Intermittent TCP connection failures observed from VMs using SNAT through NSX Edge.
Client receives RST packets unexpectedly during new TCP session establishment.
Packet captures from Edge show RST packets sourced with the VM’s private IP instead of the SNAT IP.
VMware NSX-T
The issue occurs due to rapid reuse of ephemeral source ports by the VM operating system.
When a new TCP connection is initiated with the same 5-tuple (source IP, source port, destination IP, destination port, protocol) within milliseconds of the previous connection entering a CLOSING state, the Edge prematurely reuses the old connection’s state entry.
This results in the Gateway Firewall treating the new SYN as part of the old flow.
When the server responds with a SYN-ACK for this “new” connection, the Edge detects a state mismatch and generates a TCP RST packet towards the client, causing the connection failure.
This is expected behavior for the Edge Gateway Firewall.
The suggested resolution is outlined in the following KB: NSX Gateway Firewall on T0/T1 Causing TCP Drops with Load Balancer.
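To confirm this pattern in a capture taken at the Edge, the following added Python example (not part of this KB or of NSX) parses a simplified packet listing and flags every SYN that reuses a 5-tuple within a configurable window of the previous flow's FIN or RST, noting whether a RST followed. The listing format, the 50 ms window and the addresses are assumptions; the sample lines are constructed.

```python
"""Flag TCP 5-tuple reuse inside a short window of the previous flow's
teardown, followed by a RST, i.e. the pattern described above. The capture
lines below are constructed for illustration, not a real Edge capture."""
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts src sport dst dport flags")

# Constructed sample (client view): 10.0.0.5 is the VM, 203.0.113.10 the
# server. Port 52000 is reused 4 ms after its FIN and draws a RST; port
# 52001 is reused 2 s after its FIN and is not flagged.
SAMPLE = """
1.000 10.0.0.5 52000 203.0.113.10 443 S
1.001 203.0.113.10 443 10.0.0.5 52000 SA
1.010 10.0.0.5 52000 203.0.113.10 443 FA
1.011 203.0.113.10 443 10.0.0.5 52000 FA
1.015 10.0.0.5 52000 203.0.113.10 443 S
1.016 203.0.113.10 443 10.0.0.5 52000 SA
1.017 203.0.113.10 443 10.0.0.5 52000 R
1.030 10.0.0.5 52001 203.0.113.10 443 FA
3.100 10.0.0.5 52001 203.0.113.10 443 S
"""

def parse_capture(text):
    """Parse 'ts src sport dst dport flags' lines (the assumed format)."""
    out = []
    for line in text.strip().splitlines():
        ts, src, sport, dst, dport, flags = line.split()
        out.append(Pkt(float(ts), src, int(sport), dst, int(dport), flags))
    return out

def find_rapid_reuse(pkts, window_ms=50.0, rst_within_s=1.0):
    """Return [(sport, gap_ms, rst_seen)] for every SYN whose 5-tuple saw a
    FIN or RST less than window_ms earlier; rst_seen marks reuses that were
    then reset within rst_within_s, i.e. the failures this KB describes."""
    last_close = {}  # (src, sport, dst, dport) -> ts of the last FIN/RST
    findings = []
    for i, p in enumerate(pkts):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S" and fwd in last_close:
            gap_ms = (p.ts - last_close[fwd]) * 1000
            if gap_ms < window_ms:
                rst = any("R" in q.flags and q.ts - p.ts <= rst_within_s
                          and (q.src, q.sport, q.dst, q.dport) in (fwd, rev)
                          for q in pkts[i + 1:])
                findings.append((p.sport, round(gap_ms, 1), rst))
        if "F" in p.flags or "R" in p.flags:
            last_close[fwd] = last_close[rev] = p.ts
    return findings
```

Running `find_rapid_reuse(parse_capture(SAMPLE))` reports port 52000 reused 4.0 ms after its close with a RST seen, and nothing for port 52001.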