Traffic hitting an incorrect DFW rule due to IP(s) missing from addrsets on ESXi hosts
Article ID: 427320

Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

One or more VMs are members of a dynamic group created on NSX Manager. The IP address of a VM (or VMs) is missing from the NSGroup (addrset) that backs a DFW rule on the ESXi host, so the VM's traffic matches a different rule or the default rule instead of the intended one. The behavior is observed intermittently.

Environment

VMware NSX - All versions

Cause

1. The VM in question was powered off or reset just before the issue, as seen in its vmware.log:

2026-01-28T07:17:04.331Z In(05) vcpu-0 - Checkpoint_Unstun: vm stopped for 14768 us
2026-01-28T07:17:04.331Z In(05) vcpu-0 - CPU reset: hard (mode Emulation)
2026-01-28T07:17:04.331Z In(05) vcpu-2 - CPU reset: hard (mode Emulation)
2026-01-28T07:17:04.331Z In(05) vcpu-5 - CPU reset: hard (mode Emulation)
2026-01-28T07:17:04.331Z In(05) vcpu-4 - CPU reset: hard (mode Emulation)
2026-01-28T07:17:04.331Z In(05) vcpu-6 - CPU reset: hard (mode Emulation)
2026-01-28T07:17:04.331Z In(05) vcpu-3 - CPU reset: hard (mode Emulation)
2026-01-28T07:17:04.331Z In(05) vcpu-7 - CPU reset: hard (mode Emulation)
2026-01-28T07:17:04.331Z In(05) vcpu-1 - CPU reset: hard (mode Emulation)
.
.
2026-01-28T07:17:04.382Z In(05) vcpu-0 - VM reset: virtual hardware upgrade requested. Power off for client power on.
2026-01-28T07:17:04.382Z In(05) vmx - Stopping VCPU threads...
.
.
2026-01-28T07:17:04.629Z In(05) vmx - Transitioned vmx/execState/val to poweredOff           <<<< The VM was powered off

<New log>

2026-01-28T07:17:11.423Z In(05) vmx - TOOLS INSTALL initializing state to IDLE on power on.          <<< Tools got initialized here
.
2026-01-28T07:17:11.455Z In(05) vcpu-0 - Transitioned vmx/execState/val to poweredOn         <<< The VM was powered on

2. The power-off causes the VM's IP address to be removed from the NSGroup (addrset) on the host.

3. Once the VM is back online, its IP address is learned again (by VMware Tools, ARP snooping, or both) and is added back to the NSGroup. Until that happens, traffic from or to the VM does not match the intended rule.
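To find such windows in a vmware.log, here is an added Python helper (not from the KB) that pairs each poweredOff transition with the next poweredOn and reports the gap, during which the VM's IP would be absent from the addrset; the sample log is constructed from the excerpt above, and the line format is assumed to match it.

```python
"""Pair poweredOff/poweredOn transitions in vmware.log lines and report the
window in which the VM's IP is expected to be missing from NSGroup addrsets.
Added example, not from the KB; line format assumed from the KB excerpt."""
import re
from datetime import datetime

# e.g. "2026-01-28T07:17:04.629Z In(05) vmx - Transitioned vmx/execState/val to poweredOff"
TRANSITION = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+)Z .*?"
    r"Transitioned vmx/execState/val to (?P<state>poweredOff|poweredOn)\b"
)
# e.g. "... VM reset: virtual hardware upgrade requested. Power off for client power on."
RESET = re.compile(r"VM reset: (?P<reason>.+?)\s*$")


def find_power_cycles(lines):
    """Return one record per poweredOff -> poweredOn pair: both timestamps,
    the gap in seconds, and the last 'VM reset:' reason seen before power-off."""
    cycles, off_ts, reason = [], None, None
    for line in lines:
        m = RESET.search(line)
        if m:
            reason = m.group("reason")
        m = TRANSITION.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%f")
        if m.group("state") == "poweredOff":
            off_ts = ts
        elif off_ts is not None:  # poweredOn closing an open window
            cycles.append({"off": off_ts, "on": ts,
                           "gap_s": (ts - off_ts).total_seconds(),
                           "reason": reason})
            off_ts, reason = None, None
    return cycles


# Constructed sample built from the timestamps in the KB excerpt.
SAMPLE_LOG = """\
2026-01-28T07:17:04.331Z In(05) vcpu-0 - CPU reset: hard (mode Emulation)
2026-01-28T07:17:04.382Z In(05) vcpu-0 - VM reset: virtual hardware upgrade requested. Power off for client power on.
2026-01-28T07:17:04.629Z In(05) vmx - Transitioned vmx/execState/val to poweredOff
2026-01-28T07:17:11.423Z In(05) vmx - TOOLS INSTALL initializing state to IDLE on power on.
2026-01-28T07:17:11.455Z In(05) vcpu-0 - Transitioned vmx/execState/val to poweredOn
""".splitlines()

if __name__ == "__main__":
    for c in find_power_cycles(SAMPLE_LOG):
        print(f"{c['off'].isoformat()} -> {c['on'].isoformat()} "
              f"({c['gap_s']:.3f}s addrset gap); reason: {c['reason']}")
```

Run it over a real vmware.log (one power-on per log file, so concatenate the rotated logs in order) and compare the reported windows with the time at which the misdirected traffic was seen.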

Resolution

This NSX behavior is by design. Investigate why the VM was reset or powered off; the following KB articles can help:

1. Determining why a VM was Powered off / Restarted / Rebooted

2. The virtual machines are observed to undergo a reboot sequence at specific intervals.