Expired DFW Time-Based Policy causes dropped packets



Article ID: 415907


Updated On:

Products

VMware NSX VMware vDefend Firewall

Issue/Introduction

VMs start to drop traffic unexpectedly.
DFW rule 15336 no longer shows traffic being passed as it once did, and the policy is observed to have a green highlighted Timer (in red).



Environment

NSX DFW

Cause

When a DFW policy has a Time-Based Window activated, it is possible that the time window has expired or that the current time is outside the accepted time frame.
Here you can see that the timer, which was once light blue, is now green on the distributed firewall policy.

Resolution

To confirm and remove the Time-Based rule, first click on the green timer in the policy; this opens the Time Window.

Observations showing the Time-Based Window is activated:

  • Purple border around "Selected: Time-Base-Window"
  • Filled light blue radio button
  • "Where used" shows at least 1
  • The "Clear Selection" lettering in light blue (when deactivated it shows in grey and is unselectable)


We can see that the session timer has expired, as the date currently set in the Time Window has passed; this is the cause of the dropped packets.

To remove this session timer, click "Clear Selection" and then click Apply. All of the activation indicators observed above are then removed.



Finish removing the time window by publishing the changes.
The window timer is now back to light blue and no time window is applied to the policy.


Proper VM traffic is now restored. 

Additional Information

More ways to observe whether a Time-Based Window is applied to a DFW policy.

Log in as root to the ESXi host.
Run: summarize-dvfilter | grep -i "VM-Name" -A9
Copy out the slot-2 Name, for example nic-#######-eth0-vmware-sfw.2

Run: vsipioctl getrules -f nic-#######-eth0-vmware-sfw.2

With the timer applied and active, the output shows the time attribute profile on rule ID 15336:
rule 15336 at 6 inout protocol tcp from addrset UUID-Number-Security-Group1 to addrset UUID-Number-Security-Group2 port 53 with time attribute profile UUID-Number-Timer-Profile accept with log tag 'Timer-Test' active;

Run: vsipioctl getrules -f nic-#######-eth0-vmware-sfw.2

After removing the time window, the output no longer shows "time attribute profile" on the rule:
rule 15336 at 6 inout protocol tcp from addrset UUID-Number-Security-Group1 to addrset UUID-Number-Security-Group2 port 53 accept with log tag 'Timer-Test';
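As an added example (not part of this article or of NSX itself), the shell function below audits a vsipioctl getrules dump for rules that still carry a time attribute profile, reporting the rule ID, the profile ID and whether the line ends in "active;". The two-rule sample is constructed here so the script runs offline; on a host it would read the real getrules output, and the "active" keyword interpretation is assumed from the output shown above.

```shell
#!/bin/sh
# Constructed sample of vsipioctl getrules output (not a real dump): one rule with
# a time attribute profile (matching the line shown above) and one without.
SAMPLE_RULES='rule 15336 at 6 inout protocol tcp from addrset UUID-Number-Security-Group1 to addrset UUID-Number-Security-Group2 port 53 with time attribute profile UUID-Number-Timer-Profile accept with log tag '"'"'Timer-Test'"'"' active;
rule 15337 at 7 inout protocol any from any to any accept;'

# Reads getrules output on stdin and prints "<rule-id> <profile-id> <state>"
# for every rule line that carries "with time attribute profile <id>".
# state is "active" when the line ends in "active;", otherwise "inactive".
timed_rules() {
    awk '/^rule [0-9]+ .* with time attribute profile / {
        id = $2
        prof = "?"
        # locate the token after "time attribute profile"; start at 3 so
        # $(i-2) never becomes a negative field index
        for (i = 3; i <= NF; i++) {
            if ($i == "profile" && $(i-1) == "attribute" && $(i-2) == "time") {
                prof = $(i+1); break
            }
        }
        state = ($NF == "active;") ? "active" : "inactive"
        print id, prof, state
    }'
}

# Returns 0 (true) if rule $1 still has a time attribute profile, 1 otherwise.
# getrules output is read on stdin.
rule_has_timer() {
    timed_rules | awk -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# Stand-alone run against the constructed sample
printf '%s\n' "$SAMPLE_RULES" | timed_rules
```

On a host, replace the sample with `vsipioctl getrules -f <filter-name> | timed_rules` to list the rules whose time window is worth checking in the UI.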

This could also be seen or searched in Aria for a broader approach.