Virtual Machine network connectivity loss on NSX VLAN-backed segments
Article ID: 433269

Products

VMware NSX

Issue/Introduction

Virtual Machines residing on NSX VLAN-backed segments experience a total loss of network connectivity. While the physical underlay and ESXi networking stack remain functional, traffic is dropped at the NSX logical segment layer. Connectivity is typically restored only when the VM is migrated to a standard vSphere Distributed Switch (VDS) portgroup.

  • VMs on NSX segments cannot reach their default gateway or peer VMs.

  • Pings to the gateway fail despite the physical switch reporting the uplink is up.

  • Moving the VM to a non-NSX portgroup immediately restores network access.


Environment

VMware NSX

Cause

The root cause is the configuration of the NSX Segment Security Policy "default-segment-security-policy", which often has the DHCP Server Block setting enabled by default. With DHCP offers dropped at the segment, VMs that rely on DHCP cannot obtain or renew an address, which appears as a total loss of connectivity.

  • The DHCP Server Block setting blocks traffic traveling from a DHCP server to a DHCP client, but it does not block traffic sent from a DHCP server to a DHCP relay agent.

  • The DHCP Client Block setting prevents a virtual machine (VM) from acquiring or maintaining an IP address by blocking DHCP renewal requests.

  • Even if the DHCP Server Block setting is disabled, Distributed Firewall (DFW) rules must still be configured to explicitly allow DHCP packets to traverse the segment.

Resolution

1. Update Segment Security

  • Go to NSX Manager > Networking > Segments

  • Edit the affected segment and disable DHCP Server Block in the security profile

2. Update DFW Rules

  • Go to Security > Distributed Firewall

  • Add or verify allow rules for the DHCP Client and DHCP Server services
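As an added illustration of the two checks above (example code, not from this KB or from NSX), the following Python audits NSX Policy-API-shaped objects for a bound segment security profile with DHCP Server Block or DHCP Client Block enabled, and for a DFW rule order that fails to allow the DHCP services. The field names, the DHCP-Client/DHCP-Server service paths and all sample profiles, bindings and rules are assumptions constructed for the example.

```python
# Added example, not from the KB: audit NSX Policy-API-shaped objects for the
# two conditions above. Field/service names are assumed; all data is constructed.
PROFILES = {  # constructed SegmentSecurityProfile objects
    "default-segment-security-profile":  # carries the setting at issue
        {"dhcp_server_block_enabled": True, "dhcp_client_block_enabled": False},
    "dhcp-permitted-profile":
        {"dhcp_server_block_enabled": False, "dhcp_client_block_enabled": False},
}
BINDINGS = {  # constructed segment -> profile bindings
    "vlan-seg-100": "default-segment-security-profile",
    "vlan-seg-200": "dhcp-permitted-profile",
}
DFW_RULES = [  # constructed rules in evaluation order; an early DROP wins
    {"action": "DROP", "services": ["/infra/services/DHCP-Server"]},
    {"action": "ALLOW", "services": ["/infra/services/DHCP-Client",
                                      "/infra/services/DHCP-Server"]},
]
DHCP_SERVICES = {"DHCP-Client", "DHCP-Server"}


def dfw_blocked_dhcp(rules, default_action="ALLOW"):
    """DHCP services still blocked after a first-match walk; unmatched ones
    take the default rule's action."""
    undecided, blocked = set(DHCP_SERVICES), set()
    for rule in rules:
        names = {s.rsplit("/", 1)[-1] for s in rule["services"]}
        hit = undecided if "ANY" in names else undecided & names
        if rule["action"] != "ALLOW":
            blocked |= hit
        undecided -= hit
    return blocked | (undecided if default_action != "ALLOW" else set())


def audit_segments(profiles, bindings, rules, default_action="ALLOW"):
    """Map each segment to the reasons its VMs cannot complete DHCP."""
    dfw_blocked = dfw_blocked_dhcp(rules, default_action)
    findings = {}
    for segment, profile_id in bindings.items():
        profile, reasons = profiles[profile_id], []
        if profile.get("dhcp_server_block_enabled"):
            reasons.append(f"{profile_id}: DHCP Server Block enabled")
        if profile.get("dhcp_client_block_enabled"):
            reasons.append(f"{profile_id}: DHCP Client Block enabled")
        reasons += [f"DFW blocks {svc}" for svc in sorted(dfw_blocked)]
        findings[segment] = reasons
    return findings


if __name__ == "__main__":
    for seg, why in audit_segments(PROFILES, BINDINGS, DFW_RULES).items():
        print(seg, "; ".join(why) or "DHCP path clear")
```

In a real environment the same objects come from the Policy API (segment security profiles, their binding maps and the DFW rules), and a segment is only healthy when both its profile and the rule walk come back clean.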


Additional Information

Additional Articles

Virtual machine does not receive DHCP Server offers on NSX-backed network segment