UDP MSSQL traffic not matching Layer 7 DFW rule
Article ID: 413161

Updated On:

Products

VMware vDefend Firewall VMware NSX

Issue/Introduction

  • NSX version 4.2.3 and earlier, or version 9.0, is used.
  • The user is using an L7 DFW rule with a context profile whose APP_ID is "MS_SQL".
  • The user experiences intermittent connectivity issues when communicating with the MS SQL server.
  • The user observes in log file /var/run/log/dfwpkt.log that UDP traffic to port 1434 does not match the L7 rule and is potentially dropped:

2025-06-23T11:29:17.456Z 2b39361c INET match DROP 2 OUT 48 UDP 192.168.0.10/52480->192.168.0.20/1434 

2025-06-23T11:29:18.606Z 2b39361c INET match DROP 2 OUT 48 UDP 192.168.0.10/52481->192.168.0.20/1434 

  • The VDPI debug log shows the APP_ID being classified as MS_SSRP.
    • Please engage Broadcom support for assistance enabling the VDPI debug log.
    • Output of the debug log can be found in /var/run/log/nsx-syslog.log

2025-06-23T11:29:17.655Z vdpi[73865833]: NSX 73865833 - [nsx@6876 comp="nsx-esx" subcomp="nsx-vdpi" tid="73865899" level="DEBUG"] Classification path:  base.ip.udp.ms_ssrp

  • With vsip debug logging enabled, "failed to match key APP_ID" is observed in log file /var/run/log/vmkernel.log
    • Please engage Broadcom support for assistance enabling the vsip debug log.

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware NSX 4.2.X

VMware vDefend

Cause

  • UDP port 1434 carries the SQL Server Resolution Protocol (SSRP), the instance-discovery exchange a client performs before opening its TCP connection to the SQL Server instance. VDPI classifies this traffic as APP_ID MS_SSRP rather than MS_SQL, and MS_SSRP is not exposed as an APP_ID in NSX, so the UDP flow cannot match the intended L7 DFW rule and is dropped instead.

Resolution

  • This issue will be fixed in a future NSX release.
  • Until the APP_ID MS_SSRP is exposed in a future release, an L4 DFW rule allowing UDP 1434 to the SQL server, placed above the L7 MS_SQL rule so that it is evaluated first, may be used to mitigate the traffic drop. The L7 rule then continues to govern the TCP connection to the SQL Server instance.
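The following is an added example, not part of this article or of NSX itself: it triages dfwpkt.log for dropped SSRP flows (UDP to port 1434, which is how the symptom above appears) and then builds the Policy API payloads for the L4 allow rule recommended as the workaround. The field positions follow the dfwpkt.log lines shown above; the sample log is constructed (the two lines from the article plus two unrelated flows). The group path, service id, rule id and policy path are placeholders chosen for illustration, as are the Policy API object shapes, which should be checked against the API reference for the NSX version in use.

```python
"""Added example (not from the KB): find dropped SSRP (UDP/1434) flows in
dfwpkt.log and build the NSX Policy API payloads for the L4 allow rule
workaround.  Policy API paths and ids here are assumptions for illustration."""
import base64
import json
import ssl
import urllib.request
from collections import Counter

SSRP_PORT = 1434  # SQL Server Resolution Protocol, classified by VDPI as MS_SSRP

# Constructed sample: the two KB lines plus a TCP/1433 pass and an unrelated UDP drop.
SAMPLE_DFWPKT = """\
2025-06-23T11:29:17.456Z 2b39361c INET match DROP 2 OUT 48 UDP 192.168.0.10/52480->192.168.0.20/1434
2025-06-23T11:29:18.606Z 2b39361c INET match DROP 2 OUT 48 UDP 192.168.0.10/52481->192.168.0.20/1434
2025-06-23T11:29:19.010Z 2b39361c INET match PASS 2 OUT 60 TCP 192.168.0.10/52482->192.168.0.20/1433
2025-06-23T11:29:19.500Z 2b39361c INET match DROP 3 OUT 70 UDP 192.168.0.10/52483->192.168.0.53/53
"""


def parse_dfwpkt_line(line):
    """Parse one 'INET match' line into a dict; return None for other lines."""
    f = line.split()
    if len(f) < 10 or f[2] != "INET" or f[3] != "match" or "->" not in f[9]:
        return None
    src, dst = f[9].split("->", 1)
    src_ip, src_port = src.rsplit("/", 1)
    dst_ip, dst_port = dst.rsplit("/", 1)
    return {"ts": f[0], "filter": f[1], "action": f[4], "rule_id": f[5],
            "direction": f[6], "length": int(f[7]), "proto": f[8],
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port)}


def find_ssrp_drops(log_text):
    """Return the DROP records for UDP flows to port 1434 (SSRP)."""
    drops = []
    for line in log_text.splitlines():
        rec = parse_dfwpkt_line(line)
        if (rec and rec["action"] == "DROP" and rec["proto"] == "UDP"
                and rec["dst_port"] == SSRP_PORT):
            drops.append(rec)
    return drops


def affected_sql_servers(drops):
    """Count dropped SSRP packets per destination, i.e. per SQL Server host."""
    return Counter(d["dst_ip"] for d in drops)


def build_ssrp_service(service_id="ms-sql-ssrp-udp-1434"):
    """Policy API Service holding one L4PortSetServiceEntry for UDP/1434."""
    return {"resource_type": "Service", "display_name": service_id,
            "service_entries": [{"resource_type": "L4PortSetServiceEntry",
                                 "display_name": "udp-1434",
                                 "l4_protocol": "UDP",
                                 "destination_ports": [str(SSRP_PORT)]}]}


def build_l4_allow_rule(rule_id, sequence_number, dst_group_path, service_path,
                        source_paths=("ANY",)):
    """Policy API Rule allowing the SSRP service to the SQL Server group.

    sequence_number must be lower than the L7 MS_SQL rule's so that this
    L4 rule is evaluated first; the L7 rule still governs TCP/1433."""
    return {"resource_type": "Rule", "id": rule_id, "display_name": rule_id,
            "sequence_number": sequence_number,
            "source_groups": list(source_paths),
            "destination_groups": [dst_group_path],
            "services": [service_path], "scope": ["ANY"],
            "direction": "IN_OUT", "ip_protocol": "IPV4_IPV6",
            "action": "ALLOW", "logged": True}


def patch_policy_api(manager, user, password, path, body):
    """PATCH /policy/api/v1<path> on an NSX Manager using HTTP basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{manager}/policy/api/v1{path}", method="PATCH",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as r:
        return r.status


if __name__ == "__main__":
    drops = find_ssrp_drops(SAMPLE_DFWPKT)
    print("dropped SSRP packets per SQL server:", dict(affected_sql_servers(drops)))
    service_path = "/infra/services/ms-sql-ssrp-udp-1434"   # assumed id
    rule = build_l4_allow_rule("allow-ms-sql-ssrp", 10,
                               "/infra/domains/default/groups/sql-servers",
                               service_path)                 # assumed group
    policy = "/infra/domains/default/security-policies/app-mssql"  # assumed
    print(json.dumps({service_path: build_ssrp_service(),
                      f"{policy}/rules/{rule['id']}": rule}, indent=2))
```

PATCH the Service object first and the Rule second, since the rule references the service by path; the rule's `sequence_number` must sort it above the existing L7 MS_SQL rule in the same policy. After applying it, the UDP/1434 lines in dfwpkt.log should show PASS against the new rule id, while TCP/1433 keeps matching the L7 rule.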

Additional Information