocol UDP.

The customer initially enabled flood protection, and within a few minutes several "DFW Flood Limit Critical/Warning" alarms were triggered on the NSX Manager. Although the customer rolled back the change and disabled flood protection, the alarms continue to appear on the NSX Manager.

Host statistics observed:

/bin/vsipioctl getfloodstat -f nic-XXXX-ethX-vmware-sfw.2

UDP:
    Flood Protection : disabled >>> Protection is Disabled.
    Active UDP Flows = 94

Even after disabling flood protection and clearing all open alarms from the NSX UI, the issue persists: after some time, flood limit warnings are generated again on the NSX UI for multiple hosts.

Environment

VMware vDefend Firewall

Cause

The flood protection alarm implementation does not clear or resolve existing alarms when the flood protection configuration is deleted, so the alarms stay in the open state. Even if you resolve an alarm manually, the alarm sync logic raises it again, because the alarm implementation still considers the alarm to be in the "raised" state.

Resolution

Fix targeted for a future NSX release.

Additional Information

The following workaround can be applied to mitigate this behavior:

1. SSH into the ESXi host as root.
2. Execute the command: /etc/init.d/nsx-cfgagent restart
3. Manually resolve any outstanding alarms from the NSX UI. No new flood protection alarms should appear afterward.

Note: This action does not impact traffic. At most it causes a brief interruption of the configuration path while the agent restarts.
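Before restarting nsx-cfgagent, an operator will usually want to confirm that the open alarm really is stale, i.e. that the protocol named in the alarm shows flood protection disabled on the host. The helper below is an added example (not part of this article or of VMware's tooling); it parses the getfloodstat output layout quoted above, applied to a constructed sample that assumes one "Flood Protection : ..." line per protocol section.

```shell
#!/bin/sh
# Constructed sample modelled on the vsipioctl getfloodstat output quoted in the article.
# On a real host it would come from: /bin/vsipioctl getfloodstat -f "$FILTER"
SAMPLE_STAT='TCP:
    Flood Protection : disabled
    Active TCP Flows = 120
UDP:
    Flood Protection : disabled
    Active UDP Flows = 94
ICMP:
    Flood Protection : enabled
    Active ICMP Flows = 3'

# disabled_protocols STAT_TEXT
# Prints, one per line, every protocol whose section reports flood protection disabled.
disabled_protocols() {
  printf '%s\n' "$1" | awk '
    /^[A-Z]+:$/ { proto = substr($0, 1, length($0) - 1); next }   # section header, e.g. "UDP:"
    /Flood Protection/ && $0 ~ /disabled/ { print proto }          # status line inside the section
  '
}

# alarm_is_stale PROTOCOL STAT_TEXT
# Succeeds when the protocol named in an open flood-limit alarm has protection disabled,
# which is the situation this article describes (alarm open, protection off).
alarm_is_stale() {
  proto="$1"
  stat="$2"
  disabled_protocols "$stat" | grep -qx "$proto"
}

# Example use: check the UDP alarm from the article against the sample statistics.
if alarm_is_stale UDP "$SAMPLE_STAT"; then
  echo "UDP flood alarm is stale: protection disabled on host; restart nsx-cfgagent and resolve the alarm"
else
  echo "UDP flood protection is enabled; the alarm may be genuine"
fi
```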