In a VMware Horizon or VDI environment, you may observe that one or more virtual machine ports on a Distributed Virtual Switch (VDS) intermittently show a status of Blocked within the vSphere Client UI.
Network traffic continues to flow normally for the affected VM.
The issue often occurs during power-on or following a vMotion.
VMkernel logs show L2Sec_EnforcePortCompliance violations.
The following errors are visible in the logs:
client <vm-name>.eth0 requested mac address change to 00:00:00:00:00:00 on port 0x######, disallowed by vswitch policy
vmkernel: ##:##:##:##.### cpu33:#### etherswitch: L2Sec_EnforcePortCompliance: client <vm-name>.eth0 has policy violations on port #x#######. Port is blocked
vmkernel or messages log:
host1 vmkernel: ##:##:##:##.### cpu33:#### NetPort: ###: enabled port #x####### with mac ##:##:##:##:##:##
VMware vSphere ESXi
These messages are logged because the vSwitch or port group security policy "MAC Address Changes" is set to Reject. During virtual machine power-up and vMotion migration, the host may momentarily list the virtual machine's MAC address as 00:00:00:00:00:00 while it is initializing. Immediately afterward, the virtual machine's correct MAC address is displayed and the port is unblocked.
These messages can be safely ignored if there are no data path impacts to the VMs.
If you need further assistance or if you are facing any data path impacts on the VMs, please open a case with the Broadcom Support team for further investigation.
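A triage sketch for the log pattern described above, added here as an example and not Broadcom's tooling: it pairs each rejected MAC change and port block with a later "enabled port" line, so the transient all-zero case can be separated from ports that stay blocked and from rejected non-zero MAC changes. The sample lines, VM names, port IDs and the function name `classify_ports` are constructed, and the regexes assume the message wording quoted in this article.

```python
import re

ZERO_MAC = "00:00:00:00:00:00"
# Patterns follow the message wording quoted in the article.
MAC_CHANGE = re.compile(r"client \S+ requested mac address change to ([0-9a-fA-F:]{17}) "
                        r"on port (0x[0-9a-fA-F]+), disallowed by vswitch policy")
BLOCKED = re.compile(r"L2Sec_EnforcePortCompliance: client \S+ has policy violations "
                     r"on port (0x[0-9a-fA-F]+)\. Port is blocked")
ENABLED = re.compile(r"NetPort: \d+: enabled port (0x[0-9a-fA-F]+) with mac")

# Constructed sample: VM names, port IDs, MACs and timestamps are made up.
SAMPLE = """\
vmkernel: 0:00:10:01.100 cpu33:4101 etherswitch: client vdi-01.eth0 requested mac address change to 00:00:00:00:00:00 on port 0x2000010, disallowed by vswitch policy
vmkernel: 0:00:10:01.101 cpu33:4101 etherswitch: L2Sec_EnforcePortCompliance: client vdi-01.eth0 has policy violations on port 0x2000010. Port is blocked
vmkernel: 0:00:10:01.350 cpu33:4101 NetPort: 1810: enabled port 0x2000010 with mac 00:50:56:aa:bb:01
vmkernel: 0:00:12:40.010 cpu33:4101 etherswitch: client vdi-02.eth0 requested mac address change to 02:11:22:33:44:55 on port 0x2000011, disallowed by vswitch policy
vmkernel: 0:00:12:40.011 cpu33:4101 etherswitch: L2Sec_EnforcePortCompliance: client vdi-02.eth0 has policy violations on port 0x2000011. Port is blocked
vmkernel: 0:00:15:02.500 cpu33:4101 etherswitch: client vdi-03.eth0 requested mac address change to 00:00:00:00:00:00 on port 0x2000012, disallowed by vswitch policy
vmkernel: 0:00:15:02.501 cpu33:4101 etherswitch: L2Sec_EnforcePortCompliance: client vdi-03.eth0 has policy violations on port 0x2000012. Port is blocked
""".splitlines()


def classify_ports(lines):
    """Map each port with an L2Sec event to a verdict:
    benign-transient: only the all-zero MAC was rejected and the port was enabled afterwards
    still-blocked:    the port was blocked and no later 'enabled port' line was seen
    review:           a non-zero MAC change was rejected, which the article does not cover
    """
    state = {}  # port -> {"macs": rejected MACs, "blocked": latest block state}
    for line in lines:
        if m := MAC_CHANGE.search(line):
            entry = state.setdefault(m.group(2), {"macs": set(), "blocked": False})
            entry["macs"].add(m.group(1).lower())
        elif m := BLOCKED.search(line):
            state.setdefault(m.group(1), {"macs": set(), "blocked": False})["blocked"] = True
        elif (m := ENABLED.search(line)) and m.group(1) in state:
            state[m.group(1)]["blocked"] = False
    verdicts = {}
    for port, entry in state.items():
        if entry["macs"] - {ZERO_MAC}:
            verdicts[port] = "review"
        else:
            verdicts[port] = "still-blocked" if entry["blocked"] else "benign-transient"
    return verdicts


if __name__ == "__main__":
    for port, verdict in classify_ports(SAMPLE).items():
        print(port, verdict)
```

Ports reported as `still-blocked` or `review` are the ones to check for data path impact before treating the messages as noise.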