DHCP IP lease renewal requests are dropped for client VMs that are external to NSX when utilizing a DHCP Server VM that is connected to an NSX segment.

Article ID: 430068

Products

VMware NSX

Issue/Introduction

  • Client DHCP IP lease renewal requests are dropped.
  • Clients are connected to a network outside NSX and are configured to obtain DHCP IPs from a DHCP Server VM connected to an NSX segment.
  • Clients utilize a DHCP Relay Server connected to the same external network as the Client VM to access the DHCP Server VM.
  • Client broadcasts for a DHCP IP to the DHCP Server VM via the DHCP relay work as expected.
  • Client unicasts for a DHCP IP lease renewal are dropped.
  • 'DHCP Server Block Drop Count' logical switch port statistics are incrementing for the DHCP Server VM and / or Edge VM:

    To confirm whether the 'DHCP Server Block Drop Count' is incrementing, run the following ESXi commands on the host(s) of the DHCP Server VM and / or Edge VM:
    1. SSH to the ESXi host of the DHCP Server VM and Edge VM(s).
    
    2. Confirm the DVS Name and dvPort ID:
    esxcfg-vswitch -l | grep <vm-name>
    
    3. Read the security statistics on this port, noting the "DHCP Block Drop Count":
    nsxdp-cli swsec get stats --dvport <DVPort ID> --dvs-alias <dvs_name>
    
    Spoof Guard Ipv4 Drop Count        : 0
    Spoof Guard Ipv6 Drop Count        : 0
    --
    Rate Limit Mcast Rx Drop Count     : 0
    DHCPv4 Server Block Drop Count     : 56       <------- Confirm that drop count is incrementing.
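A counter that is merely non-zero could be historical; the symptom is that it keeps rising while renewals fail. The helper below, an added example and not part of this article, parses two snapshots of the `nsxdp-cli swsec get stats` output and reports whether the DHCPv4 Server Block counter increased between them. The two snapshots are constructed sample text in the format shown above; `live_check` shows how the same functions would be fed from a real host, with the dvPort ID and DVS alias passed in as placeholders.

```sh
# Constructed snapshots of `nsxdp-cli swsec get stats` output for one dvPort,
# taken a short interval apart (sample data, not captured from a real host).
SAMPLE_BEFORE='Spoof Guard Ipv4 Drop Count        : 0
Spoof Guard Ipv6 Drop Count        : 0
Rate Limit Mcast Rx Drop Count     : 0
DHCPv4 Server Block Drop Count     : 56'

SAMPLE_AFTER='Spoof Guard Ipv4 Drop Count        : 0
Spoof Guard Ipv6 Drop Count        : 0
Rate Limit Mcast Rx Drop Count     : 0
DHCPv4 Server Block Drop Count     : 61'

# Extract the DHCPv4 Server Block Drop Count from stats text read on stdin.
# Only the digits after the colon are kept, so trailing annotations are ignored.
dhcp_block_drops() {
    awk -F: '/DHCPv4 Server Block Drop Count/ { gsub(/[^0-9]/, "", $2); print $2; exit }'
}

# Compare two snapshots of the same dvPort. Prints the delta and returns 0 when
# the counter increased (renewal traffic is being dropped), 1 when it did not,
# 2 when the counter line is missing from either snapshot.
drops_incrementing() {
    before=$(printf '%s\n' "$1" | dhcp_block_drops)
    after=$(printf '%s\n' "$2" | dhcp_block_drops)
    if [ -z "$before" ] || [ -z "$after" ]; then
        echo "DHCPv4 Server Block Drop Count not found" >&2
        return 2
    fi
    echo $((after - before))
    [ "$after" -gt "$before" ]
}

# Live use on the ESXi host (not executed here): sample the port twice, 30 s
# apart, while a client is attempting to renew. $1 is the dvPort ID and $2 the
# DVS alias obtained from `esxcfg-vswitch -l` (placeholders, supplied by caller).
live_check() {
    s1=$(nsxdp-cli swsec get stats --dvport "$1" --dvs-alias "$2")
    sleep 30
    s2=$(nsxdp-cli swsec get stats --dvport "$1" --dvs-alias "$2")
    drops_incrementing "$s1" "$s2"
}
```

Run `live_check <DVPort ID> <dvs_name>` on the host; a printed delta greater than zero and a zero exit status confirm the drop counter is still climbing.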

Environment

VMware NSX

Cause

The NSX Segment Security Profiles applied to the segments where the DHCP Server and / or Edge VMs reside have 'DHCP Server Block' enabled. This security feature is designed to prevent unauthorized VMs from acting as DHCP servers by blocking traffic from a DHCP server to a DHCP client; it does not block traffic from a DHCP server to a DHCP relay agent. The broadcast exchange therefore succeeds, because it passes through the relay, while the unicast IP lease renewal requests sent directly from the client to the server are dropped.

NB: The default NSX Segment Security Profile has 'DHCP Server Block' enabled.

Resolution

This is a condition that may occur in a VMware NSX environment.

Workaround
Disable the 'DHCP Server Block' feature on the NSX Segment Security Profiles applied to the segments where the DHCP Server and / or Edge VMs reside.

NB: If the segments are currently using the default NSX Segment Security Profile, create a new Segment Security Profile with 'DHCP Server Block' disabled. Then replace the default NSX Segment Security Profile with this new Segment Security Profile on the segments where the DHCP Server and / or Edge VMs reside.

Additional Information

Create a Segment Security Segment Profile