Network Introspection slot-12 profile found on ESXi host and the SPF port is in a blocking state.
Article ID: 436335

Products

  • VMware vDefend Firewall
  • VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

When running summarize-dvfilter on an ESXi host, service insertion (slot-12) filters are present, but the SPF port they depend on is in a blocked state. The SPF port is the port through which redirected packets are forwarded to the partner service virtual machine (SVM).

Environment

  • NSX 4.2.x and below
  • NOTE: See KB 322083 regarding End of Availability for NSX Network Introspection

Cause

E-W Network Introspection was activated in NSX Manager, but no Partner Service exists. This is common after a Partner Network Introspection service has been uninstalled. The slot-12 filter shows vmState: Detached and serviceVMID: none, meaning no SVM is bound to it, and its failurePolicy is failOpen, so traffic is not being redirected or dropped. With nothing on the other side of the SPF port, it is normal for the port to be blocked while the service is only partially configured.

[root@esxi_host:~] summarize-dvfilter

world ##### vmm0:vm1 vcUuid:'## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ##'
 port 67108923 vm1.eth0
  vNic slot 2            <---------------- Distributed Firewall Slot
   name: nic-#####-eth1-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
   vmState: Attached
   failurePolicy: failClosed
   serviceVMID: 2
   filter source: Dynamic Filter Creation
   moduleName: nsxt-vsip-######
  vNic slot 12            <---------------- Service Insertion Slot
   name: nic-#####-eth1-vmware-si.12
   agentName: vmware-si
   state: IOChain Attached
   vmState: Detached
   failurePolicy: failOpen
   serviceVMID: none
   filter source: Dynamic Filter Creation
   moduleName: nsxt-vsip-######


[root@esxi_host:~] net-dvs -l | less
        port spfPort#######:
                com.vmware.common.port.alias = spfPort####### ,        propType = CONFIG
                com.vmware.common.port.connectid = 0 ,  propType = CONFIG
                com.vmware.common.port.backingType = nsx ,      propType = CONFIG
                com.vmware.common.port.portgroupid =  ,         propType = CONFIG
                com.vmware.common.port.block = true ,   propType = CONFIG    <---------------- port is in block state
                com.vmware.port.extraConfig.vnic.external.id = spfVif########### ,       propType = CONFIG POLICY
.
.
                com.vmware.common.port.volatile.status = inUse linkUp blocked portID=###### Port blocked by admin propType = RUNTIME    <---------------- This shows the port was intentionally blocked
                com.vmware.common.port.volatile.vlan = VLAN 0
                        propType = RUNTIME VOLATILE
                com.vmware.common.port.volatile.ptstatus = noPassthruReason=1,  propT
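The two outputs above are what a practitioner checks by hand. As an added example (not part of this article, and not a VMware tool), the helpers below parse them the same way: the first prints every slot-12 filter that has no SVM bound, the second prints every spfPort whose block property is true. The SAMPLE_* strings are constructed from the redacted excerpt above so the script runs offline; the numeric IDs in them are made up, and the function names are this example's own.

```sh
#!/bin/sh
# Added example: triage helpers for the summarize-dvfilter and net-dvs -l output
# shown in the article. On an ESXi host run them as
#   summarize-dvfilter | orphaned_si_filters
#   net-dvs -l | blocked_spf_ports
# The samples below are constructed from the article's redacted excerpt; the IDs are made up.

SAMPLE_DVFILTER='world 1234567 vmm0:vm1 vcUuid:(redacted)
 port 67108923 vm1.eth0
  vNic slot 2
   name: nic-1234567-eth1-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
   vmState: Attached
   failurePolicy: failClosed
   serviceVMID: 2
   filter source: Dynamic Filter Creation
   moduleName: nsxt-vsip-1234567
  vNic slot 12
   name: nic-1234567-eth1-vmware-si.12
   agentName: vmware-si
   state: IOChain Attached
   vmState: Detached
   failurePolicy: failOpen
   serviceVMID: none
   filter source: Dynamic Filter Creation
   moduleName: nsxt-vsip-1234567'

SAMPLE_NETDVS='        port 67108923:
                com.vmware.common.port.block = false ,  propType = CONFIG
        port spfPort1234567:
                com.vmware.common.port.alias = spfPort1234567 ,        propType = CONFIG
                com.vmware.common.port.connectid = 0 ,  propType = CONFIG
                com.vmware.common.port.block = true ,   propType = CONFIG
                com.vmware.common.port.volatile.status = inUse linkUp blocked portID=1234567 Port blocked by admin propType = RUNTIME
        port spfPort7654321:
                com.vmware.common.port.block = false ,   propType = CONFIG'

# orphaned_si_filters: reads summarize-dvfilter output on stdin and prints one line
# "<vnic> <filter-name> <vmState> <serviceVMID>" for every service-insertion
# (slot 12) filter that has no SVM bound, i.e. vmState Detached or serviceVMID none.
# Field tests on $1 are used instead of indentation so the parser does not depend on spacing.
orphaned_si_filters() {
  awk '
    $1 == "port"                 { vnic = $3 }                       # " port 67108923 vm1.eth0"
    $1 == "vNic" && $2 == "slot" { slot = $3; name = vmstate = svm = "" }
    $1 == "name:"                { name = $2 }
    $1 == "vmState:"             { vmstate = $2 }
    $1 == "serviceVMID:"         { svm = $2
                                   if (slot == "12" && (svm == "none" || vmstate == "Detached"))
                                       print vnic, name, vmstate, svm }
  '
}

# blocked_spf_ports: reads net-dvs -l output on stdin and prints the name of every
# spfPort whose com.vmware.common.port.block CONFIG property is true. Ports that are
# not spfPorts are skipped, so a blocked VM port does not produce a false positive.
blocked_spf_ports() {
  awk '
    $1 == "port" && $2 ~ /:$/          { cur = ($2 ~ /^spfPort/) ? $2 : ""; sub(/:$/, "", cur) }
    /port\.block = true/ && cur != ""  { print cur; cur = "" }
  '
}

# Stand-alone run against the constructed samples.
echo "slot-12 filters without an SVM:"
printf '%s\n' "$SAMPLE_DVFILTER" | orphaned_si_filters
echo "blocked SPF ports:"
printf '%s\n' "$SAMPLE_NETDVS" | blocked_spf_ports
```

If orphaned_si_filters prints nothing on a live host while blocked_spf_ports still reports a blocked port, a Partner Service is actually bound to the slot-12 filter and the cause described in this article does not apply.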
Resolution

Deactivate E-W Network Introspection in NSX Manager

  1. Confirm that no Partner Service is installed (the slot-12 filters show serviceVMID: none, as in the output above). If a Partner Service is installed, this article does not apply.
  2. Log in to the **NSX Manager UI**.
  3. Navigate to **Security > E-W Network Introspection**.
  4. Click **Actions**.
  5. Select **Deactivate E-W Network Introspection**.

There is no impact on the data plane when no Partner Service is installed: the slot-12 filter has no SVM to redirect to and is failOpen, so traffic is already passing without being redirected or dropped.