NSX VMs connected to VLAN-backed segments fail to display IP addresses in vCenter Virtual Machine Summary page, and also in the NSX Security Group Members Effective members Virtual InterFace (VIFs)
search cancel

NSX VMs connected to VLAN-backed segments fail to display IP addresses in vCenter Virtual Machine Summary page, and also in the NSX Security Group Members Effective members Virtual InterFace (VIFs)

book

Article ID: 428694

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

Virtual machines (VMs) connected to VMware NSX 4.2.3 VLAN-backed segments do not display IP address telemetry in management interfaces, even though they remain fully accessible and operational. The IP is also expected to be displayed in the securities groups effective members VIFs.

 

  • The vCenter VM Summary page shows "IP Address: N/A" or is entirely blank.


  • In the NSX Manager UI, the Inventory > Groups > [Security Group] > IP Addresses/VIFs section shows no populated IP for affected VMs.

  • VMs are confirmed online and can successfully ping their default gateway.

  • Backend CLI tools (nsxdp-cli, nxcli) confirm the port is realized on the host and the segment is active.

    The VM interface will be displayed here with vDS switchport number,  UUID, MAC address, vmnic, and vLAN tag. Prove the interface is realized on the host.

  • The port information found in the network tab of vCenter will have the Virtual Machine’s port information with a state of link up.

Environment

  • Product: VMware NSX
  • Version: 4.2.3
  • Network Configuration: VLAN-backed segments

Cause

The issue is typically caused by a failure in the IP Discovery mechanism or a synchronization lag between the NSX Management Plane, the Transport Node, and vCenter.

  • VLAN-Backed Transparency: Unlike Overlay segments, NSX does not participate in DHCP or Routing for VLAN segments. It must "learn" IPs through ARP/DHCP snooping or VMware Tools.
  • Discovery Failure: If the IP Discovery Profile is not configured to snoop traffic on the specific VLAN segment, the bindings are never created.
  • Sync Lag: A realization failure can occur between the Host Transport Node and the Manager, or between the Manager and vCenter, preventing learned IPs from populating the UI.

Resolution

  1. Verify and Configure IP Discovery Profile:
    • Navigate to Networking > Segments > Segment Profiles.
    • Check the IP Discovery profile assigned to the affected VLAN segment.
    • Ensure ARP Snooping and DHCP Snooping are both enabled.
    • Note: For VMs using static IPs, ARP Snooping must be active for NSX to learn the IP from outgoing traffic.
  2. Validate VMware Tools:
    • Ensure VMware Tools is installed and running on the guest VM, as it serves as a primary source for the vCenter IP summary.
  3. Force a Host Resync:
    • Use the following Policy API to force a re-realization of the Host Transport Node where the VM resides:
      POST /policy/api/v1/infra/sites/default/enforcement-points/default/host-transport-nodes/<node-uuid>?action=resync_host_config
  4. Restart Management Services:
    • If a UI glitch is suspected, restart the proton service on NSX Managers or the vpxd service on vCenter.

Additional Information

Enabling snooping allows the NSX Distributed Firewall (DFW) and Management Plane to correctly identify the IP-to-MAC-to-Port mapping required for security group membership.

Powered by Wolken Software