dfwpktlogs show DROP for incoming packets, when nic bonding is enabled on the guest VM
Article ID: 411588

Products

VMware vDefend Firewall; VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

  • In dfwpktlogs, for a VM, a flow is logged for the outgoing packet on one vnic VIF ID. Example:
      • 2025-09-12T17:25:53.891Z No(13) FIREWALL-PKTLOG[2108423]: ######31 INET match PASS 1111 OUT 60 TCP 10.10.33.2/34111->10.164.17.14/8080 S <=== Outgoing packet logged as PASS on VIF ID ending in 31
  • However, a flow is also logged for the incoming packet with the same Src IP / Port and Dest IP / Port on a different vnic VIF ID of the same VM. Example:
      • 2025-09-12T17:25:53.896Z No(13) FIREWALL-PKTLOG[2108423]: ######74 INET match DROP 1112 IN 60 TCP 10.164.17.14/8080->10.10.33.2/34111 SA <=== Incoming packet logged as DROP on VIF ID ending in 74
  • This happens when nic bonding is enabled (using LACP) on the guest VM.
  • There is no impact to the traffic, as the incoming packet is also sent over the vnic where the traffic originated. The DROP is only for the copy of the incoming packet that arrives on the second vnic.
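To triage these DROP entries quickly, the following added example (not part of this KB) parses dfwpktlogs lines in the format shown above and reports only the signature described here: an IN DROP whose reversed 5-tuple was already logged as an OUT PASS on a different VIF ID of the same log stream. The field layout is assumed from the two sample lines, and the sample log lines are constructed for the example.

```python
import re

# Field layout assumed from the sample lines in this KB:
# <ts> No(N) FIREWALL-PKTLOG[pid]: <vif> <af> match <action> <rule> <dir> <len> <proto> <src>/<sport>-><dst>/<dport> [flags]
PKTLOG_RE = re.compile(
    r"FIREWALL-PKTLOG\[\d+\]: (?P<vif>\S+) (?P<af>\S+) match (?P<action>PASS|DROP) "
    r"(?P<rule>\d+) (?P<dir>IN|OUT) (?P<len>\d+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)(?: (?P<flags>\S+))?"
)

# Constructed sample lines mirroring the KB (VIF IDs masked as on the page). The third
# line is an assumption: the same reply also arriving on the originating vnic.
SAMPLE_LINES = [
    "2025-09-12T17:25:53.891Z No(13) FIREWALL-PKTLOG[2108423]: ######31 INET match PASS 1111 OUT 60 TCP 10.10.33.2/34111->10.164.17.14/8080 S",
    "2025-09-12T17:25:53.896Z No(13) FIREWALL-PKTLOG[2108423]: ######74 INET match DROP 1112 IN 60 TCP 10.164.17.14/8080->10.10.33.2/34111 SA",
    "2025-09-12T17:25:53.897Z No(13) FIREWALL-PKTLOG[2108423]: ######31 INET match PASS 1111 IN 60 TCP 10.164.17.14/8080->10.10.33.2/34111 SA",
    "2025-09-12T17:26:01.000Z No(13) FIREWALL-PKTLOG[2108423]: ######74 INET match DROP 1001 IN 60 TCP 198.51.100.9/4444->10.10.33.2/22 S",
]

def parse(line):
    """Return the named fields of one dfwpktlogs line, or None if it is not a packet log."""
    m = PKTLOG_RE.search(line)
    return m.groupdict() if m else None

def find_bonding_drops(lines):
    """Return (out_vif, in_vif, 5-tuple) for each IN DROP whose reverse flow was an
    OUT PASS on a different VIF: the guest-side NIC bonding signature from this KB.
    Unrelated IN DROPs (no matching outgoing flow) are not reported."""
    out_pass = {}
    for line in lines:
        r = parse(line)
        if r and r["dir"] == "OUT" and r["action"] == "PASS":
            key = (r["proto"], r["src"], r["sport"], r["dst"], r["dport"])
            out_pass[key] = r["vif"]
    hits = []
    for line in lines:
        r = parse(line)
        if not r or r["dir"] != "IN" or r["action"] != "DROP":
            continue
        # Reverse the tuple so the reply matches the originating OUT flow.
        reverse = (r["proto"], r["dst"], r["dport"], r["src"], r["sport"])
        out_vif = out_pass.get(reverse)
        if out_vif is not None and out_vif != r["vif"]:
            hits.append((out_vif, r["vif"], reverse))
    return hits

if __name__ == "__main__":
    for out_vif, in_vif, flow in find_bonding_drops(SAMPLE_LINES):
        print(f"reply to {flow} passed OUT on {out_vif} but dropped IN on {in_vif}")
```

Only the drop on the second VIF ID is reported; the unrelated DROP to port 22 has no matching outgoing flow and is left for normal review.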

Environment

VMware NSX

vDefend Firewall

VMs with nic bonding enabled on the Guest OS

Resolution

As mentioned in this KB, running LACP inside any guest OS (including nested ESXi hosts) is not supported. It is recommended to use the feature on the ESXi host's vSphere Distributed Switch (VDS) to bond physical NICs on the host for increased bandwidth and availability.

Additional Information

For more info on the dfwpktlogs format, review this doc.

For more info on LACP support, review this KB.