Virtual Machines Not Receiving DHCP Offers Due to NSX Segment Security Profile

Article ID: 437286

Products

VMware NSX

Issue/Introduction

  • Virtual machines (VMs) connected to a distributed port group (NSX Segment) fail to complete DHCP IP renewal requests.

  • The client VM transmits DHCP Discover messages but does not receive any DHCP Offer responses.

  • Packet captures on the DHCP server VM confirm that DHCP Offer messages are actively transmitted toward the client VMs.

  • Packet captures on the client VM show only outgoing DHCP Discover messages, indicating packet drops in transit.

Environment

  • VMware Cloud Foundation (VCF) 9.x
  • VMware NSX 9.x
  • VMware NSX
  • VMware vSphere ESXi

Cause

The NSX Segment Security Profile assigned to the affected segment (typically default-segment-security-policy) has the "DHCP Server Block" feature enabled by default.

This security setting drops DHCP traffic originating from a DHCP server toward the DHCP client, effectively blocking the DHCP Offer packets.


Resolution

  1. Log in to the NSX Manager user interface.

  2. Navigate to Networking > Segments > Segment Security Profiles.

  3. Create a new Segment Security Profile and ensure the DHCP Server Block setting is toggled to Disabled.

  4. Navigate to Networking > Segments and edit the affected segment(s).

  5. Apply the newly created Segment Security Profile to the segment, replacing the default profile (default-segment-security-policy).

  6. Save the configuration and verify the client VMs successfully receive DHCP offers.
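
The scope check behind steps 4 and 5, as an added example that is not part of the original article or VMware's own code: it reports which listed segments still have DHCP Server Block in force and which segments have it disabled without being on the list. The data is constructed; the field names `dhcp_server_block_enabled` and `segment_security_profile_path` and the binding-map path follow the NSX Policy API and should be checked against the API reference for your version, and the segment IDs, the `dhcp-server-allowed` profile and `map_id` are hypothetical.

```python
# Constructed sample data shaped like NSX Policy API objects; not output from a real NSX Manager.
DEFAULT_PROFILE = "/infra/segment-security-profiles/default-segment-security-policy"  # name from the article
RELAXED_PROFILE = "/infra/segment-security-profiles/dhcp-server-allowed"  # hypothetical new profile
PROFILES = {
    DEFAULT_PROFILE: {"dhcp_server_block_enabled": True},
    RELAXED_PROFILE: {"dhcp_server_block_enabled": False},
}
# segment id -> bound segment_security_profile_path (None: no explicit binding map)
BINDINGS = {"seg-dhcp": None, "seg-app": RELAXED_PROFILE, "seg-web": None}


def effective_profile(segment_id, bindings=BINDINGS):
    """Profile path in force on a segment; unbound segments are assumed to use the default."""
    return bindings.get(segment_id) or DEFAULT_PROFILE


def server_block_enabled(segment_id, bindings=BINDINGS, profiles=PROFILES):
    """True when DHCP Server Block applies; a missing key is treated as enabled."""
    profile = profiles[effective_profile(segment_id, bindings)]
    return profile.get("dhcp_server_block_enabled", True)


def audit(affected, bindings=BINDINGS, profiles=PROFILES):
    """Split segments into those still needing the fix and those relaxed without being listed."""
    needs_rebind = sorted(s for s in affected if server_block_enabled(s, bindings, profiles))
    unlisted = sorted(s for s in bindings
                      if s not in affected and not server_block_enabled(s, bindings, profiles))
    return {"needs_rebind": needs_rebind, "relaxed_but_not_listed": unlisted}


def binding_request(segment_id, profile_path, map_id="dhcp-fix"):
    """Path and body of the PATCH that binds a profile to one segment (map_id is hypothetical)."""
    path = (f"/policy/api/v1/infra/segments/{segment_id}"
            f"/segment-security-profile-binding-maps/{map_id}")
    return path, {"segment_security_profile_path": profile_path}


if __name__ == "__main__":
    report = audit(affected={"seg-dhcp"})
    print(report)
    for seg in report["needs_rebind"]:
        print("PATCH", *binding_request(seg, RELAXED_PROFILE))
```

Segments reported under `relaxed_but_not_listed` no longer drop DHCP server traffic, so each one should map to a segment that is meant to carry a DHCP server.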

 

Additional Information

  • Virtual machines are not receiving DHCP offers on a distributed port group

  • Create an NSX Segment Security Segment Profile