ESXi hosts no longer able to communicate with NSX Manager after hardware modification in single-node cluster
Article ID: 435014

Updated On:

Products

VMware NSX

Issue/Introduction

  • In a VMware NSX environment running a single-node Manager cluster, ESXi hosts lose communication with the NSX Manager after a hardware change made directly in vCenter (for example, changing the appliance's CPU count) followed by a reboot of the appliance.
  • Packet captures show that management traffic destined for the NSX Manager is dropped by the Distributed Firewall (DFW) on the ESXi host where the appliance runs.
  • Inspection of the host dataplane shows a slot 2 (vmware-sfw.2) dvFilter attached to the NSX Manager vNIC, even though the appliance was manually placed in the DFW User Exclusion List.

Environment

VMware NSX


Cause

During the reboot, the NSX Manager VM is disconnected from and then reconnected to its NSX port. Because the environment runs a single-node Manager cluster, the Central Control Plane (CCP) is entirely offline while the appliance boots. The host's local control plane agent (vsfwd) sees the power-on event but cannot validate the VM's UUID against the offline CCP to associate it with the User Exclusion List, so the default slot 2 firewall filter is applied to the Manager vNIC. The Manager is then locked out by its own DFW, and because the CCP it would need to correct the filter runs inside that same locked-out VM, the condition does not clear on its own.

Resolution

  • Access the ESXi shell on the host where the isolated NSX Manager virtual machine currently resides.

  • Run the following dataplane override command to forcibly clear the active filters from the host:

    vsipioctl clearallfilters -Override -a vmware-sfw

    Note that this removes the vmware-sfw filters for every VM on that host, not only the NSX Manager, until the control plane resynchronises in the reboot step below.

  • Verify that the NSX Manager regains network connectivity and that the Management Plane fully initialises.

  • Place the ESXi host into Maintenance Mode and reboot it to re-establish standard NSX Control Plane synchronisation and recover the native dvFilter state.

  • To permanently prevent this lockout, and to use the native System Excluded VMs group rather than the manual User Exclusion List, update the advanced VMX parameters of the NSX Manager appliance so that it is identified as a Management Plane VM (see the related article under Additional Information).
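Before clearing every filter on the host, confirm that the lockout is what the Issue section describes: a vmware-sfw filter in slot 2 attached to the NSX Manager vNIC. The POSIX shell helper below is an added example and is not part of this article or of any VMware tooling. It parses the output of the ESXi summarize-dvfilter command for a named VM and prints the matching slot 2 filter names so that their rules can be inspected with vsipioctl getrules -f before anything is cleared. The embedded sample output is constructed for illustration; its field layout follows the usual summarize-dvfilter format but is an assumption, not something taken from this article.

```shell
#!/bin/sh
# Added example (not VMware code): locate the slot 2 vmware-sfw dvFilter on a
# given VM's vNICs from summarize-dvfilter output read on stdin.
#
# Usage on a live ESXi host (assumed invocation, run from the ESXi shell):
#   summarize-dvfilter | find_sfw_filters NSX-Manager
#   vsipioctl getrules -f <filter name printed above>
# An NSX Manager that is correctly excluded from the DFW should print nothing.

find_sfw_filters() {
  vm="$1"
  awk -v vm="$vm" '
    # "world <id> vmm0:<vm name> vcUuid:..." opens the block for one VM.
    /^world / { in_vm = ($3 == ("vmm0:" vm)); slot = "" }
    # "vNic slot N" gives the dvFilter slot of the entries that follow.
    in_vm && /^ *vNic slot / { slot = $3 }
    # Only report filters owned by the DFW agent in slot 2.
    in_vm && slot == 2 && /^ *name:/ && $2 ~ /vmware-sfw/ { print $2 }
  '
}

# Returns 0 (locked out) if the VM still carries a slot 2 DFW filter,
# 1 otherwise. Reads summarize-dvfilter output on stdin.
is_dfw_attached() {
  [ -n "$(find_sfw_filters "$1")" ]
}

# Constructed sample of summarize-dvfilter output (not captured from a real
# host): two VMs, both with a DFW filter in slot 2.
SAMPLE=$(cat <<'EOF'
world 2099374 vmm0:NSX-Manager vcUuid:'50 1a 2b 3c 4d 5e 6f 70-81 92 a3 b4 c5 d6 e7 f8'
 port 50331662 NSX-Manager.eth0
  vNic slot 2
   name: nic-2099374-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
   vmState: Attached
   failurePolicy: failClosed
   serviceVMID: none
   filter source: Dynamic Filter Creation
world 2099501 vmm0:web-01 vcUuid:'50 1a 2b 3c 4d 5e 6f 71-81 92 a3 b4 c5 d6 e7 f9'
 port 50331670 web-01.eth0
  vNic slot 2
   name: nic-2099501-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
   vmState: Attached
   failurePolicy: failClosed
EOF
)

# Demonstration against the constructed sample.
if printf '%s\n' "$SAMPLE" | is_dfw_attached NSX-Manager; then
  echo "NSX-Manager still has a DFW filter in slot 2 (exclusion did not apply):"
  printf '%s\n' "$SAMPLE" | find_sfw_filters NSX-Manager
else
  echo "NSX-Manager carries no slot 2 DFW filter."
fi
```

On a real host the filter name printed here is the argument to pass to vsipioctl getrules -f, which shows the rule set the appliance is being subjected to; seeing a default DFW rule set on the Manager vNIC corroborates the cause described above before the host-wide clearallfilters step is taken.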

Additional Information

Updating VMware NSX Manager from Regular VM to System/MP VM

Virtual machines and Edge Nodes deployed in VMware NSX environment and added to the DFW exclusion list have firewall rules attached