When Using Turbo Mode (IDPS or Layer 7 DFW), packets sent to SCRX are dropped
Article ID: 428291

Updated On:

Products

VMware vDefend Firewall with Advanced Threat Prevention
VMware vDefend Firewall

Issue/Introduction

  • When Turbo Mode (IDPS or Layer 7 DFW) is enabled, packets sent to SCRX are dropped.
  • Packet counters show a non-zero value for "drop_invalid" while every other drop counter is zero. "drop_invalid" is the aggregate of all drop reasons, so none of the specific counters (including "drop_invalid_runt") accounts for the drops.


The behavior can be observed by running the following command on the ESXi host (the statistics are returned as JSON; piping them through python's json.tool module pretty-prints them):

/opt/vmware/nsx-cli/bin/nsx-appctl -t /var/run/vmware/scx/sdp.ctl sdp/get/stats | python -m json.tool

 

Example: (only relevant output shown)

[root@ESXi:] /opt/vmware/nsx-cli/bin/nsx-appctl -t /var/run/vmware/scx/sdp.ctl sdp/get/stats | python -m json.tool
{
      },
      "drop_copy": 0,
      "drop_fragments": 0,
      "drop_invalid": 848543245,
      "drop_invalid_dst_ip": 0,
      "drop_invalid_ip_proto": 0,
      "drop_invalid_runt": 0,
      "drop_invalid_src_ip": 0,
      "drop_invalid_udp_port": 0,
      "drop_ipv4_recovery_failed": 0,
      "drop_ipv6_recovery_failed": 0,
      "drop_noflow": 0,
      "drop_partition_failed": 0,
      "drop_service": 0,
      "drop_service_ring_error": 0,
      "drop_software_ring_full": 0,
      "drop_txerror": 0,
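
The check above is easy to misread by eye in a long JSON dump, so the following script (an added example, not part of the KB article or of any VMware tooling) parses the sdp/get/stats output and reports whether it matches the signature described in this article: "drop_invalid" non-zero while every other "drop_*" counter is zero. It walks the JSON recursively because the counters sit inside a nested object in the real output; the nesting key "stats" in the embedded sample, and the sample values themselves, are constructed for illustration and only the counter names are taken from the article.

```python
"""Classify sdp/get/stats output for the Turbo Mode runt-drop signature.

Usage on the ESXi host (command from the KB article, piped into this script):
  /opt/vmware/nsx-cli/bin/nsx-appctl -t /var/run/vmware/scx/sdp.ctl sdp/get/stats \
      | python check_sdp_drops.py
"""
import json
import sys

DROP_PREFIX = "drop_"


def collect_drop_counters(obj, found=None):
    """Recursively gather every integer "drop_*" counter in the (nested) stats JSON.

    Returns a dict counter name -> value. A counter name seen at more than one
    nesting level is summed, which is what we want for a per-host verdict.
    """
    if found is None:
        found = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key.startswith(DROP_PREFIX) and isinstance(value, int):
                found[key] = found.get(key, 0) + value
            else:
                collect_drop_counters(value, found)
    elif isinstance(obj, list):
        for item in obj:
            collect_drop_counters(item, found)
    return found


def classify(stats):
    """Return one of:
       "no_drops"               every drop_* counter is zero
       "runt_padding_signature" drop_invalid > 0 while every specific drop_*
                                counter (including drop_invalid_runt) is 0,
                                the pattern this KB article describes
       "other_drops"            at least one specific drop_* counter is non-zero
    """
    drops = collect_drop_counters(stats)
    invalid = drops.get("drop_invalid", 0)
    specific_all_zero = all(v == 0 for k, v in drops.items() if k != "drop_invalid")
    if invalid == 0 and specific_all_zero:
        return "no_drops"
    if invalid > 0 and specific_all_zero:
        return "runt_padding_signature"
    return "other_drops"


# Constructed sample modelled on the KB output: only the counter names are from
# the article; the enclosing "stats" key and the rx_packets value are assumptions.
SAMPLE_RUNT_SIGNATURE = json.loads("""
{
  "stats": {
    "rx_packets": 1200000000,
    "drop_copy": 0,
    "drop_fragments": 0,
    "drop_invalid": 848543245,
    "drop_invalid_dst_ip": 0,
    "drop_invalid_ip_proto": 0,
    "drop_invalid_runt": 0,
    "drop_invalid_src_ip": 0,
    "drop_invalid_udp_port": 0,
    "drop_ipv4_recovery_failed": 0,
    "drop_ipv6_recovery_failed": 0,
    "drop_noflow": 0,
    "drop_partition_failed": 0,
    "drop_service": 0,
    "drop_service_ring_error": 0,
    "drop_software_ring_full": 0,
    "drop_txerror": 0
  }
}
""")

# Constructed counter-example: drops that a specific counter does explain.
SAMPLE_OTHER_DROPS = json.loads("""
{
  "stats": {
    "drop_invalid": 17,
    "drop_invalid_runt": 0,
    "drop_noflow": 17,
    "drop_txerror": 0
  }
}
""")


if __name__ == "__main__":
    # Read the raw nsx-appctl JSON from stdin and print the verdict.
    verdict = classify(json.loads(sys.stdin.read()))
    print(verdict)
```

A "runt_padding_signature" verdict on a host running NSX 4.2.2 or later with Turbo Mode enabled is the condition this article describes; "other_drops" means at least one specific counter explains the drops and a different cause should be investigated first.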

Environment

NSX 4.2.2 or above
Turbo Mode enabled

Cause

  • The physical NIC (pNIC) on the ESXi host intermittently strips the Ethernet padding from ingress frames.
  • For frames that are exactly 64 bytes long (the minimum Ethernet frame size), removing the padding produces runt (<64 byte) frames.
  • When these runt frames are forwarded to the IDPS engine, the engine incorrectly drops them; the drops are accounted for only in the aggregate "drop_invalid" counter, not in "drop_invalid_runt" or any other specific counter.

Resolution

To be fixed in a future NSX release.