• An alarm for Edge Datapath Mempool High is seen in the NSX UI relating to mempools pfa_ctx_pl3, pfa_key_ace_pl3, and pfa_attrconn_pl3.
• These specific mempools are related to Layer 7 Gateway Firewall rules.
• If the mempool usages approach 100% usage, the Layer 7 GFW rules stop being processed until the datapath is restarted.
• Additionally, DNS requests, which hit a L7 DNS rule, can be dropped when there was no free entry in either mempool.
• An Example of the alarm in the NSX UI (there are similar alarms for mempools pfa_key_ace_pl3 and pfa_ctx_pl3):

Edge Datapath Mempool High
nsx-edge-103
Transport Node
Medium
Dec 17, 2025, 12:17:51 PM
Open
Beginning of Expandable row content Screen reader table commands may not work for viewing expanded content, please use your screen reader's browse mode to read the content exposed by this button
Description:
The datapath mempool usage for pfa_attrconn_pl3 on Edge node <UUID> has reached 85% which is at or above the high threshold value of 85%.

Recommended Action:
Get the mempool usage using `get dataplane memory stats` CLI. 1. In case of high usage in malloc heap mempool, grep `malloc_heap` in the syslog file to get the pattern for increase in usage. If the free space is fairly consistent across all the logs, it just means high usage of malloc_heap and there wont be any functional or traffic disruption. 2. Firewall related mempool usage high means capacity is low. Move the Edge to a larger form factor or increase the number of Edge nodes in the Edge cluster. 3. Increase Edge form factor if alarm is raised after upgrading to a new configuration. View Knowledge Base  

• The mem_usage.json log contained in the /var/run/vmware/edge/ directory of the NSX edge node support bundle shows percent usage over 85%:

/var/run/vmware/edge/mem_usage.json
{"name": "pfa_attrconn_pl3", "description": "Stateful Service Attribute Connection Pool", "total": 442368, "used": 389690, "percent": 88.09},
{"name": "pfa_ctx_pl3", "description": "Stateful Service Context Pool", "total": 24576, "used": 21649, "percent": 88.09},
{"name": "pfa_key_ace_pl3", "description": "Stateful Service Integer Attribute Key Pool", "total": 65536, "used": 57731, "percent": 88.09}

VMware NSX

• This issue is found in NSX 4.2.x where L7 rules are configured on Edge nodes and FQDN Analysis is enabled
• Mempools pfa_ctx_pl3, pfa_key_ace_pl3, and pfa_attrconn_pl3 are not purged even after they are no longer needed (e.g. timestamp of mempool expired)

The issue is addressed in vDefend Firewall / NSX 4.2.4 and all subsequent versions released after 4.2.4.

If the memory pool usage continues to increase on the Active edge, follow the steps below :-

• During a maintenance window, fail over the Active edge
• Once that edge becomes the Standby edge, put it into NSX maintenance mode
• Reboot the Standby edge to clear the mempools
• Take the Standby edge back out of NSX maintenance mode.