• VMware NSX and vDefend Distributed Firewall is in use.
• 'DFW vMotion Failure' NSX alarms are observed as per the below example:

The DFW vMotion for DFW filter nic-######-eth####-vmware-sfw.2 on destination host <hostname> has failed and the port for the entity has been disconnected.

• Checking  var/log/vmkernel.log on the ESXi reporting the issue we can see the following:
  • A filter create for the VM reporting the issue:

2026-03-17T09:35:19.553Z In(182) vmkernel: cpu97:2098640)Filter creation report: filter = nic-########-eth####-vmware-sfw.1, source = Create

• • An ERROR for the import of a local root table.

2026-03-17T09:35:19.567Z In(182) vmkernel: cpu97:2098640)pfr_attach_table: nic-########-eth####-vmware-sfw.1: ERROR ***************** local root table <address set> not found
2026-03-17T09:35:19.567Z In(182) vmkernel: cpu97:2098640)pfioctl: DIOCADDRULE failed with error 22

• • This results in an import failure and an import alarm to be thrown:

2026-03-17T09:35:19.567Z In(182) vmkernel: cpu97:2098640)failed to import single ruleset: Failure
2026-03-17T09:35:19.567Z In(182) vmkernel: cpu97:2098640)IMPORTTLVRULES failed: 195887105
2026-03-17T09:35:19.567Z In(182) vmkernel: cpu97:2098640)Sending message to cfgAgent to raising alarm for filter import failure
2026-03-17T09:35:19.567Z In(182) vmkernel: cpu97:2098640)Failed to restore datapath state : Failure

NOTE: The preceding log excerpts are only examples. Date, time and environmental variables may vary depending on your environment.

VMware NSX

vDefend Firewall

This is a known issue where the ESXi attempts an import and create event are triggered. As newly created filters do not have local tables, the import event fails to find these tables.

NSX raises a DFW vMotion failure alarm as the ESXi has reported an import failure which is related to a vMotion.

This issue is resolved in ESXi 9.0 and future ESXi 8.0 releases.

There is no workaround to this issue.