Overview of NSX Login Behaviour

Article ID: 426980


Products

VMware NSX

Issue/Introduction

This article discusses the VMware NSX login mechanism, focusing on how account lockouts are based on the specific combination of a username and the source IP address of the login attempt.

Environment

VMware NSX

Resolution

The authentication framework in VMware NSX utilizes a granular lockout mechanism that functions on a per-account, per-source IP basis.

Technical Behavior and Scenarios:

  • Targeted Source Lockout: If an admin account exceeds the failed login threshold from IP 10.x.x.x, the system caches a lockout state specifically for that [Account: admin | IP: 10.x.x.x] pairing. Any subsequent attempts from that specific IP using the admin username will be rejected until the lockout period expires.
  • Account Independence: Despite the lockout of the admin user, the same source IP (10.x.x.x) remains capable of authenticating with different credentials, such as the audit account. This confirms that the restriction is not an IP-based block, but is scoped to the specific credential-source pair.
  • Administrative Continuity: Crucially, this mechanism ensures that a lockout triggered at one location does not result in a total denial of service. The admin account remains fully accessible from an alternative source IP (e.g., 20.x.x.x), allowing users to access the NSX environment.
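
The three scenarios above can be reproduced with a small model of a lockout cache keyed on the (account, source IP) pair. This is an added illustration, not NSX code: the class and function names, the threshold of 5 failures, the 900-second lockout period, the counter reset on success and the sample addresses are all assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class PairLockout:
    """Illustrative model: lockout state is keyed on (username, source IP)."""
    max_failures: int = 5        # assumed threshold, not an NSX default
    lockout_seconds: int = 900   # assumed lockout period, not an NSX default
    failures: dict = field(default_factory=dict)      # (user, ip) -> failed count
    locked_until: dict = field(default_factory=dict)  # (user, ip) -> expiry time

    def attempt(self, user, ip, password_ok, now):
        key = (user, ip)
        expiry = self.locked_until.get(key)
        if expiry is not None:
            if now < expiry:
                # Locked pair: refused even when the password is correct.
                return "rejected-locked"
            # Lockout period has expired: clear the cached state for this pair.
            del self.locked_until[key]
            self.failures.pop(key, None)
        if password_ok:
            self.failures.pop(key, None)  # assumption: success resets the counter
            return "success"
        count = self.failures.get(key, 0) + 1
        self.failures[key] = count
        if count >= self.max_failures:
            self.locked_until[key] = now + self.lockout_seconds
        return "failed"


def run_scenarios():
    """Replay constructed login events matching the article's three scenarios."""
    nsx = PairLockout()
    # Constructed input: five bad admin passwords from 10.0.0.5 at t = 0..4.
    for t in range(5):
        nsx.attempt("admin", "10.0.0.5", password_ok=False, now=t)
    return {
        # Targeted source lockout: same account, same IP.
        "admin_from_locked_ip": nsx.attempt("admin", "10.0.0.5", True, now=10),
        # Account independence: different account, same IP.
        "audit_from_same_ip": nsx.attempt("audit", "10.0.0.5", True, now=11),
        # Administrative continuity: same account, different IP.
        "admin_from_other_ip": nsx.attempt("admin", "20.0.0.7", True, now=12),
        # Lock was set at t=4, so it expires at t=904.
        "admin_after_expiry": nsx.attempt("admin", "10.0.0.5", True, now=904),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```
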

Additional Information

To understand login attempts to the NSX Manager or Edge node, refer to the following KB article: Admin account lockout policy for the NSX Edge and Manager nodes