During NSX platform upgrade an edge node has stopped handling traffic

Article ID: 422566

Products

VMware NSX VMware vSphere ESX 8.x

Issue/Introduction

  • An NSX edge in bridge mode has stopped forwarding traffic.
  • The portgroup is configured as a trunk port with allow forged transmits, promiscuous mode and MAC address changes enabled, along with MAC learning.
  • The port security for the port, as shown by "net-dvs -l", displays: com.vmware.vswitch.port.security = 0x 5. 0
  • The "pktsDropped" counter on the switchport under "inputStats" is seen incrementing for the l2sec filter (vswitch-l2sec) when queried with the command:

     vsish -e get /net/portsets/<dvs_portset>/ports/<port_id>/inputStats

    example output (snip):

            FILTER <vswitch-l2sec:0x0>
                    pktsStarted:16407
                    pktsPassed:16407
                    pktsDropped:432
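A small helper to confirm this symptom from two snapshots of the inputStats output (added example, not part of the KB article; the vsish output below is constructed from the snippet above, and the counter values of the second sample are assumed):

```sh
#!/bin/sh
# Extract the pktsDropped counter of the vswitch-l2sec filter from
# "vsish -e get /net/portsets/<dvs_portset>/ports/<port_id>/inputStats"
# output and report whether it grew between two samples.

# Constructed first sample, modelled on the article's snippet.
SAMPLE_BEFORE='   FILTER <vswitch-l2sec:0x0>
           pktsStarted:16407
           pktsPassed:16407
           pktsDropped:432
   FILTER <other-filter:0x0>
           pktsStarted:10
           pktsPassed:10
           pktsDropped:0'

# Constructed second sample, assumed to be taken a few seconds later.
SAMPLE_AFTER='   FILTER <vswitch-l2sec:0x0>
           pktsStarted:16890
           pktsPassed:16890
           pktsDropped:517
   FILTER <other-filter:0x0>
           pktsStarted:12
           pktsPassed:12
           pktsDropped:0'

# l2sec_dropped: read inputStats text on stdin and print the pktsDropped
# value that belongs to the vswitch-l2sec FILTER block only.
l2sec_dropped() {
    awk '
        /FILTER </ { inblk = ($0 ~ /vswitch-l2sec/) }
        inblk && /pktsDropped:/ { sub(/.*pktsDropped:/, ""); print $0 + 0; exit }
    '
}

# l2sec_drops_increasing: compare two samples, print the delta and return 0
# when the l2sec drop counter grew (the symptom in this article), 1 otherwise.
l2sec_drops_increasing() {
    before=$(printf '%s\n' "$1" | l2sec_dropped)
    after=$(printf '%s\n' "$2" | l2sec_dropped)
    delta=$((after - before))
    printf 'vswitch-l2sec pktsDropped: %s -> %s (delta %s)\n' "$before" "$after" "$delta"
    [ "$delta" -gt 0 ]
}

# On a host, replace the two samples with two vsish runs a few seconds apart.
l2sec_drops_increasing "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
```

A non-zero delta confirms that the l2sec filter is dropping the edge's frames; a zero delta means the counter is stale and the cause lies elsewhere.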

Environment

VMware vSphere ESX 8.0

Cause

The allow forged transmits setting is not propagated correctly to the host, so on the host it is effectively set to "Deny". Therefore, when the guest OS or an application in the VM does something governed by that policy, such as sending frames with a source MAC address other than its own (which an edge in bridge mode must do to forward bridged traffic), the host treats it as a security violation and the packet is dropped or the port is blocked.

Resolution

  1. Create a new trunk portgroup with allow forged transmits and MAC learning enabled.
  2. Move the edge VM data interface from the previous portgroup to the new trunk portgroup.

Additional Information

vDS ports go into blocked state for security violations even when the security policy is enabled