SCTP INIT and INIT ACK messages between VNF VMs were not exchanged between VMs deployed on same ESXi host but the traffic is routed via external checkpoint firewall in between them.
search cancel

SCTP INIT and INIT ACK messages between VNF VMs were not exchanged between VMs deployed on same ESXi host but the traffic is routed via external checkpoint firewall in between them.

book

Article ID: 420925

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

Packet captures taken on Source and Destination VMs on the switchport and on the uplinks shows that SCTP INIT messages were egressing out of switchport and uplinks of Source ESXi host and only few INIT messages were reaching destination VMs

INIT_ACK from destination VMs were seen on switchport and uplink of destination ESXi host but they were not seen on uplinks of source ESXi host. 

These SCTP traffic between VMs were routed via external checkpoint firewall between them.

Environment

4.2.1.3 

Cause

The cause of the issue is found to be with External checkpoint firewall .

The Check Point protocol handler in the "SCTP" service object does not handle the SCTP traffic that uses a custom port.

 

Resolution

The firewall policy on the external firewall (checkpoint) was changed due to a known issue with checkpoint software versionR80.40 (EOS), R81 (EOS), R81.10, R81.20

The firewall policy was changed to allow complete SCTP protocol suite instead of having policy to allow custom ports.

If such issue occurs with firewall, check with the external firewall vendor for probable resolution.

 

Additional Information

Refer sk180788

Powered by Wolken Software