VM connectivity lost to fortigate gateway.


Article ID: 434114


Products

VMware NSX

Issue/Introduction

You may experience a loss of incoming network traffic on a specific NSX-T overlay segment when using a FortiGate VM as a gateway. In this configuration, while outgoing traffic from a Test VM is visible, incoming traffic is lost.

  • Test VMs on the same segment show only outgoing traffic; incoming packets do not reach the VM.

  • No ARP entries are learned on the ESXi host for the affected segment.

  • The issue persists even after migrating VMs to different hosts within the same cluster.


Environment

VMware NSX

Cause

The segment is using the Default MAC Discovery Profile, which has MAC Learning disabled by default. When a virtual appliance (like a FortiGate) acts as a bridge or gateway and uses multiple MAC addresses behind a single vNIC, the NSX-T host will not learn or forward traffic to these additional MAC addresses unless MAC Learning is explicitly enabled.

Resolution

To resolve this, you must ensure the segment is using a MAC Discovery Profile with MAC Learning and MAC Change enabled. You can either modify an existing custom profile or create a new one.

  1. Log in to the NSX Manager UI.

  2. Navigate to Networking > Segments > Segment Profiles.

  3. Option A: Create a New Profile

    • Click Add Segment Profile and select MAC Discovery Profile.

    • Name the profile (e.g., Custom-MAC-Learning-Profile).

    • Set MAC Learning to Enabled.

    • Set MAC Change to Enabled.

    • Click Save.

  4. Option B: Edit an Existing Profile

    • Locate the custom MAC Discovery Profile currently in use.

    • Click Edit and ensure both MAC Learning and MAC Change are toggled to Enabled.

    • Click Save.

  5. Apply the Profile to the Segment:

    • Navigate to Networking > Segments.

    • Locate the affected segment, click the vertical ellipsis (three dots), and select Edit.

    • Under Segment Profiles, locate the MAC Discovery dropdown and select the profile configured in the previous steps.

    • Click Save.

Once the profile is applied, the ESXi hosts will begin discovering MAC addresses correctly, restoring incoming traffic to the Test VM and the FortiGate Layer 2 gateway.
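As an added example (not part of this article), the following Python audit applies the cause described above to NSX Policy API data: it resolves each segment's effective MAC Discovery Profile and flags any segment still lacking MAC Learning or MAC Change. The object and field names (MacDiscoveryProfile, mac_learning_enabled, mac_change_enabled, mac_discovery_profile_path) and the fallback to the default profile when a segment has no explicit binding are assumptions; the segment names and profile values are constructed sample data.

```python
"""Audit NSX-T segments whose effective MAC Discovery Profile lacks MAC Learning
or MAC Change, the condition this article describes behind a FortiGate gateway."""

# Assumed NSX Policy API object shapes: a MacDiscoveryProfile exposes
# mac_learning_enabled / mac_change_enabled, and a segment's
# SegmentDiscoveryProfileBindingMap carries mac_discovery_profile_path.
# Every name and value below is constructed sample data, not a live export.
DEFAULT_PROFILE_PATH = "/infra/mac-discovery-profiles/default-mac-discovery-profile"
CUSTOM_PROFILE_PATH = "/infra/mac-discovery-profiles/Custom-MAC-Learning-Profile"
REQUIRED = ("mac_learning_enabled", "mac_change_enabled")

SAMPLE_PROFILES = {"results": [
    {"path": DEFAULT_PROFILE_PATH, "mac_learning_enabled": False, "mac_change_enabled": False},
    {"path": CUSTOM_PROFILE_PATH, "mac_learning_enabled": True, "mac_change_enabled": True},
]}
SAMPLE_BINDINGS = {  # segment id -> that segment's binding-map list response
    "fortigate-transit": {"results": [{"mac_discovery_profile_path": DEFAULT_PROFILE_PATH}]},
    "app-tier": {"results": [{"mac_discovery_profile_path": CUSTOM_PROFILE_PATH}]},
    "db-tier": {"results": []},  # no explicit binding: assumed to use the default profile
}


def effective_profile_path(binding_response):
    """Path of the MAC Discovery Profile the segment actually uses."""
    for binding in binding_response.get("results", []):
        if binding.get("mac_discovery_profile_path"):
            return binding["mac_discovery_profile_path"]
    return DEFAULT_PROFILE_PATH


def audit_segments(profiles_response, bindings_by_segment):
    """Return {segment_id: [missing settings]} for segments whose profile would
    drop frames sourced from extra MAC addresses behind a single gateway vNIC."""
    by_path = {p["path"]: p for p in profiles_response["results"]}
    findings = {}
    for segment, binding in bindings_by_segment.items():
        profile = by_path.get(effective_profile_path(binding))
        if profile is None:
            findings[segment] = ["profile_not_found"]
            continue
        missing = [k for k in REQUIRED if not profile.get(k, False)]
        if missing:
            findings[segment] = missing
    return findings


if __name__ == "__main__":
    for segment, missing in audit_segments(SAMPLE_PROFILES, SAMPLE_BINDINGS).items():
        print(f"{segment}: enable {', '.join(missing)} on its MAC Discovery Profile")
```

Against the sample data the audit reports fortigate-transit (bound to the default profile) and db-tier (no binding), while app-tier, which uses the custom profile from the steps above, is clean.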

Additional Information

Zscaler Branch Connector VIP Fails to Respond When Hosted on ESXi Due to Virtual MAC Handling