• VMware ESXi hosts experience a Purple Diagnostic Screen (PSOD).
• The host is configured as an NSX Transport Node with the Enhanced Network Stack (ENS) enabled.
• The crash occurs within the nsxt-vsip (Distributed Firewall) module.
• The PSOD backtrace points to the Ens-Lcore (ENS Logical Core) process.
• The PSOD screen or extracted vmkernel-zdump displays an assertion failure similar to the following:
  
  Panic Details: Crash at 2026-03-04T03:11:02.433Z on CPU 61 running world 2108172 - Ens-Lcore-12. VMK Uptime:323:23:23:41.376
Panic Message: @BlueScreen: line 12464 assert "(s->state_flags & PFSTATE_TCP_HALF_OPEN) == 0" failed
Backtrace:
  0x45395879b590:[0x420039b19bda]PanicvPanicInt@vmkernel#nover+0x202 stack: 0x4a00000000, 0x420039b19bda, 0x0, 0x420000000001, 0x420039b19bda
  0x45395879b640:[0x420039b1a4fc]Panic_vPanic@vmkernel#nover+0x25 stack: 0x45dac850f2a2, 0x420039b3259f, 0x1, 0x42003c703350, 0x0
  0x45395879b660:[0x420039b3259e]vmk_vPanic@vmkernel#nover+0xf stack: 0x0, 0x453900000008, 0x45395879b6d0, 0x45395879b690, 0x1
  0x45395879b670:[0x42003c70334f][email protected]#1.0.8.0.22667792+0x4c stack: 0x45395879b6d0, 0x45395879b690, 0x1, 0x30b0, 0x0

(gdb) bt
#0 0x0000420039b1a4e6 in Panic_vPanic (fmt=0x42003c75cc90 "line %d\tassert \"(s->state_flags & PFSTATE_TCP_HALF_OPEN) == 0\" failed\n", args=0x45395879b678) at bora/vmkernel/main/panic.c:229
#1 0x0000420039b3259f in vmk_vPanic (moduleID=<optimized out>, fmt=<optimized out>, ap=<optimized out>) at bora/vmkernel/main/vmkapi_assert.c:44
#2 0x000042003c703350 in ?? ()
#3 0x0000000000000000 in ?? ()
  
  

ESXi 7.0U3
NSX 4.1.2.1
TCP 4.0.1

• This is a known issue caused by a strict assertion within the NSX-T Enhanced Network Stack (ENS) fastpath packet processing cycle (VSIPDVFFCFastpathActionCb).
• When the ENS fastpath encounters a TCP connection flow where the TCP_HALF_OPEN flag is set (indicating the TCP 3-way handshake is incomplete), an internal safety check (PF_VERIFY) fails.
• Because the fastpath code does not expect a half-open state at this specific stage of processing, it triggers a kernel panic to prevent potential state table corruption.

This issue is resolved in the following releases:

VMware NSX 4.1.2.3, VMware NSX 4.2.0 and later.

Workaround

If upgrading to a resolved version is not immediately possible, you can prevent the PSOD by disabling the Enhanced Network Stack (ENS) and reverting to the Standard Data Path.

1. Place the affected ESXi host(s) into Maintenance Mode.
2. In the NSX Manager UI, navigate to System > Fabric > Hosts.
3. Edit the Transport Node Profile (TNP) or the individual Host Transport Node configuration.
4. Change the Mode from Enhanced Datapath to Standard.
5. Save the configuration to allow the NSX kernel modules to reconfigure.

Important Note for Telco/NFV Environments: Disabling ENS removes DPDK-like hardware acceleration polling. While this workaround stabilizes the host, it will significantly reduce maximum packet throughput (PPS) and may introduce latency/jitter. For Cloud Native Network Functions (CNFs) with strict performance SLAs, applying the resolution (upgrading to 4.1.2.3) is strongly recommended over applying this workaround.

• In the resolved versions, if the ENS fastpath detects the TCP_HALF_OPEN flag, it no longer triggers an assertion failure.
• Instead, ENS gracefully punts the packet to the standard datapath (slowpath) so the flow can be safely revalidated and recreated without causing a host crash.