Flows from external IPs to AVI VIP are not visible in VCF Operations for Networks

Article ID: 432381

Products

VCF Operations for Networks

Issue/Introduction

In VCF Operations for Networks, flows originating from external IP addresses connecting to an AVI Load Balancer Virtual IP (VIP) hosted inside NSX may not be visible in the UI.

Administrators may observe that:

  • Flows are not visible in the UI for traffic from an interface IP that is not known to VCF Operations for Networks to the AVI VIP.

    • Where the Query is:
      • flows where Source IP Address = <source-ip address> and Destination IP Address = <destination-ip address>

  • Flow records exist in the collector logs (nfcapd).

  • Wrong reporting point rejection statistics are reported:
      • Raw Ipfix Record Rejection Stats [file=/var/flows/vds/nfcapd/nfcapd.<ts>]: WRONG_REPORTING_POINT: <number of rejections>

NOTE:

  • VCF Operations for Networks was formerly named Aria Operations for Networks (AON), and prior to that was named vRealize Network Insight (vRNI).
  • VCF Operations for Logs was formerly named Aria Operations for Logs and prior to that was named vRealize Operations for Logs (vRLI).

Environment

This issue may occur in environments using:

  • VMware Cloud Foundation 9.X
  • VCF Operations for Networks 6.14.X
  • VCF Operations for Networks 6.13
  • VMware NSX
  • VMware NSX Advanced Load Balancer (AVI)
  • Environments where external clients connect to an AVI VIP

Cause

This behavior occurs because flows from unknown interface IP/Internet IP → Load Balancer VIP are not currently supported by the flow processing logic.

In this scenario:

  • The AVI VIP is hosted by a Service Engine (SE).
  • The flow is reported with the interface identification (ID) of the Service Engine.
  • The flow is reported with the destination IP as the AVI VIP.

Since the interface ID corresponds to the Service Engine while the destination IP remains the VIP, the collector is unable to correctly map the flow to a known interface.

Due to this mismatch, the flow fails interface validation and is rejected during processing, which prevents it from appearing in the vRNI UI.

The rejection can be observed in the flow processor logs with messages similar to:

WRONG_REPORTING_POINT: <number of rejections>
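
To quantify the rejections described above, the following added example (not part of the original article or of the product) totals the WRONG_REPORTING_POINT counts per nfcapd file from log text read on stdin. It assumes the line format shown in this article; the function names and sample lines are constructed, and the log file to feed in is left to the reader because the article does not name it.

```shell
#!/bin/sh
# Added example: total WRONG_REPORTING_POINT rejections per nfcapd file.
# Input is log text on stdin, in the line format quoted in this article.

# Constructed sample lines (timestamps and counts are made up).
sample_log() {
cat <<'EOF'
Raw Ipfix Record Rejection Stats [file=/var/flows/vds/nfcapd/nfcapd.202501010000]: WRONG_REPORTING_POINT: 12
Raw Ipfix Record Rejection Stats [file=/var/flows/vds/nfcapd/nfcapd.202501010005]: WRONG_REPORTING_POINT: 0
Raw Ipfix Record Rejection Stats [file=/var/flows/vds/nfcapd/nfcapd.202501010010]: WRONG_REPORTING_POINT: 3
Raw Ipfix Record Rejection Stats [file=/var/flows/vds/nfcapd/nfcapd.202501010000]: WRONG_REPORTING_POINT: 5
unrelated line without rejection stats
EOF
}

# Prints "<count> <nfcapd file>" for each file with rejections, sorted by
# file name, followed by "<sum> TOTAL". Lines without the marker are ignored.
summarise_wrp() {
    awk '
    BEGIN { key = "WRONG_REPORTING_POINT:" }
    index($0, "Raw Ipfix Record Rejection Stats") && (k = index($0, key)) {
        # File name sits between "[file=" and the next "]".
        file = "unknown"
        i = index($0, "[file=")
        if (i) {
            rest = substr($0, i + 6)
            j = index(rest, "]")
            if (j) file = substr(rest, 1, j - 1)
        }
        # "+ 0" keeps the leading integer after the marker (0 if none).
        n = substr($0, k + length(key)) + 0
        count[file] += n
        total += n
    }
    END {
        for (f in count)
            if (count[f] > 0) print count[f], f | "sort -k2"
        close("sort -k2")
        print total + 0, "TOTAL"
    }'
}

# Demo on the constructed sample; replace with: summarise_wrp < your-log-file
sample_log | summarise_wrp
```

A non-zero total while the query in the Issue section returns no flows matches the behaviour this article describes.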

Resolution

Engineering has identified this limitation and is working on an enhancement to support these flows.

This is a known issue impacting VCF Operations for Networks.

If you believe you have encountered this issue, please open a support case with Broadcom Support and refer to this KB article. For more information, see Creating and managing Broadcom support cases.