Virtual Machines (VMs) located on the same NSX segment as a Palo Alto Gateway VM are experiencing a loss of connectivity to the gateway. This interruption occurs when the Palo Alto gateway is connected to the NSX segment without MAC Learning configuration enabled.
VMware NSX
The issue is caused by the configuration of the MAC Discovery Profile associated with the Palo Alto Gateway VM. Specifically:
Promiscuous Mode and Forged Transmits are not enabled (these settings are not available on an NSX-T segment).
MAC Learning, which serves as an alternative to Promiscuous Mode in NSX-T environments, is not enabled on the MAC Discovery Profile.
Without these settings, the necessary traffic flow for the gateway to function correctly as a router for other VMs on the segment is blocked.
To resolve this issue, you must enable MAC Learning on the segment connecting the Palo Alto VM. Follow the steps below:
Create a new MAC Discovery Profile within your NSX manager.
In the profile settings, enable MAC Change and MAC Learning.
Attach the newly created MAC discovery segment profile to the specific segment currently used by the Palo Alto VM.
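The three steps above can also be expressed as NSX Policy API requests and then checked by reading the objects back. The following is an added example, not code from the original article or from VMware or Palo Alto Networks. The paths and field names follow the NSX Policy API as assumed here and should be confirmed against the API reference for your NSX version; the profile, segment and binding names are constructed placeholders.

```python
import json

API = "/policy/api/v1/infra"  # NSX Policy API base path (assumed; verify for your version)

def build_requests(profile_id, segment_id, binding_id):
    """Return (method, path, body) tuples for the three steps above."""
    profile_path = f"/infra/mac-discovery-profiles/{profile_id}"
    return [
        # Steps 1 and 2: create the profile with MAC Change and MAC Learning on.
        ("PATCH", f"{API}/mac-discovery-profiles/{profile_id}",
         {"display_name": profile_id,
          "mac_change_enabled": True,
          "mac_learning_enabled": True}),
        # Step 3: bind the profile to the gateway's segment only.
        ("PATCH", f"{API}/segments/{segment_id}"
                  f"/segment-discovery-profile-binding-maps/{binding_id}",
         {"mac_discovery_profile_path": profile_path}),
    ]

def audit_segment(binding, profiles):
    """Return findings for one segment; an empty list means the fix is in place.

    binding  -- binding-map object read back from the segment (or None)
    profiles -- dict of policy path -> MAC discovery profile object
    """
    path = (binding or {}).get("mac_discovery_profile_path")
    if not path:
        return ["no MAC discovery profile bound to the segment"]
    profile = profiles.get(path)
    if profile is None:
        return [f"bound profile {path} not found"]
    return [f"{flag} is not enabled in {path}"
            for flag in ("mac_change_enabled", "mac_learning_enabled")
            if not profile.get(flag, False)]

if __name__ == "__main__":
    # Constructed sample names and objects, not taken from a real NSX Manager.
    for method, path, body in build_requests(
            "pa-gw-mac-learning", "seg-pa-gw", "pa-gw-binding"):
        print(method, path, json.dumps(body))
    profiles = {"/infra/mac-discovery-profiles/pa-gw-mac-learning":
                {"mac_change_enabled": True, "mac_learning_enabled": False}}
    binding = {"mac_discovery_profile_path":
               "/infra/mac-discovery-profiles/pa-gw-mac-learning"}
    print(audit_segment(binding, profiles))
```

Because MAC Learning and MAC Change relax the segment's default MAC restrictions, the audit is useful for confirming that the profile is bound only to the segment used by the gateway VM.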