Virtual machines located on an NSX Overlay network are unable to perform name resolution or ping DNS servers.
The primary symptoms are nslookup failures returning "Server not found" errors and ICMP timeouts when attempting to reach the DNS server IP to/from the affected VM.
This issue is typically observed when traffic must traverse a Tier-1 and Tier-0 gateway to reach infrastructure services. Diagnostic testing confirms that while the routing path is valid, the packets are being discarded by the firewall.
VMware NSX
In NSX, a packet that matches no user-defined rule is handled by the default rule (Rule 1002), which allows traffic unless its action has been changed in your environment. If the default rule has been set to Drop, connectivity can only be restored by creating an explicit permit rule, in this case one allowing DNS and ICMP traffic.
Verification via NSX Traceflow shows: Packet dropped by Rule 1002.
The specific services (UDP 53 and ICMP) must be explicitly permitted in the Gateway Firewall policy for the traffic to pass between the T1 and T0 gateways.
To resolve this issue, you must update the Gateway Firewall policies to explicitly permit DNS and ICMP traffic between the relevant security groups.
Log in to the NSX Manager UI.
Navigate to Security > Gateway Firewall.
Select the Gateway Specific tab and choose the affected gateway.
Update the existing rule or create a new entry with the following configuration:
Source: The Security Group containing the source VMs.
Destination: The Security Group containing the DNS servers.
Services: Select DNS (UDP 53) and ICMP V4.
Action: Set to Allow.
Repeat these steps for the Tier-1 Gateway if the traffic is being dropped at that level.
Click Publish to apply the changes.
Traceflow Validation: Before and after making changes, use the NSX Traceflow tool to confirm the packet path. A successful result will show the packet reaching the destination.
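As an added example (not part of the original article), the following Python script models the first-match evaluation described above so you can audit a gateway policy before publishing it: it walks the user-defined rules in sequence order and, if none match the DNS or ICMP flow, reports the fall-through to Rule 1002 with whatever action that default rule currently has. The rule shape follows the NSX Policy API fields (sequence_number, source_groups, destination_groups, services, action); the group, service and gateway paths are constructed sample values, not identifiers from a real environment.

```python
"""Pre-flight check for an NSX Gateway Firewall policy: does a DNS/ICMP flow
hit an explicit Allow rule before falling through to the default rule?
Rule dicts mirror the NSX Policy API field names; all paths are assumptions."""

ANY = "ANY"
DEFAULT_RULE_ID = "1002"  # default gateway rule from the article; its action is site-specific


def _matches(field, value):
    # NSX rule fields are lists of object paths; "ANY" matches everything.
    return ANY in field or value in field


def evaluate(rules, src_group, dst_group, service, default_action):
    """Return (rule_id, action) of the first user rule matching the flow,
    ordered by sequence_number, or (DEFAULT_RULE_ID, default_action) if none."""
    for rule in sorted(rules, key=lambda r: r["sequence_number"]):
        if (_matches(rule["source_groups"], src_group)
                and _matches(rule["destination_groups"], dst_group)
                and _matches(rule["services"], service)):
            return rule["id"], rule["action"]
    return DEFAULT_RULE_ID, default_action


def build_allow_rule(rule_id, seq, src_group, dst_group, services, gateway_path):
    """Build an Allow rule body in (assumed) NSX Policy API form, scoped to one gateway."""
    return {"id": rule_id, "display_name": rule_id, "sequence_number": seq,
            "source_groups": [src_group], "destination_groups": [dst_group],
            "services": list(services), "action": "ALLOW", "scope": [gateway_path]}


# Constructed sample paths (assumptions, not from the article or a real setup).
SRC = "/infra/domains/default/groups/overlay-vms"
DST = "/infra/domains/default/groups/dns-servers"
DNS_UDP = "/infra/services/DNS-UDP"
ICMP = "/infra/services/ICMP-ALL"
T0 = "/infra/tier-0s/t0-gw"


def demo():
    """Before: no user rules, default rule set to DROP. After: explicit Allow rule added."""
    before = []
    dropped = [evaluate(before, SRC, DST, s, "DROP") for s in (DNS_UDP, ICMP)]
    after = [build_allow_rule("allow-dns-icmp", 10, SRC, DST, (DNS_UDP, ICMP), T0)]
    allowed = [evaluate(after, SRC, DST, s, "DROP") for s in (DNS_UDP, ICMP)]
    return dropped, allowed


if __name__ == "__main__":
    print(demo())
```

Run the same evaluation against the rules you exported from the gateway policy to see which rule a flow would match, then confirm the live path with Traceflow as described above.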
Workaround: If immediate resolution is required for testing, try placing the VMs in the exclusion list.