Impact of IP Discovery Profile Changes on NSGroup Membership and Distributed Firewall

Article ID: 421663

Products

VMware NSX

Issue/Introduction

After an IP Discovery Profile change from TOFU enabled to TOFU disabled, traffic can be dropped because it no longer matches the intended DFW allow rule. The scenario seen in the customer's environment was as follows:

  • The affected IP was an In-Guest VIP (used inside the Guest OS for a 3rd-party LB VIP), not mapped to any vNIC.
  • Because an In-Guest VIP cannot have a VMTools-based binding, it relied solely on ARP/TOFU for discovery.
  • An Allow FW rule exists for the traffic.
  • When the IP Discovery Profile was modified (especially when TOFU was disabled), such In-Guest VIPs may be re-evaluated and removed from NSGroups.
  • Once removed from the NSGroup, traffic referencing this IP no longer hits the DFW allow rule and is dropped.

Environment

VMware NSX 

Cause

  • Binding Re-evaluation Triggered by Profile Change
    • Disabling TOFU causes previously TOFU-realized bindings to transition to is_realized = false.

    • When unrealized, the IP is automatically removed from NSGroup dynamic membership.

  • NSGroup Removal → DFW Drops
    • The IP is no longer included in the NSGroup → Allow rule not matched → Traffic dropped by DFW.

  • Floating IP Characteristics
    • No VMTools binding, because the IP is not mapped to a vNIC (for example, an F5 LB VIP).

    • Discovery depends solely on ARP or TOFU.

    • If TOFU is disabled or ARP entries age out, the IP cannot be re-realized.

Resolution

  • Recommend Adding Critical IPs as Static NSGroup Members
    • Before modifying the IP Discovery Profile, add In-Guest VIPs or other VIPs as static IP entries in the NSGroup.

    • Static members are not affected by profile changes → Prevents DFW drops.

Operational Considerations

  • Avoid disabling TOFU in environments using In-Guest VIPs without VMTools bindings.

  • Always verify NSGroup membership after profile changes.

  • In ARP-dependent environments, the traffic drops themselves can delay ARP refresh and therefore binding re-learning.
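The following Python model is an added illustration of the Cause, Resolution and verification points above; it is not NSX code and does not use NSX internals. It assumes a simplified binding record (IP, discovery source, is_realized flag) and treats dynamic NSGroup membership as the set of realized bindings plus any static IP members, which is the behaviour this article describes.

```python
# Constructed model (not NSX internals): each discovered binding carries the
# source that learned it and an is_realized flag; dynamic NSGroup membership
# counts realized bindings only, while static IP members always count.
from dataclasses import dataclass, field

@dataclass
class Binding:
    ip: str
    source: str            # "VMTOOLS", "ARP" or "TOFU"
    is_realized: bool = True

@dataclass
class NSGroup:
    name: str
    bindings: list = field(default_factory=list)   # discovered (dynamic) bindings
    static_ips: set = field(default_factory=set)   # manually added static members

def apply_profile_change(group, tofu_enabled):
    """Re-evaluate bindings after an IP Discovery Profile change: bindings that
    were realized only through TOFU flip to is_realized=False when TOFU is off."""
    for b in group.bindings:
        if b.source == "TOFU":
            b.is_realized = tofu_enabled
    return group

def effective_members(group):
    """IPs that a DFW rule referencing this group actually matches."""
    return {b.ip for b in group.bindings if b.is_realized} | group.static_ips

def missing_critical_ips(group, critical_ips):
    """Verification step after a profile change: critical IPs (e.g. In-Guest
    VIPs) that are no longer members and would therefore miss the Allow rule."""
    return sorted(set(critical_ips) - effective_members(group))

def demo():
    # Constructed sample: a vNIC IP learned by VMTools and an In-Guest LB VIP
    # (not mapped to any vNIC) that was learned only through TOFU.
    group = NSGroup("web-servers", bindings=[Binding("10.0.0.10", "VMTOOLS"),
                                             Binding("10.0.0.100", "TOFU")])
    vips = ["10.0.0.100"]
    before = missing_critical_ips(group, vips)      # [] -> Allow rule matches
    apply_profile_change(group, tofu_enabled=False)
    after = missing_critical_ips(group, vips)       # ["10.0.0.100"] -> DFW drop
    group.static_ips.add("10.0.0.100")              # resolution: static member
    fixed = missing_critical_ips(group, vips)       # [] -> unaffected by profile
    return before, after, fixed

if __name__ == "__main__":
    print(demo())
```

Running the check before the profile change (with the VIP already added as a static member) is the order the Resolution recommends; the demo adds it afterwards only to show the drop and the recovery side by side.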