Egress traffic from a VM in NSX environment works but Ingress from physical towards the VM (North-South routing) fails


Article ID: 417974


Updated On:

Products

VMware NSX

Issue/Introduction

- A VM has Egress traffic working from the VM to the physical network (South-North routing), but Ingress traffic from the physical network towards the VM (North-South routing) fails

- A traceroute from the physical network towards the VM stops at the Tier-1 Service Router (SR), where the NAT is being handled

- A Traceflow in the NSX UI shows the packet being dropped at the Tier-1 SR Edge: "Dropper by IP"

Environment

VMware NSX

Cause

Under Security --> Gateway Firewall, this specific Tier-1 has an Egress traffic rule with Action set to Allow, so Egress traffic is matched correctly and works. However, the gateway also has a default rule configured to Drop all traffic from any source to any destination. Inbound traffic from the physical network matched no explicit Allow rule, fell through to this default rule, and was dropped.

Resolution

To resolve this issue:

Configure a new policy with a rule that matches the interesting Ingress traffic from the physical network to the VM, and set the Action to Allow.

Example: 

Reference documentation: Add a Gateway Firewall Policy and Rule
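As an added example (not part of this KB and not VMware's code), the following Python walks a constructed Tier-1 Gateway Firewall rule table the way the Cause section describes it, first match top to bottom, and shows Ingress traffic falling through to the default Drop rule until an explicit Allow rule is inserted above it. The `gateway_policy_payload()` helper then builds the request body such a rule would take in the NSX Policy API; the field names, the Tier-1 path, the IP addresses and the rule names are all assumptions, so verify them against the API reference for your NSX version. Because the KB notes that NAT is handled on the same Tier-1 SR, confirm with Traceflow which addresses (pre- or post-NAT) the firewall actually sees, and match the rule on those.

```python
"""First-match walk of a Tier-1 Gateway Firewall rule table (added example).

The rule table and flows below are constructed to mirror the KB's cause:
an Egress allow rule followed by a default drop-all. Inbound (IN) traffic
from the physical network matches nothing before the default rule and is
dropped; adding an explicit Ingress allow rule ahead of it fixes that.
Direction handling is simplified; the NSX Policy API field names used in
gateway_policy_payload() are assumed, not taken from the KB.
"""
import ipaddress
import json
from dataclasses import dataclass

VM_IP = "10.10.10.50"               # constructed: VM behind the Tier-1
PHYSICAL_NET = "192.168.100.0/24"   # constructed: physical-network subnet


@dataclass
class Rule:
    name: str
    direction: str          # "IN", "OUT" or "IN_OUT", as in the Policy API
    sources: list           # IP/CIDR strings, or "ANY"
    destinations: list
    action: str             # "ALLOW" or "DROP"


def _matches(prefixes, ip):
    """True if ip falls in any listed prefix, or the list contains ANY."""
    if "ANY" in prefixes:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def evaluate(rules, direction, src, dst):
    """Return (rule name, action) for the first rule that matches the flow.

    Rules are checked top-down and the first hit wins. A real table always
    ends with the default rule, so the trailing fallback is defensive only.
    """
    for r in rules:
        if r.direction not in (direction, "IN_OUT"):
            continue
        if _matches(r.sources, src) and _matches(r.destinations, dst):
            return r.name, r.action
    return None, "DROP"


# Rule table as the KB describes it: Egress allowed, everything else dropped.
BROKEN_TABLE = [
    Rule("Egress-VM-to-physical", "OUT", [VM_IP], ["ANY"], "ALLOW"),
    Rule("default_rule", "IN_OUT", ["ANY"], ["ANY"], "DROP"),
]

# The fix: an explicit Ingress allow rule placed above the default rule.
INGRESS_ALLOW = Rule("Ingress-physical-to-VM", "IN", [PHYSICAL_NET], [VM_IP], "ALLOW")
FIXED_TABLE = [BROKEN_TABLE[0], INGRESS_ALLOW, BROKEN_TABLE[1]]


def gateway_policy_payload(tier1_path, rule, services=("ANY",)):
    """Build an assumed PATCH body for
    /policy/api/v1/infra/domains/default/gateway-policies/<policy-id>.

    Field names follow the NSX Policy API as the author understands it
    (assumption); check them against the API reference for your version.
    Logging is enabled so hits on the new rule show up in the gateway
    firewall logs.
    """
    return {
        "resource_type": "GatewayPolicy",
        "category": "LocalGatewayRules",
        "rules": [{
            "resource_type": "Rule",
            "id": rule.name,
            "display_name": rule.name,
            "direction": rule.direction,
            "source_groups": list(rule.sources),
            "destination_groups": list(rule.destinations),
            "services": list(services),
            "scope": [tier1_path],
            "action": rule.action,
            "logged": True,
        }],
    }


if __name__ == "__main__":
    phys_host = "192.168.100.10"    # constructed: a host on the physical network
    for label, table in (("before", BROKEN_TABLE), ("after", FIXED_TABLE)):
        print(label, "egress :", evaluate(table, "OUT", VM_IP, phys_host))
        print(label, "ingress:", evaluate(table, "IN", phys_host, VM_IP))
    print(json.dumps(gateway_policy_payload("/infra/tier-1s/t1-example", INGRESS_ALLOW), indent=2))
```

Running the block prints the before/after verdicts for both directions and the assumed policy body. The new rule is scoped to the physical subnet rather than ANY, so hosts outside it still hit the default Drop rule; the `logged` flag lets you confirm in the gateway firewall logs that the Ingress flow is now matching the intended rule instead of the default one.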