Connectivity to Supervisor VIP Fails on NSX with VCF 9.0.1

Article ID: 424466


Products

VMware NSX

Issue/Introduction

In VCF 9.0.1, connectivity to the Supervisor Control Plane Virtual IP (VIP) may fail when traffic originates from a VM connected to a Tier-1/Tier-0 Gateway created by the NSX Container Plugin (NCP) and a broad SNAT rule (ANY → ANY) is configured on that Gateway.

Traffic works as expected when the source VM is connected to a Tier-1/Tier-0 Gateway that was not created by NCP.

Environment

VCF VMware NSX 9.x


Cause

The failure is caused by a packet flow mismatch resulting from the Gateway Firewall being disabled by default in VCF 9.0.1 (Greenfield deployments), combined with a broad SNAT configuration.


  • An external client (Outside NSX) initiates a connection by sending a SYN packet to the Supervisor VIP or workload.

  • The incoming SYN packet does not match the SNAT rule.

  • Because the Gateway Firewall is disabled, no stateful session is created for this inbound traffic.

  • The packet is forwarded to the workload, which responds with a SYN-ACK.

  • The outbound SYN-ACK matches the ANY-ANY SNAT rule, causing source IP translation.

  • The external client receives a response from an unexpected source IP, resulting in the connection being reset or dropped.


Resolution

Workaround:

Option 1) Enable the Edge Gateway Firewall to restore default stateful inspection. This allows the system to create a state table entry upon the arrival of the initial SYN packet, ensuring the return traffic is not incorrectly translated by the SNAT rule.

Option 2) Configure a No-DNAT rule specifically for the destination IP of the workload/VIP. This forces the creation of a state entry for both the SYN and SYN-ACK packets, preventing them from falling through to the broad SNAT translation.

Option 3) Replace the ANY → ANY SNAT rule with a more specific SNAT rule that applies only to the required source and destination criteria. This ensures the SYN-ACK traffic does not incorrectly match the SNAT rule, preventing unintended source IP translation.
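The packet flow in the Cause section and the three workarounds, as an added model that is not NSX code and not part of this article: a minimal gateway with a NAT rule list and a state table, driven through the SYN/SYN-ACK exchange. All addresses and the pod subnet are constructed; the only behaviour modelled is which packets create a state entry and which are re-evaluated against SNAT.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
Packet = namedtuple("Packet", "src dst")  # only the addresses matter for this flow

@dataclass(frozen=True)
class NatRule:
    action: str           # "SNAT" or "NO_DNAT"
    src: str = "ANY"      # match criteria: "ANY" or a CIDR
    dst: str = "ANY"
    translated: str = ""  # translated source address for SNAT

def _match(cidr, ip):
    return cidr == "ANY" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

class Gateway:  # Tier-1 with NAT rules and an optional stateful gateway firewall
    def __init__(self, rules, firewall_enabled):
        self.rules, self.firewall_enabled, self.state = rules, firewall_enabled, set()
    def inbound(self, pkt):  # external client -> VIP; the inbound SYN never matches SNAT
        no_dnat_hit = any(r.action == "NO_DNAT" and _match(r.dst, pkt.dst) for r in self.rules)
        if self.firewall_enabled or no_dnat_hit:
            self.state.add((pkt.src, pkt.dst))  # state entry that the return path will use
        return pkt

    def outbound(self, pkt):  # VIP -> external client, as the client will see it
        if (pkt.dst, pkt.src) in self.state:
            return pkt  # reply of a known session is not re-evaluated against SNAT
        for r in self.rules:
            if r.action == "SNAT" and _match(r.src, pkt.src) and _match(r.dst, pkt.dst):
                return Packet(r.translated, pkt.dst)  # source IP rewritten: the failure
        return pkt

CLIENT, VIP = "203.0.113.10", "192.0.2.50"  # constructed addresses
BROAD_SNAT = NatRule("SNAT", translated="198.51.100.1")  # ANY -> ANY
POD_SNAT = NatRule("SNAT", src="10.244.0.0/16", translated="198.51.100.1")  # option 3
NO_DNAT_VIP = NatRule("NO_DNAT", dst=VIP + "/32")  # option 2

def handshake_ok(rules, firewall_enabled):
    gw = Gateway(rules, firewall_enabled)
    gw.inbound(Packet(CLIENT, VIP))            # the SYN
    reply = gw.outbound(Packet(VIP, CLIENT))   # the SYN-ACK
    return reply.src == VIP  # client resets if the SYN-ACK arrives from another IP

def scenarios():
    return {
        "fw off, ANY->ANY SNAT": handshake_ok([BROAD_SNAT], False),
        "option 1: fw on": handshake_ok([BROAD_SNAT], True),
        "option 2: No-DNAT for VIP": handshake_ok([NO_DNAT_VIP, BROAD_SNAT], False),
        "option 3: specific SNAT": handshake_ok([POD_SNAT], False),
    }
```

Only the first scenario returns False; it is the one in which the SYN-ACK leaves with a translated source address.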