NSX-T DFW Traffic Briefly Hits a Different Rule from Normal After VM Reboot
Article ID: 435851

Products

  • VMware vDefend Firewall
  • VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

  • A particular network flow normally hits one DFW rule but, while a VM is being rebooted, a different rule is hit.
  • Traffic stabilizes and correctly matches the normal rule once the VM has booted and its vNIC is connected.

Environment

vDefend Firewall 

Cause

  • The NSX Groups referenced by the rule are defined with dynamic membership criteria.
  • When the VM is rebooted, the VM's IP is removed from every dynamic NSX Group of which it is a member. During that window the original rule cannot be matched, because the IP is no longer a member of the NSX Group, so the flow falls through to the next rule it does match.
  • Once the VM has rebooted and its vNIC is connected, the VM's IP is re-added to the dynamic group and the original rule is hit again.
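To make the fall-through concrete, the following is an added, simplified model of top-down first-match DFW evaluation against resolved group membership; it is not NSX code, and the group names, IP addresses and rules are constructed for illustration. Beyond reproducing the behaviour above, it reports whether the rule hit during the transient carries a different action than the normal rule, which is the check an administrator reviewing this behaviour would want to make.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    name: str
    src_group: Optional[str]   # None means "Any"
    dst_group: Optional[str]   # None means "Any"
    action: str                # "ALLOW" or "DROP"


def first_match(rules: List[Rule], groups: Dict[str, Set[str]],
                src_ip: str, dst_ip: str) -> Rule:
    """Top-down, first-match evaluation against the currently resolved group members."""
    for rule in rules:
        if rule.src_group and src_ip not in groups.get(rule.src_group, set()):
            continue
        if rule.dst_group and dst_ip not in groups.get(rule.dst_group, set()):
            continue
        return rule
    raise LookupError("no rule matched; a real policy ends with a default rule")


def reboot_impact(rules: List[Rule], groups: Dict[str, Set[str]],
                  rebooting_ip: str, src_ip: str, dst_ip: str) -> dict:
    """Compare the steady-state match with the match while rebooting_ip has been
    removed from every dynamic group (the transient described in the Cause section)."""
    steady = first_match(rules, groups, src_ip, dst_ip)
    transient_groups = {name: members - {rebooting_ip} for name, members in groups.items()}
    transient = first_match(rules, transient_groups, src_ip, dst_ip)
    return {
        "steady_rule": steady.name,
        "transient_rule": transient.name,
        "action_changed": steady.action != transient.action,
    }


# Constructed sample policy and membership (hypothetical, not from any real environment).
GROUPS = {"web-servers": {"10.0.1.10"}, "db-servers": {"10.0.2.20"}}
RULES = [
    Rule("web-to-db", "web-servers", "db-servers", "ALLOW"),
    Rule("default-deny", None, None, "DROP"),
]

if __name__ == "__main__":
    # Web VM 10.0.1.10 reboots: its flow to the DB falls through to default-deny.
    print(reboot_impact(RULES, GROUPS, "10.0.1.10", "10.0.1.10", "10.0.2.20"))
```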


Resolution

This is expected behavior during a VM reboot.