Several Virtual Machines in a cluster may experience a total loss of network connectivity due to their associated ports entering a "Blocked" state. In the affected environment, ports were observed toggling between "cleared" and "blocked" in the VMkernel logs. Manual attempts to unblock these ports using net-dvs are typically unsuccessful when this issue occurs.

VMware NSX

This behavior is triggered by a known JDK synchronization bug within the NSX software. This bug causes a hang in the management services, leading to a disconnect between the logical state (Management Plane) and the physical state (Data Plane/ESXi). Even after the Management Plane is recovered, specific services on the ESXi host, such as nestdb and the proxy services can remain in an inconsistent state, causing the "Blocked" port status to reoccur.

Tiered Recovery Approach for NSX Port Connectivity

To fully resolve the blocked port state and restore network connectivity, please follow this tiered remediation strategy:

1. Management Plane Recovery

• Perform a rolling reboot of the NSX Manager cluster to clear the JDK-related synchronization hang.

• Follow the procedures in Broadcom KB 405110 to force a logical unblock of the affected ports at the ESXi level.

2. If the port remains blocked or the issue persists on specific ESXi hosts, proceed with the following:

• On the affected host, attempt to restart the local nestdb and nsx-proxy services to re-establish the control plane agent state.

• If services do not recover or the state remains inconsistent, perform a full reboot of the ESXi host. This ensures a complete flush of the management agents and a clean state synchronization with the recovered NSX Managers.

For further details on the underlying JDK bug signatures, see:

• Broadcom KB 396719

• Broadcom KB 391622