Network Connectivity issues Due to Missing IPFIX Properties on VDS

Article ID: 427131

Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

  • The environment is using vDefend Security, specifically DVPG-based security.
  • IPFIX (NetFlow) is enabled on the Distributed Virtual Switch (DVS) or Distributed Virtual Port Group (DVPG).
  • When virtual machines are powered on:
    • The vNIC may appear as Connected in vCenter.
    • The guest operating system does not have network connectivity.
  • When a virtual machine vMotions to a host, it loses network connectivity.

  • On the affected host, the following errors can be observed in /var/log/vmkernel.log:

    2026-##-##T##:##:##.###Z Wa(180) vmkwarning: cpuxx:########)WARNING: nsxt-ipfix: IpfixDVPortParamWrite:###: [nsx@6876 comp="nsx-esx" subcomp="ipfix"]Did not find information for 'DvsPortset-#'
    2026-##-##T##:##:##.###Z Wa(180) vmkwarning: cpuxx:########)WARNING: nsxt-ipfix: IpfixDVPortParamWrite:###: [nsx@6876 comp="nsx-esx" subcomp="ipfix"]Is Netflow correctly configured?
    2026-##-##T##:##:##.###Z Wa(180) vmkwarning: cpuxx:########)WARNING: NetDVS: ####: Failed to write critical property com.vmware.etherswitch.port.ipfix on port #####, return :Not found.
    2026-##-##T##:##:##.###Z Wa(180) vmkwarning: cpuxx:########))WARNING: NetPort: ####: failed to enable port, portID: 0x######, status: Not found
    2026-##-##T##:##:##.###Z In(182) vmkernel: cpuxx:########)NetPort: ###: disabled port 0x########
    2026-##-##T##:##:##.###Z In(182) vmkernel: cpuxx:########)Vmxnet3: ###: Port_Enable failed for port 0x########

    These messages indicate that the DVPort is blocked because the IPFIX properties could not be applied.

  • Verification
    These examples illustrate expected versus problematic behavior. Actual output may vary; compare hosts in your environment to identify missing IPFIX properties.

    Good Host (Expected Output)

    root@ESXi-1:# net-dvs -l | grep -E "^switch |common.alias|ipfix" | grep -v "com.vmware.etherswitch.port.ipfix = enabled"
    switch ## ## ## ## ## ## ## ##-## ## ## ## ## ## ## ## (vswitch)
                    com.vmware.common.alias = <DVS-Name> ,       propType = CONFIG
                    com.vmware.etherswitch.ipfix:
                    com.vmware.common.portset.ipfixfirewall = 0x 0. 0


    Bad Host (Problematic Output)

    root@ESXi-1:# net-dvs -l | grep -E "^switch |common.alias|ipfix" | grep -v "com.vmware.etherswitch.port.ipfix = enabled"
    switch ## ## ## ## ## ## ## ##-## ## ## ## ## ## ## ## (vswitch)
                    com.vmware.common.alias = <DVS-Name> ,       propType = CONFIG
                    <IPFIX-related properties are missing>
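
A per-switch version of the comparison above, as an added example that is not part of the original article or any vendor tooling. It assumes the two switch-level property names shown in the Good Host output are the ones to look for; `check_ipfix_props`, `constructed_sample` and the sample switch data are hypothetical names and values made up for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Reads `net-dvs -l` output on stdin and prints
# "OK <alias>" or "MISSING <alias>" per switch; returns 1 if any switch lacks
# a switch-level IPFIX property. Assumption: the two property names checked
# here are the ones shown in the Good Host output above.
check_ipfix_props() {
    awk '
    function report() {
        if (sw == "") return
        ok = (has_ipfix && has_fw)
        printf "%s %s\n", (ok ? "OK" : "MISSING"), (alias != "" ? alias : sw)
        if (!ok) bad++
    }
    /^switch / { report(); sw = $0; alias = ""; has_ipfix = 0; has_fw = 0; next }
    /com\.vmware\.common\.alias = / {
        alias = $0
        sub(/.*com\.vmware\.common\.alias = /, "", alias)
        sub(/ *,.*/, "", alias)
    }
    # Switch-level property only; the per-port key
    # com.vmware.etherswitch.port.ipfix does not match this pattern.
    /com\.vmware\.etherswitch\.ipfix([^A-Za-z.]|$)/ { has_ipfix = 1 }
    /com\.vmware\.common\.portset\.ipfixfirewall/   { has_fw = 1 }
    END { report(); exit (bad > 0 ? 1 : 0) }
    '
}

# Constructed sample (not captured from a real host): one healthy switch and
# one with the switch-level IPFIX properties missing.
constructed_sample() {
    cat <<'EOF'
switch 00 11 22 33 44 55 66 77-88 99 aa bb cc dd ee ff (vswitch)
        com.vmware.common.alias = DVS-Good ,    propType = CONFIG
        com.vmware.etherswitch.ipfix:
        com.vmware.common.portset.ipfixfirewall = 0x 0. 0
        com.vmware.etherswitch.port.ipfix = enabled
switch ff ee dd cc bb aa 99 88-77 66 55 44 33 22 11 00 (vswitch)
        com.vmware.common.alias = DVS-Bad ,     propType = CONFIG
        com.vmware.etherswitch.port.ipfix = enabled
EOF
}

# On an ESXi host use the live output; elsewhere fall back to the sample.
if command -v net-dvs >/dev/null 2>&1; then
    net-dvs -l | check_ipfix_props || echo "switch-level IPFIX properties missing"
else
    constructed_sample | check_ipfix_props || echo "switch-level IPFIX properties missing"
fi
```

The non-zero return status makes the function usable in a pre-vMotion or post-maintenance health check that flags a host before virtual machines land on it.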

Environment

Any NSX, vCenter, or ESXi version

Cause

Some required IPFIX-related properties are missing from the vSphere Distributed Switch (VDS) on affected hosts. This typically occurs due to improper cleanup or synchronization issues, such as:

  • The VDS being out of sync
  • Improper NSX removal or uninstall
  • Force removal of NSX components
  • Improperly moving a host between clusters

As a result, the DVS is unable to apply the required IPFIX properties to DVPorts, causing the ports to be blocked and network connectivity to fail.

Resolution

    1. Remove the affected ESXi host from the vSphere Distributed Switch (VDS).
    2. Re-add the host to the same DVS.

This action restores the missing IPFIX-related properties on the host and resolves the DVPort blocking issue, allowing VM network connectivity to function normally.